RET buffer Overflow in VUPlayer

1. Information Gathering

    VUPlayer is a freeware multi-format audio player for Windows supporting the following formats:
MOD • Sound/Noise/ProTracker
MTM • MultiTracker
S3M • ScreamTracker
XM • FastTracker
IT • ImpulseTracker
MO3 • MO3 Packer
MP3 • MPEG Audio
MP4 • QuickTime MPEG-4 (AAC/Apple Lossless)
MPC • Musepack
OGG • Ogg Vorbis
FLAC • Free Lossless Audio Codec
APE • Monkey's Audio
WV • WavPack
AIFF • Audio Interchange File Format
WMA • Windows Media Audio
WAV • Windows PCM/ACM
MIDI • Musical Instrument Digital Interface
CD • Audio CD
 System requirements:
Microsoft Windows 95, 98, ME, NT ,2000, XP or Vista
Microsoft DirectX version 3 or later
32-bit mixing requires WDM audio drivers
Graphic EQ requires DirectX 8 (version 9 required for 32-bit mixing)
Windows Media Audio support requires Windows Media Player version 9 or later
QuickTime MPEG-4 support requires QuickTime version 7 or later
MIDI support requires a SoundFont
Audioscrobbler & freedb functionality requires an internet connection
Audio CD support requires Windows NT, 2000, XP or Vista
CD-Text support requires Windows XP or Vista .

2.  Trial and Error To get The vulnerabillity

      Then i try to explore the UV Player, i run it with different format file to get the vulnerability of the aplications. i think it is not much different like RM MP3 Player, the application which i have exploits before, so i have an idea if i will use the same fuzzer which i used to exploits RM MP3 Player before, of course with little change.

3. Make the Fuzzer

    i decided to use the same fuzzer ,of RM MP3 converter but, without give the "http://" on it

  

then i open the VUPlayer, and running the fuzzer on it, suddenly VUPlayer was missing, that means if the fuzzer cause crash on the aplication. but i have not sure yet, so i try once again  but now i run the VUP from Ollydbg,....and the result is it crash and the EIP register value  stacks with 414141414141. allright, one step forward now.............

4. Now i will use pattern_create to look for, where exackly is the string on data package sent by fuzzer inside the aplication. ./pattern_create .rb 25000 > string_pattern.txt

 then iam edit the fuzzer with load the strings on it.

then i run it into UVP and OllyDbg, and the result is the register value full filled with string pattern wich we load from fuzzer before.

so right now we already succed to make crash the aplication using data pattern.


5. After thoose steps above, now we have to know on which byte the strings stacks EIP register. we will use 2nd tools here, pattern_offset.

 after we get the value, then once again we modify the fuzzer:

and again we run it into ollydbg and VUP

Just see the EIP register value , we have succed to overwrite it now.


6. Overwrite the ESP value.
    after success overwrite EIP register value, now we have to write in ESP , where ESP is   temporary keep the data on memory(stack).

then i run again the aplications from Ollydbg

we see if now the EIP register value is DEADBEEF and stack full filled with junk characters of  \xCC.

7.  Find JMP ESP
   We must get ESP address if we need to install the paylod.

So right now we got JMP ESP Value is 7C9D30D7, we will use it to modify the fuzzer :

and once more run it into the Ollydbg and VUP.

now the EIP value is 0012EF45 and it is not 7C9D30D7, to prove if the EIP register value is really read by EIP we can use breakpoint. but i am  sure that it is already correct, so i dont need to prove it. just in case.

8. Payload
   Right now is the most important step, we need to generate the payload . we will use msf web

then i load the shell code to the fuzzer:

 10. Finally i am running again the VUPlayer without Ollydbg and load the fuzzer, and the result:

       
i am successfully remote the target now.