wtorek, 15 stycznia 2019

Exploiting VUPlayer

Lately I decided to perform another 'quick autopsy' of the bug found few years ago in VUPlayer. Here we go...

We will start here:

During this research I used:
- Windows 7 (32bit)
- mona.py with ImmunityDebugger
- VUPlayer

I started from fuzzing (.PLS) to check if there are any other possible bugs (related to parsing PLS).

I landed here:

Ok, so we will prepare a basic skeleton for our poc:

After trying this (vtest1.pls) file in VUPlayer we should see 41414141 value in registers.

I tried to prepare a new content for our PLS file using mona.py (!mona pc 2000) but after using this payload I wasn't able to crash the program again. So I decided to use another approach. I restarted the program in ImmunityDbg and started it with our 1st created sample file:

As you can see we landed at 0x0012eca4. Click on that address (2 times) and scrol up to the beginning of our 'shellcode' (AAAA):

After a while you should see:

Now let's open calc.exe ("programmer's calc") and tyle there your value for the shellcode beginning (3f8 in my case). Next switch to DEC(imal values):


So we know that we can overwrite EIP with shellcode 1012 + 4*(our)A = 1016. Let's try. Rewriting our poc.py:


So far so good. Now we need to find a way to run the shellcode on the stack. I decided to use !mona again to find the address (!mona jmp -r esp).

We will put that value as our 0xdeadbeef:


So fa, so good. :) Next I used egghunter (!mona egg) and shellcode created by msfvenom:

Now we should be ready to prepare a working poc:

Waiting with Meterpreter:

And we're ready to go:

I must say it was a good idea to practice a bit with this case.

More information about it you can find here:

- 1 - by rafaveira3
- 2 - by corelan
- 3 - by shogunlab
- 4 - by fuzzysecurity
- 5 - by securitysift

See you next time.


Brak komentarzy:

Prześlij komentarz