VisiWave VWR File Parsing Vulnerability

This module exploits a vulnerability found in VisiWave's Site Survey Report application. When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type' property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text', 'Image'), but if a match isn't found, the function that's supposed to handle this routine ends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10] instruction. This allows attackers to overwrite it with any arbitrary value, and results code execution. A patch is available at visiwave.com; the fix is done by XORing the return value as null if no match is found, and then it is validated before use. NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a victim user to 'double click' the malicious VWR file and execute code. This module was also built to bypass ASLR and DEP.

Search Other Modules

Exploit Rank

• Great

Exploit Authors

• mr_me < steventhomasseeley [at] gmail.com >
• TecR0c < roccogiovannicalvi [at] gmail.com >

Vulnerability References

• CVE-2011-2386
• OSVDB-72464
• http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html
• http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trust...

Exploit Targets

• 0 - Windows XP SP3/Windows 7 SP0 (default)

Exploit Development

• Source Code
• History

Similar Exploit Modules

• exploit/windows/fileformat/a-pdf_wav_to_mp3
• exploit/windows/fileformat/acdsee_fotoslate_string
• exploit/windows/fileformat/acdsee_xpm
• exploit/windows/fileformat/activepdf_webgrabber
• exploit/windows/fileformat/adobe_collectemailinfo
• exploit/windows/fileformat/adobe_cooltype_sing
• exploit/windows/fileformat/adobe_flashplayer_button
• exploit/windows/fileformat/adobe_flashplayer_newfunction
• exploit/windows/fileformat/adobe_flatedecode_predictor02
• exploit/windows/fileformat/adobe_geticon

Exploit Usage Information

Exploit Module Options